iSCSI Target through Firewall (NAT)

iSCSI Target through Firewall (NAT)

Oliver R.-2
Dear Colleagues

I am not sure if we already had this discussion. At least I could find
some old mailing list entries going into a similar direction
but I couldn't find a solution so I am posting my problem.

The situation:

- IET (latest SVN code) running on a FC7 system at my home (IP: 192.168.1.3)
- Microsoft iSCSI Initiator 2.05 running on my DELL Notebook (Windows
Vista Business) in public internet (Public IP)
- In between those two systems is my firewall publishing IET to the
internet. (Port forwarding)

The FW rule is as follows:

Firewall is accepting connections on the public interface TCP port 3260
from ANY source IP and forwards them to my IET system 192.168.1.3
on the internal network.

- So far so good I can do a "telnet" to the Public IP of my firewall
(port 3260) and I get a connect.
- I can configure the portal (discovery) on MS INI and I see my exported
LUNs.
- I "cannot" connect to any of my LUNs. It just sits there and tries and
tries and times out after 5 minutes.

When I look at my ports with "netstat", or Sysinternals TCP-View I can
see that there are outgoing connections in state SYN SENT.
I see the destination port TCP 3260 but the destination IP is
192.168.1.3 instead of the public IP of my firewall.

Does iSCSI pass back the target IP address through the protocol to the
initiator? This way MS INI gets the private address.
Does this mean that iSCSI is not NAT compliant?

Any idea to overcome this limitation? MS INI should just take the IP
address it used for connecting to the portal and not switch to
the target's real (private) IP.


Regards,
Oliver

_______________________________________________
Iscsitarget-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/iscsitarget-devel
Re: iSCSI Target through Firewall (NAT)

Ming Zhang-3
On Wed, 2007-12-19 at 00:54 +0100, Oliver wrote:

> Dear Colleagues
>
> I am not sure if we already had this discussion. At least I could find
> some old mailing list entries going into a similar direction
> but I couldn't find a solution so I am posting my problem.
>
> The situation:
>
> - IET (latest SVN code) running on a FC7 system at my home (IP: 192.168.1.3)
> - Microsoft iSCSI Initiator 2.05 running on my DELL Notebook (Windows
> Vista Business) in public internet (Public IP)
> - In between those two systems is my firewall publishing IET to the
> internet. (Port forwarding)
>
> The FW rule is as follows:
>
> Firewall is accepting connections on the public interface TCP port 3260
> from ANY source IP and forwards them to my IET system 192.168.1.3
> on the internal network.
>
> - So far so good I can do a "telnet" to the Public IP of my firewall
> (port 3260) and I get a connect.
> - I can configure the portal (discovery) on MS INI and I see my exported
> LUNs.
> - I "cannot" connect to any of my LUNs. It just sits there and tries and
> tries and times out after 5 minutes.
>
> When I look at my ports with "netstat", or Sysinternals TCP-View I can
> see that there are outgoing connections in state SYN SENT.
> I see the destination port TCP 3260 but the destination IP is
> 192.168.1.3 instead of the public IP of my firewall.
>
> Does iSCSI pass back the target IP address through the protocol to the
> initiator? This way MS INI gets the private address.
> Does this mean that iSCSI is not NAT compliant?

Yes. As you found out from the old discussion, this is an unsolved issue.

>
> Any idea to overcome this limitation? MS INI should just take the IP
> address it used for connecting to the portal and not switch to
> the target's real (private) IP.
>

It is a bug in IET, not MS INI.

A possible workaround is to add the target directly in MS INI by command
line instead of by discovering.


--
Ming Zhang


@#$%^ purging memory... (*!%
http://blackmagic02881.wordpress.com/
http://www.linkedin.com/in/blackmagic02881
--------------------------------------------
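
Added example, not part of the original thread or of IET: a small Python check for the behaviour discussed above, where the SendTargets discovery response carries a `TargetAddress` the initiator then dials. It assumes the RFC 3720 text format (NUL-terminated `key=value` pairs); the IQN and the public address `203.0.113.10` are constructed sample values.

```python
import ipaddress

# Constructed sample: data segment of a SendTargets=All text response.
# The IQN is made up; 192.168.1.3 is the target's LAN address from the thread.
SAMPLE_RESPONSE = (
    b"TargetName=iqn.2007-12.example.home:storage.disk1\x00"
    b"TargetAddress=192.168.1.3:3260,1\x00"
)

def parse_sendtargets(data):
    """Return {target_name: [(host, port, portal_group_tag), ...]}."""
    targets, current = {}, None
    for item in data.split(b"\x00"):
        if not item:
            continue
        key, _, value = item.decode("ascii").partition("=")
        if key == "TargetName":
            current = targets.setdefault(value, [])
        elif key == "TargetAddress" and current is not None:
            addr, _, tag = value.partition(",")
            if addr.endswith("]") or ":" not in addr:
                host, port = addr, "3260"      # no port given: iSCSI default
            else:
                host, _, port = addr.rpartition(":")
            current.append((host.strip("[]"), int(port),
                            int(tag) if tag else None))
    return targets

def nat_mismatches(data, discovery_host):
    """Portals the initiator would dial that differ from the address used
    for discovery and lie in private address space (unreachable via NAT)."""
    findings = []
    for name, portals in parse_sendtargets(data).items():
        for host, port, _tag in portals:
            try:
                private = ipaddress.ip_address(host).is_private
            except ValueError:                  # DNS name: cannot judge here
                private = False
            if host != discovery_host and private:
                findings.append((name, host, port))
    return findings

if __name__ == "__main__":
    # Discovery was done against the firewall's public address (constructed).
    for name, host, port in nat_mismatches(SAMPLE_RESPONSE, "203.0.113.10"):
        print(f"{name}: login would go to {host}:{port}, not the discovery portal")
```
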
Re: iSCSI Target through Firewall (NAT)

Oliver R.-2
Hmmm....

Are there any intentions to fix this issue in IET or is it a problem in
IET's architecture which would need major code
rewrites?

Regards
Oliver

Re: iSCSI Target through Firewall (NAT)

Neal Morgan
Oliver:

FWIW, you could probably work around this by configuring a PPTP tunnel
between your laptop and firewall, so that the packets are routed rather
than NATted.


Good luck!

Neal

