Difference between <listenAddress>, <localAnnouncePort>, <localAnnounceMCAddr>

Please forgive me if my doubt is too basic. I have read the good article on the Wiki about [Firewalls and Port Forwarding](https://github.com/syncthing/syncthing/wiki/Firewalls-and-Port-Forwards), and as I looked at my firewall logs, I stumbled across doubts.

Please correct me if I’m wrong:

<listenAddress> = address:port where a node receives TCP connections from other nodes (default: The port must be opened at the router, either through UPnP or port forwarding

<localAnnouncePort> = IPv4 UDP port used by a node to announce itself on the LAN, and also where it receives announcements from other nodes (default: 21025)

<localAnnounceMCAddr> = IPv6 broadcast address and UDP port used by a node to announce itself on the LAN; a node also receives IPv6 announcements from other nodes on this UDP port (default: [ff32::5222]:21026)

My current setup is simple: here at home, an Android phone and a Xubuntu desktop, and at my mother’s, a Xubuntu desktop. Local discovery on all 3 nodes, global discovery only on the desktops.

Initially, I had these ports opened at the firewall on my desktop: TCP/22000, UDP/21025. But then I noticed that the firewall log was flooded with messages like:

Apr 14 13:54:02 monk kernel: [27351.234292] [UFW BLOCK] IN=eth0 OUT= MAC=33:33:00:00:52:22:90:68:c3:ba:d3:7a:86:dd SRC=fe80:0000:0000:0000:9268:c3ff:feba:d37a DST=ff32:0000:0000:0000:0000:0000:0000:5222 LEN=104 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=21026 DPT=21026 LEN=64

which I suppose is my phone (IPv6 address fe80:9268:c3ff:feba:d37a) announcing itself locally. So I also opened UDP/21026 on my desktop.

But trying to understand the function of each port, I closed UDP/21025 and UDP/21026, and observed the firewall logs: there was traffic only to UDP/21026 (no traffic to UDP/21025). But even with both ports closed at the desktop, phone and desktop still connected and synced, which puzzled me.

My doubts:

  1. What is the purpose then of port <localAnnouncePort> (UDP/21025), if I don’t see any traffic through it?
  2. Must the port in <localAnnounceMCAddr> (UDP/21026) really also be opened, if my phone and desktop managed to sync even though it was closed at the desktop?

If your router supports UPnP, the devices could connect to each other through their public counterparts?

Right now, I use port forwarding, both at my router and my mother’s. I wanted to understand what each port is used for, and then revise my firewall settings, as well as configure the router for UPnP.

Not having luck with UPnP: configured it on both routers and enabled it on syncthing on both desktops, but now they don’t connect, and the only UPnP-related messages in the logs are:

[2L7Y5] 13:44:42 INFO: Starting UPnP discovery...
[2L7Y5] 13:44:48 INFO: UPnP discovery complete (found 0 devices).

when Firewalls and Port Forwarding says it should be like:

Created UPnP port mapping for external port XXXXX on UPnP device YYYYY.

I get the impression UPnP is not working on both routers.

But I still would like to know which ports really have to be opened at the desktop firewall, UDP/21025 or UDP/21026, or both.

Well, both ideally, or if you want to lock it down, allow 21025 only over udp4 and 21026 only over udp6.

If you don’t have IPv4 or IPv6 support you can lock down even further by disabling 21025 if no v4 or 21026 if no v6 support is available.

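To triage `[UFW BLOCK]` lines like the one quoted earlier and see which of the two local-discovery rules (21025 over udp4, 21026 to ff32::5222 over udp6) each blocked packet corresponds to, here is an added Python example; it is not code from the thread or from the Syncthing project. The first sample line is the one from the thread; the other two are constructed.

```python
import ipaddress
import re

# Syncthing local-discovery defaults as given in the thread.
V4_ANNOUNCE_PORT = 21025                                 # <localAnnouncePort>
V6_ANNOUNCE_GROUP = ipaddress.ip_address("ff32::5222")   # <localAnnounceMCAddr> group
V6_ANNOUNCE_PORT = 21026                                 # <localAnnounceMCAddr> port

# Constructed sample: line 1 is the IPv6 multicast announcement quoted in the thread,
# line 2 a constructed IPv4 broadcast announcement, line 3 a constructed unrelated TCP SYN.
SAMPLE_LOG = """\
Apr 14 13:54:02 monk kernel: [27351.234292] [UFW BLOCK] IN=eth0 OUT= MAC=33:33:00:00:52:22:90:68:c3:ba:d3:7a:86:dd SRC=fe80:0000:0000:0000:9268:c3ff:feba:d37a DST=ff32:0000:0000:0000:0000:0000:0000:5222 LEN=104 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=21026 DPT=21026 LEN=64
Apr 14 13:54:05 monk kernel: [27354.000001] [UFW BLOCK] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:90:68:c3:ba:d3:7a:08:00 SRC=192.168.1.23 DST=192.168.1.255 LEN=92 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=21025 DPT=21025 LEN=72
Apr 14 13:54:09 monk kernel: [27358.000002] [UFW BLOCK] IN=eth0 OUT= MAC=90:68:c3:ba:d3:7b:90:68:c3:ba:d3:7a:08:00 SRC=192.168.1.23 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22000 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; bare flags like DF have no '='


def parse_ufw_block(line):
    """Return the KEY=value fields of a '[UFW BLOCK]' kernel log line, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line.split("[UFW BLOCK]", 1)[1]):
        fields.setdefault(key, value)  # LEN appears twice (IP and UDP); keep the first
    return fields


def classify(fields):
    """Name the local-discovery rule a blocked packet would need, or 'other'."""
    if fields.get("PROTO") != "UDP":
        return "other"
    dst = ipaddress.ip_address(fields["DST"])  # accepts the kernel's uncompressed v6 form
    dpt = int(fields["DPT"])
    if dst.version == 4 and dpt == V4_ANNOUNCE_PORT:
        return "v4-announce"
    if dst == V6_ANNOUNCE_GROUP and dpt == V6_ANNOUNCE_PORT:
        return "v6-announce"
    return "other"


def summarize(log_text):
    """Count blocked packets per category over a block of firewall log text."""
    counts = {"v4-announce": 0, "v6-announce": 0, "other": 0}
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if fields:
            counts[classify(fields)] += 1
    return counts
```

Run `summarize` over your own `/var/log/ufw.log` extract: a non-zero `v6-announce` count with zero `v4-announce` is exactly the pattern described in the thread (the phone announcing only over IPv6).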

Thanks, @AudriusButkevicius, for shedding light. It’s crystal clear now.

So my firewall logs show that Android syncthing always announces with IPv6.

EDIT: Have to discover now why UPnP is not working on my routers.