Devices can't find each other across internet or across bridge. Non-UPnP setup. LAN works fine

My end goal is clustering several computers together (my first experience with Syncthing), some on a local network to each other, some across the internet on a different local network, without using UPnP. So my initial experimental setup looks like this:

Where I have a PC behind a router/firewall, a laptop that can be either on the same LAN (physically attached to the switch) or on a bridged wireless network running DD-WRT. Across the Internet, I also have another router/firewall with servers all behind the same switch.

I have one point of success, and two problems so far.

Success: My PC and laptop can find each other and sync when they’re physically connected through the switch.

Problems: 1) PC and laptop can’t find the server and vice versa. 2) When my laptop is attached to the wifi, it and the PC can’t find each other.

Both firewalls allow 22000/tcp and 21025/udp (on both WANs), but currently read closed when I probe them with nmap (nmap -Pn -p 22000 {ip address} and sudo nmap -Pn -sU -p 21025 {ip address}). I presume Syncthing running on a client doesn’t change this to ‘open’ status. I also think I’ve allowed them on DD-WRT, but I’m less confident with that. All clients read Global Discovery 1/2 (IPv4), are running Linux, and Syncthing v0.11.11.

I’d love to solve both problems I have, but the more important one is problem 1. I’m not sure what to do from here. Any help is appreciated!

So Allow only implies outward connections; you actually need to set up port forwarding if you don’t have UPnP. Please note that the external port number and internal port number should be the same.

Also, PC and laptop need to be on the same subnet for local discovery to work over WiFi, which might not be the case, as DDWRT is probably not acting as an access point but instead double-NAT’ing the Wifi connection within the physical lan. Which also might mean that even global discovery can’t help you behind a double NAT, as you’d need to forward port N to laptop when physically connected, and when connected over wifi, forward the same port N to the DDWRT (which is impossible). You could potentially make the laptop listen on two different addresses, N and N+1, then forwarding N to laptop and N+1 to DDWRT. Then from DDWRT forwarding N+1 to laptop.

I think I worded some of that poorly. In iptables --list, I have

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:22000
ACCEPT     udp  --  anywhere             anywhere             udp dpt:21025

Do you mean that I have to forward all incoming traffic on those ports to only one specific server?

You’re correct that the PC and wifi-laptop aren’t on the same subnet. I might try that setup you mention.

Thanks!

Yes, you need to actually forward the traffic, just as it explains in the readme, unless you have UPnP support or you are not running behind NAT.

This just permits the traffic, but doesn’t forward it anywhere.

If you get around the subnet problem, it will be enough to set up two static forwardings for different ports; if not, then you might have to get the laptop two listen addresses and forward one from gateway to laptop (when connected via wire), the other one from gateway to ddwrt, then from ddwrt to laptop (for when laptop is connected via wifi).
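An added example, not posted by anyone in this thread, that shows in iptables terms the difference between the ACCEPT rules quoted above (which only admit traffic to the gateway itself) and an actual port forward (DNAT plus a FORWARD rule), and then lays out the N / N+1 arrangement described for the double-NAT case. The interface names, LAN addresses and the second port 22001 are assumptions; only 22000/tcp is forwarded since that is the sync port. With DRY_RUN=1 (the default) the script prints the commands instead of applying them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread): "allowing" vs "forwarding" a port on a
# Linux gateway. DRY_RUN=1 prints the iptables commands instead of running them.
# All interfaces, addresses and the N+1 port below are assumptions.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"     # assumed WAN interface of the main gateway

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# What the poster already has: INPUT rules. They only let packets addressed to
# the gateway's own IP reach 22000/21025 ON THE GATEWAY. Nothing behind NAT
# ever receives them, which is why nmap from outside still reports closed.
allow_only() {
    run -A INPUT -p tcp --dport 22000 -j ACCEPT
    run -A INPUT -p udp --dport 21025 -j ACCEPT
}

# A real forward: rewrite the destination in PREROUTING (DNAT) to the LAN host,
# then let the rewritten packet through the FORWARD chain.
# usage: forward_port <proto> <external port> <lan ip> <internal port>
forward_port() {
    proto="$1"; ext_port="$2"; lan_ip="$3"; int_port="$4"
    run -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$lan_ip:$int_port"
    run -A FORWARD -i "$WAN_IF" -p "$proto" -d "$lan_ip" --dport "$int_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Simple case: one Syncthing host behind the gateway. External and internal
# ports are kept equal, as the reply above recommends.
single_host() {
    forward_port tcp 22000 192.168.1.10 22000   # assumed server address
}

# Double-NAT case: port N goes to the laptop's wired address, N+1 goes to the
# DD-WRT box, and DD-WRT forwards N+1 on to the laptop's wifi address.
# The laptop itself must listen on both N and N+1.
gateway_rules() {
    forward_port tcp 22000 192.168.1.10 22000   # N   -> laptop, wired
    forward_port tcp 22001 192.168.1.2  22001   # N+1 -> DD-WRT (assumed addr)
}

# Run in a subshell so the DD-WRT interface name does not leak out.
ddwrt_rules() (
    WAN_IF=eth1                                 # assumed DD-WRT upstream side
    forward_port tcp 22001 192.168.2.10 22001   # N+1 -> laptop, wifi
)

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
allow_only
single_host
```

Run it with no arguments to see the commands it would issue; the forwarded port only shows as open from outside once a Syncthing instance is actually listening on the LAN host the DNAT points at.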