Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


iSCSI and RouterOS
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

iSCSI and RouterOS

MaouniqueMaounique Host Rep, Veteran

I have a strange issue with iSCSI over RouterOS (mind you, i tried CIFS too and it also fails).
I setup a target behind a router in an infrastructure for local purposes and forwarded port 3260 because I want to connect to it from other places to take some files needed, including from home.
At home, with my old router, there was no problem, it still works if I switch, the only problem was that my old router was not capable of more than 6-7 MB throughput, so, when I upgraded to 1gbps connection I had to change it and took this routerboard which can do 20 MB without issues even with small packets and that is good enough for my needs now, BUT, it fails to connect. It goes through authentication failure or simple time out. TCPdump and connection watch shows nothing wrong, the connection is established, the target is seen, only the authentication does not work and at times it cant connect either, even though the connection is established in the router if you are looking at it. There is something going on at protocol level, but I was not able to see what, except that authentication fails. For now I do some ssh tunneling to workaround the issue, but I am baffled about what could be wrong, what a regular asus router can do and a serious routerboard one cant. There are no rules to drop iSCSI ports from what I see, that would make no sense since very few people are crazy enough to use the protocol over the net and it must be specifically enabled and set up, while blocking 445 probably does make sense.
I admit I am relatively new to routeros and there might be some issue(s) that i dont see.
Any help will be appreciated :)

Comments

  • Is MTU all the same (1500) between you and the destination?

  • MaouniqueMaounique Host Rep, Veteran

    It must be, the connection is established, they exchange packets. I believe something mangles the packets because authentication fails.

  • DavidxDavidx Member
    edited November 2014

    I found that RouterOS has some weird quirks like this. I was trying to setup a PPPoE connection on one earlier this week and it wouldn't connect quite right so I had to use a SonicWALL instead.

  • Sounds related: http://kb.open-e.com/Can-I-connect-to-Open-E-iSCSI-targets-behind-NAT_1333.html

    In short, it seems iSCSI isn't designed to work over NAT.

  • MaouniqueMaounique Host Rep, Veteran

    Yeah, i know, and in this case nat is at both ends, I am behind nat and the target is behind nat, but it works with a simple asus router (well, not so simple, it has usb and all) but it does not work with routeros. It is also inconsistent with routeros, I mean one day it discovers the target but fails to login, another day is completely dead on the initiator, it times out, even though the router shows traffic, both incoming and outgoing packets.
    The workaround for the internal IP it presents is adding an alias with the external IP on the NIC of the target, however, it was not necessary before and it makes no difference with routeros. There is also the routing over a VPN solution, but, while that could work from home, many times I am in a hurry and need a configuration ready made or something else to save time and establishing VPNs is not really saving time.
    I am asking here because i started to dabble in RouterOS and I am sure some fox here have a lot of experience with it, this is one piece of weird stuff, understanding it might shed some light on the inner workings of it.

  • What authentication are you running on the ISCSI login?

    Also what does the debug output of the ST request look like?

Sign In or Register to comment.