Just for information, I disabled Symmetric NAT (ticked “Static Port”) for the whole network NAT and not only for port 22000, and can see the following in the Synthing log:
2025-06-10 23:36:44 quic://0.0.0.0:22000 detected NAT type: Port restricted NAT
Did still not help, it keeps displaying “Disconnected”.
And then I enabled Port Forwarding for TCP/UDP 22000 and it looks a bit better:
Maybe your problem is with discovery, so that the other side simply doesn’t know where to try connecting?
Show a screenshot of the “This Device” section of the GUI. What do the Listeners and Discovery entries show? Please also show the dialog that opens when clicking on the “x/y” numbers.
Just to make this clear, you do need some patience, as Syncthing will make many connection attempts in turn, and it may take some time until the correct address is tried. Don’t expect anything to happen instantly.
Debug logging may help as well, to see where the other side is trying to connect and what the result is for each address tried. And what addresses it has discovered for the device behind your NAT.
Relay LAN is not possible at the moment. Relay connections are always considered WAN by Syncthing [1] [2]. If it was possible it would show up as Connection Type of “Relay LAN” with 2 bars in the GUI.
I added even the Port Forwardings that @mraneri recommended - to no avail.
But as it seems, there was some unknown problem with the remote site!
Later, everything was back to green - so sadly I was not able to stop NAT traversal. And after everything was green, I removed the Port Forwarding and everything stayed green! I also restarted Syncthing and still all is fine.
So what did I learn?
Stopping NAT traversal may be more difficult than I thought, or even impossible
Port Forwarding is clearly not required for Syncthing to work
Be wary of recommendations from forums where some people have strong opinions and give recommendations that are simply off and are not the right thing to do, even if issued vehemently.
Just to make that clear, I did not mean you with the last statement!
Syncthing is aggressive to make connections (which is good). It’s likely if syncthing is still reporting symmetric NAT on the local side and you are not port forwarding (and no uPNP) that the local side is initiating and possibly holepunching the remote side. I don’t think you said too much about the remote side but if they are not behind symmetric NAT then it’s very possible your local server is initiating a QUIC connection via holepunching to the remote. (Check the remote syncthing log and see if it says symmetric NAT. Probably one of them (at least) doesn’t.)
Anyway glad it’s working without any forwarding rules. If you really want to block all local holepunching make sure you still see Synmetric NAT in the local syncthing logs and you should be good.
How not to love this? 
