Can only connect with relay, no NAT in place.

Seriously, two servers in data centers. The one I want to sync from is directly attached to the internet, with public IPs on the network interface and port 22000 allowed in the Windows firewall. The one I am syncing to is also in a data center, but behind OPNsense with a direct port forward of port 22000 to the IP of the server. The only thing not mentioned in all the forum posts, articles, KBs, etc. I have read trying to figure this out is that both servers have multiple IP addresses. I even tried WireGuard VPN installed on each, creating a direct tunnel, and that didn’t work. I need to move about 5 TB of data from one server to the other in a few days, and that is not going to happen if I have to use a relay. It should work if I can use the fast internet both of these servers get in their respective data centers.

Any help or suggestions are appreciated. I just don’t understand why my connection type is Relay WAN and I can’t get a connection in any other way. I have even tried giving both sides the public IP of the other side, which in the case of the server I am syncing from is also directly attached to its Ethernet interface.

Verify you can connect using netcat or something; there is not much else we can advise you, as it’s not really an application-level issue.

Questions…

  • How is Syncthing installed and run? (i.e. Docker?)
  • Has Syncthing been configured to bind to only one network interface?

Set up Syncthing on a computer outside the data centers to see if a TCP WAN connection is established. Try to connect to both servers to see which one is causing the problem.

It is just installed from the installer as a Windows executable.

2nd question: how do I go about ensuring it is only bound to a single network interface? I believe right now it is the default, where it listens on 0.0.0.0 (all interfaces), but I did try to change it to the default external IP, meaning the one in the TCP/IPv4 settings as opposed to the additional IPs on the Advanced tab, and it did not make a difference. It was set in the settings under “Sync Protocol Listen Addresses”; is that the correct place to set it?

In addition, it is my understanding that only one side needs to be available, and if the very obvious server that actually has public IPs directly exposed is not good enough (I don’t know how you can get better than no router/NAT), then the one on the other side that has direct port forwarding and even outbound NAT set up so the private IPs always map to the correct public IP should easily take up that direct-connect duty.

These are both production email servers. So connectivity is not an issue. Email is extremely particular and finicky when it comes to the many things that have to be configured correctly for good deliverability.

None of the official Syncthing packages for Windows include installers, so it must be one of the 3rd-party bundles (doesn’t matter as long as it doesn’t involve Docker or some other similar setup).

Yes, but shouldn’t normally require changing.

Port forwarding or a directly accessible port on one side helps, but isn’t required.

Sure, but email also has the advantage that network ports 25/587 along with 80/443 have been in use for decades and so ingrained in many people’s lives that network restrictions tend to be more relaxed compared to other ports.

Definitely need to try connecting with Syncthing on a computer outside of the data center (or if you have an Android tablet/phone, the mobile app version) to see if it resorts to using a relay.

As I suggested, you should convince yourself that all of the port forwarding and firewall adjustments you’ve made work. Use netcat with those ports between the two machines to convince yourself.

You might have a firewall from your network provider, or something like that, that you are missing.

Changing listen addresses I suspect won’t do much, as we advertise all interface addresses anyway.

You can enable debug logging for the connections facility to check the addresses used for connections and the errors received. Discovered addresses should also be visible in the UI.
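The replies above say to prove the path with netcat before blaming Syncthing. The following is an added example written for this page, not code from the thread or from the Syncthing project: a small Python replacement for netcat that runs unchanged on Windows and Linux. `probe_tcp()` makes one TCP connection attempt and classifies the result, which matters here because the three failure modes point at different culprits: `refused` (RST) means the host is reachable but nothing is listening, so the forward points at the wrong internal IP or Syncthing is down; `timeout` means the SYN was silently dropped, which is the signature of an upstream or provider firewall; `open` means the forward and firewall both work and the problem is elsewhere. `StubListener` stands in for Syncthing on the receiving server while it is stopped. The loopback addresses and port numbers in `__main__` are constructed test values, not the poster's real addresses; since both servers have several public IPs, probe every one of them.

```python
import os
import socket
import threading
from typing import Dict, Iterable, Tuple

SYNC_PORT = 22000  # Syncthing's default sync-protocol port (TCP)


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> str:
    """Make one TCP connection attempt and classify what came back.

    "open"    - handshake completed: the port forward (or the directly
                attached public IP) and the firewall both pass traffic.
    "refused" - RST received: host reachable, nothing listening there
                (Syncthing stopped, or the forward targets the wrong IP).
    "timeout" - no answer at all: something upstream drops the SYN.
    Any other OS error is reported as "error:<errno>".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return f"error:{exc.errno}"


def probe_all(targets: Iterable[Tuple[str, int]],
              timeout: float = 5.0) -> Dict[Tuple[str, int], str]:
    """Probe every (host, port) pair; a multi-IP server gets one entry per IP."""
    return {(h, p): probe_tcp(h, p, timeout) for h, p in targets}


class StubListener:
    """Stand-in for Syncthing on the receiving side while it is stopped.

    Accepts and immediately closes connections in a background thread, so a
    remote probe_tcp() returns "open" only if the whole path is clear.
    """

    def __init__(self, bind_ip: str = "0.0.0.0", port: int = SYNC_PORT):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if os.name != "nt":
            # SO_REUSEADDR avoids TIME_WAIT bind errors on quick restarts;
            # on Windows it instead permits port hijacking, so skip it there.
            self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_ip, port))
        self.sock.listen(5)
        self.sock.settimeout(0.5)  # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:  # socket closed underneath us
                return
            conn.close()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


if __name__ == "__main__":
    # Constructed demo: one loopback listener and one port nobody listens on.
    stub = StubListener("127.0.0.1", 0)
    for (host, port), status in probe_all([("127.0.0.1", stub.port),
                                           ("127.0.0.1", 1)]).items():
        print(f"{host}:{port} -> {status}")
    stub.stop()
```

To use it the way the thread suggests: stop Syncthing on the receiving server, run `StubListener("0.0.0.0", 22000)` there, then run `probe_all()` from a machine outside both data centres against every public IP of that server, and repeat in the other direction. One Windows-specific caveat: if the firewall rule for 22000 was created as a program rule for syncthing.exe rather than a port rule, the stub (python.exe) will be blocked even though Syncthing would not be, so test with a port rule or temporarily allow python.exe. Once the probe says `open` from outside, the remaining question is inside Syncthing, which is where the connections debug facility mentioned in the last reply (environment variable `STTRACE=connections`, or Actions > Logs > Debugging Facilities in the GUI) shows which discovered addresses were tried and what error each attempt returned.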