I don’t need any help. I wanted to share what I figured out in case it helps someone. This information is available in various places but I wanted to put it together for the next schmoe who is trying to do the same thing.
I have multiple VLANs with very strict FW rules that prevent communication between the two. My server VLAN has very controlled WAN access, which automatically prevents ST from having access to the internet. My trust VLAN has full WAN access, and I wanted to limit ST's access to the internet.
To get everything working, I had to do a few things that weren't readily obvious to me.
- Everywhere ST is installed, in Settings under Connections, uncheck these options. This will ensure ST does not try to access the internet to discover clients or relay traffic:
  - Enable NAT traversal
  - Local Discovery
  - Global Discovery
  - Enable Relaying
- When adding a remote device, you'll have to use `tcp://[hostname]:22000` as the Address under Advanced, where [hostname] is the hostname of the other device.
- You'll have to do this from both sides. When you add a device from one place, the 2nd place might show an alert asking you to approve, but it'll default to `dynamic` as the Address under Advanced. You'll have to change it to `tcp://[hostname]:22000` on the 2nd side, using the hostname of the first device.
- In your firewall/router you'll have to create FW rules:
  - To access the ST web interface on hostA from hostB, you will have to allow hostB to access port 8384 on hostA.
  - To allow hostA and hostB to sync, you'll have to allow port 22000 (TCP, since the addresses above are tcp://) between both of them, meaning two FW rules, one for each direction.
- If you are using Docker and you add a new volume after building/creating the initial container, the mount point in the container will be owned by root. This means the user that ST is running as (i.e. 1000) in the container will not be able to read it. You'll have to change the ownership of the mount point: `docker exec -it [container ID] chown 1000 [new mount point]`. (If it is a bind mount, this changes the owner of the host directory as well.)
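Since the settings and device addresses have to be fixed on every host, it is easy to miss one side. The script below audits a Syncthing config.xml for exactly the setup described above: the four Connections options off and every device on a static tcp:// address rather than `dynamic`. It is an added example, not code from the original post or from the Syncthing project; the element names it checks (`globalAnnounceEnabled`, `localAnnounceEnabled`, `relaysEnabled`, `natEnabled`, `<device>/<address>`) are the ones used in Syncthing's config.xml and should be verified against your version, and the embedded sample config is constructed for the example.

```python
"""Audit a Syncthing config.xml for the no-internet setup.

Added example, not part of the original post or of Syncthing itself.
Assumptions: config.xml element names as listed in INTERNET_OPTIONS and
<device>/<address>; SAMPLE_CONFIG below is constructed, not a real config.
"""
import sys
import xml.etree.ElementTree as ET

# config.xml option -> GUI label under Settings > Connections.
# All four must be "false" for ST to stay off the internet.
INTERNET_OPTIONS = {
    "globalAnnounceEnabled": "Global Discovery",
    "localAnnounceEnabled": "Local Discovery",
    "relaysEnabled": "Enable Relaying",
    "natEnabled": "Enable NAT traversal",
}

SYNC_PORT = 22000

# Constructed sample: one option still on, one device still on "dynamic".
SAMPLE_CONFIG = """<configuration version="37">
    <device id="DEVICE-ID-B" name="hostB" compression="metadata" introducer="false">
        <address>dynamic</address>
    </device>
    <device id="DEVICE-ID-C" name="hostC" compression="metadata" introducer="false">
        <address>tcp://hostC:22000</address>
    </device>
    <options>
        <globalAnnounceEnabled>true</globalAnnounceEnabled>
        <localAnnounceEnabled>false</localAnnounceEnabled>
        <relaysEnabled>false</relaysEnabled>
        <natEnabled>false</natEnabled>
    </options>
</configuration>
"""


def audit_config(xml_text):
    """Return a list of human-readable findings; an empty list means the
    config matches the isolated setup."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The four discovery/relay/NAT options must be explicitly false.
    opts = root.find("options")
    for elem, label in INTERNET_OPTIONS.items():
        node = opts.find(elem) if opts is not None else None
        value = (node.text or "").strip().lower() if node is not None else ""
        if value != "false":
            findings.append(f"option {elem} ({label}) is not disabled")

    # 2. Every remote device must have a static tcp://host:22000 address.
    for dev in root.findall("device"):
        name = dev.get("name") or dev.get("id", "?")
        addrs = [(a.text or "").strip() for a in dev.findall("address")]
        if not addrs or "dynamic" in addrs:
            findings.append(
                f"device {name} uses a dynamic address; "
                f"set tcp://<hostname>:{SYNC_PORT} under Advanced on this side"
            )
        for addr in addrs:
            if addr != "dynamic" and not addr.startswith("tcp://"):
                findings.append(f"device {name} address {addr} is not tcp://")
    return findings


def is_isolated(xml_text):
    """True when the config needs no further changes."""
    return audit_config(xml_text) == []


if __name__ == "__main__":
    # Usage: python audit_st.py /path/to/config.xml   (no path: audit the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = audit_config(text)
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else f"{len(problems)} problem(s) found")
```

Run it on each host's config.xml (the path is shown in the web UI under Actions > Settings, or via `syncthing --paths`); it does not need the web UI port open, and it does not change anything, so it is safe to run repeatedly after edits. Remember the check only covers ST's own behaviour; the firewall rules for ports 22000 and 8384 still have to be verified on the router.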
I hope this helps others.