Getting Syncthing working between VLANs with no WAN access and Docker

I don’t need any help. I wanted to share what I figured out in case it helps someone. This information is available in various places but I wanted to put it together for the next schmoe who is trying to do the same thing.

I have multiple VLANs with very strict FW rules that prevent communication between the two. My server VLAN has very controlled WAN access, which will automatically prevent ST from having access to the internet. My trust VLAN has full WAN access and I wanted to limit ST’s access to the internet.

To get everything working, I had to do a few things that weren’t readily obvious to me.

  • Everywhere ST is installed, in settings, under Connections, uncheck these options. This will ensure ST does not try to access the internet to discover clients.
    • Enable NAT traversal
    • Local Discovery
    • Global Discovery
    • Enable Relaying
  • When adding a remote device, you’ll have to use tcp://[hostname]:22000 as the Address in Advanced where [hostname] is the hostname of the other device.
    • You’ll have to do this from both sides. When you add a device from one place, the 2nd place might show an alert asking you to approve, but it’ll default to dynamic as the Address in Advanced. You’ll have to change it to tcp://[hostname]:22000 on the 2nd side to the hostname of the first device.
  • In your firewall/router you’ll have to create FW rules:
    • To access the ST web interface on hostA from hostB, you will have to allow hostB to access port 8384 on hostA
    • To allow hostA and hostB to sync, you’ll have to allow port 22000 from between both of them – meaning two FW rules, one for each direction
  • If you are using Docker and you add a new volume after building/creating the initial container, the mount point in the container will be owned by root. This means the user that ST is running as (i.e. 1000) in the container will not be able to read it. You’ll have to change the ownership of the mount point: docker exec -it [container ID] chown 1000 [new mount point].

I hope this helps others.
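As an added example (not part of the post above, and not Syncthing's own code), here is a small audit script that checks a Syncthing config.xml for the settings the post describes: the four WAN-facing options (global discovery, local discovery, relaying, NAT traversal) disabled, and every remote device given a static tcp://hostname:22000 address instead of the default "dynamic". It assumes the standard config.xml layout, where these options live under <options> as globalAnnounceEnabled, localAnnounceEnabled, relaysEnabled and natEnabled, and each <device> carries one or more <address> elements. The sample config embedded in the script is constructed for illustration, with placeholder device IDs.

```python
"""Audit a Syncthing config.xml for the no-WAN, static-address setup.

Added example, not from the original post. Assumes the standard Syncthing
config.xml layout: <options> holds globalAnnounceEnabled, localAnnounceEnabled,
relaysEnabled and natEnabled; each <device> holds <address> elements whose
default value is "dynamic".
"""
import xml.etree.ElementTree as ET

# Options that make Syncthing reach out (to the internet or the broadcast domain)
# to find peers. In the setup described they must all be "false".
WAN_FACING_OPTIONS = (
    "globalAnnounceEnabled",
    "localAnnounceEnabled",
    "relaysEnabled",
    "natEnabled",
)

SYNC_PORT = 22000

# Constructed sample config: hostA is configured correctly, hostB was left at the
# default "dynamic" address, and relaying was left enabled. Device IDs are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration version="37">
    <device id="AAAAAAA-PLACEHOLDER-DEVICE-ID" name="hostA" compression="metadata">
        <address>tcp://hostA:22000</address>
    </device>
    <device id="BBBBBBB-PLACEHOLDER-DEVICE-ID" name="hostB" compression="metadata">
        <address>dynamic</address>
    </device>
    <options>
        <globalAnnounceEnabled>false</globalAnnounceEnabled>
        <localAnnounceEnabled>false</localAnnounceEnabled>
        <relaysEnabled>true</relaysEnabled>
        <natEnabled>false</natEnabled>
    </options>
</configuration>
"""


def is_static_sync_address(address):
    """True for an explicit tcp://<host>:22000 address, False for "dynamic" or anything else."""
    address = address.strip()
    return address.startswith("tcp://") and address.endswith(f":{SYNC_PORT}")


def audit_config(xml_text, local_device_id=None):
    """Return a list of findings; an empty list means the config matches the intended setup.

    local_device_id, if given, skips this node's own <device> entry, which
    legitimately has no static address.
    """
    findings = []
    root = ET.fromstring(xml_text)

    options = root.find("options")
    if options is None:
        findings.append("no <options> element found")
    else:
        for name in WAN_FACING_OPTIONS:
            node = options.find(name)
            value = (node.text or "").strip().lower() if node is not None else "missing"
            if value != "false":
                findings.append(f"option {name} is {value}; expected false")

    for dev in root.findall("device"):
        if local_device_id and dev.get("id") == local_device_id:
            continue
        dev_name = dev.get("name") or dev.get("id", "?")
        addresses = [(a.text or "").strip() for a in dev.findall("address")]
        if not any(is_static_sync_address(a) for a in addresses):
            findings.append(
                f"device {dev_name} has no tcp://<host>:{SYNC_PORT} address (got {addresses})"
            )
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; point ET at your real config.xml instead.
    for finding in audit_config(SAMPLE_CONFIG) or ["config matches the no-WAN setup"]:
        print(finding)
```

Run it against a real file with `audit_config(open(path).read(), local_device_id=...)` on each host; a clean result on both sides, plus the two 22000 firewall rules (one per direction) and the 8384 rule for the web UI, is the complete set of conditions the post lays out.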
