Zyxel NAS326 iSCSI

Nov 7, 2018
13
6
8
44
I got excited when I thought my Zyxel Nas326 supported iSCSI, but it seems it doesn't support CHAP authentication (but it does as a target)? Idk. I got it to work with windows iscsi initiator, but not inside proxmox and I suspect it's because I don't connect using a proxmox initiator like I do with windows [using a username and password I created from the endpoint (i.e. windows or proxmox)].

It's weird though, because I do create a username and password under target creation (on the zyxel), but at no time do I input a username and pw in proxmox when attempting the connection.

Anyways, anyone have any ideas?
 
  • Like
Reactions: World Tech
I found a solution

I have open-iscsi installed

I used the username/key here to configure chap authentication for the client inside zyxel's gui

/etc/iscsi/initiatorname.iscsi

also uncommented
vi /etc/iscsi/iscsid.conf

node.session.auth.authmethod = CHAP

and set

username = initiatorname extraction
node.session.auth.username = username
node.session.auth.password = password

then

iscsiadm -m discovery -t sendtargets -p 10.0.0.30

iscsiadm -m node -o show

iscsiadm -m node --login

cat /proc/partitions
 
...
and set

username = initiatorname extraction
node.session.auth.username = username
node.session.auth.password = password
...

This works, but doesn't help when cluster is created. Newly joined node wants to connect to the same iSCSI target with default config (no CHAP).
  • Easiest solution is to disable CHAP on NAS326 if you can (secure network): iSCSI Demo mode
  • Optional solution (needs modification of iSCSI config on each node): TPG authentication
    • Setting up authentication information for every single initiator separately can be cumbersome, so targetcli provides the capability to define common login information for all Endpoints in a TPG. As a result, all initiators connecting to that TPG can use the same login credentials.
 
  • Like
Reactions: World Tech
I agree with you. I looked into that solution for my model and found one here

1- create the LUN(s) and target via the webgui
2- login to your zyxel via ssh (admin@nasaddress), BTW if your pass is longer than 14 chars, only use the first 14 chars, for some reason Zyxel allows you to choose a pass longer then 14 but only uses the first 14 chars.
3- $ sudo -i (to get root)
4- targetcli (this will open a shell where you can manage iscsi, use tab completion to get around in it)
5- ls (to get an overview)
6- cd /iscsi/iqn.2018-03.com.zyxel:targetname.randomstring/tpg1/ (again use tab completion, so cd /iscsi/iqn<tab><tab<tab<tab> etc. etc.)
7- set attribute authentication=0
8- set attribute generate_node_acls=1
9- set attribute demo_mode_write_protect=0
set attribute generate_node_acls=1 cache_dynamic_acls=1
10- I also deleted the ACLS by doing; cd acls, delete iqn<tab><tab>
11- exit
11- targetcli saveconfig (normally if you exit targetcli, it will autosave, so this is just in case)

https://homeforum.zyxel.com/discussion/356/nas542-iscsi-without-chap-authentication

I was then able to mount is as iscsi in proxmox
 
Last edited:
  • Like
Reactions: World Tech
albeit you can only mount is as one giant volume... I'm starting to see now what zfs over iscsi is. It creates zfs volumes on the remote node to be mounted individually. So it seems the best choice is to create luns individually for each node in a cluster and then mount that locally
 
  • Like
Reactions: World Tech