Clarifying firewall settings IN and OUT for KCP

epoch1970 · November 28, 2017, 11:41pm

Hi. Me again with my non-UpNP double NAT.

I thought I would upgrade to .40 on linux (Pi 3) and see how KCP managed. Without it I get a mess of “connecting to myself”.

The documentation regarding firewalling is not up to date. For KCP:

What are the ports that are necessary to be opened, outgoing and incoming, on a firewall? 22020/udp??
I understand port forwarding is no longer necessary?
Does KCP work when there are multiple subnets behind the same firewall?

Thanks.

AudriusButkevicius · November 29, 2017, 12:07am

Logically it should work if none of the NATs along the way is symmetric/firewall, in practice, I am not sure, as there are a ton of things that could go wrong. See what NAT type stun reports as syncthing starts up.

epoch1970 · November 29, 2017, 12:04pm

Ok thanks. I think there is at least one instance that detects a “Symmetric NAT” setup, and the remote does try to connect to the external interface of the router. So forwarding would be needed indeed. I’ll look more carefully at it.

In the mean time I thought I’d try to describe my use case. Sorry it is a bit verbose. HTH.

Site A

--[S1]--[S2]--subnet1--+
                       |--[GwA]--[Edge]--Internet ....
--[S3]--subnet2--------+

Site B
                              +--subnet 1--[S1]--[S2]
.... Internet--[Edge]--[GwB]--|
                              +--subnet 2--[S3]

On each site:

IPv4, no UPnP on GWs. GWs defined as “DMZ hosts” in their respective “Edge” ISP Box.
Some holes are poked in the GW on each site to allow subnet 1 and subnet 2 to interact on a limited set of services.
Syncthing must be one of these: at least the S1 laptop replicates data served by Syncthing instance S3. S3 is a server, it doesn’t move.

Ideally, S1 and S2 can share stuff and S2 can also replicate with S3.

Between sites: Each “S3” Syncthing instance must replicate with the other one.

Elsewhere: S1 and S2 are laptops, their Syncthing service should continue working when they are outside their usual site.

Syncthing configs:

S3 has Global discovery enabled, nothing else.
S1, S2 ideally should have default configs.
If initial discovery doesn’t work between S3 and S1 (or S2), that’s ok as long as a simple address name can be used (e.g. tcp://sync/) and details figured out by the site’s GW.

epoch1970 · November 29, 2017, 9:05pm

So. With a much simpler setup (less than 1 half of the description above), OSX (no firewall, NAT) and i386 linux (2 firewalls, double-NAT).

They publish their address ok. Each machine gets the addresses of its peer. Every attempt at dialing seem to end up in i/o timeout. Nothing relevant logged in the firewall.

Any suggestion?

calmh · November 29, 2017, 9:09pm

I don’t expect kcp to work automatically through double nat. I suggest tcp and port forwards.

epoch1970 · November 29, 2017, 9:13pm

Ok. Bummer, I think my setup doesn’t work with tcp/PFs; I thought it was, but now that “site A” is for real and I try to simulate site B, I see those “connecting to myself” messages.

Thanks anyway!

epoch1970 · November 30, 2017, 11:21am

Hah. Good news, tcp works for me, the error yesterday was due to a mistake on my part.

Bad news the sync started by destroying all files in my local copy

system · December 30, 2017, 11:25am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.