How to configure Port forwards?
I am doing this for the first time, and am very unsure about what I need for my configuration to work properly, and I am afraid of accidentally opening my network too far by unintentionally disabling security mechanisms.
Attempted use case:
- Prepare my server to be accessible from an external network outside of my router's local network (far distance).
- Make sure only external devices I trust gain access to my server (hence no UPnP desired?).
- Ideally, only my server should be accessible from external devices. All the other devices in my local network should be able to connect to the internet for me to browse, game and do normal work on them, but should not serve as an access point.
My Questions:
- Is port forwarding the proper approach to achieve my goals? I know I might have to configure DNS and maybe even a relay server in addition to port forwards at one point.
- Where do I have to start, and where do I have to enter the ports and listen addresses? My current understanding is that I have to (1) allow port forwards in the router, (2) create listeners in the Syncthing UI/configuration and (3) possibly allow Syncthing to listen on the ports in the firewalls. Is that correct?
Guidelines I follow:
#1
Firewall Setup — Syncthing documentation
Port Forwards
If you have a NAT router which supports UPnP, the easiest way to get a working port forward is to make sure UPnP setting is enabled on both Syncthing and the router – Syncthing will try to handle the rest. If it succeeds you will see a message in the console saying:
Created UPnP port mapping for external port XXXXX on UPnP device YYYYY.
If this is not possible or desirable, you should set up a port forwarding for ports 22000/TCP and 22000/UDP (or whichever port is set in the Sync Protocol Listen Address setting). The external forwarded ports and the internal destination ports have to be the same (e.g. 22000/TCP).
Communication in Syncthing works both ways. Therefore if you set up port forwards for one device, other devices will be able to connect to it even when they are behind a NAT network or firewall.
In the absence of port forwarding, Relaying may work well enough to get devices connected and synced, but will perform poorly in comparison to a direct connection.
#2
Syncthing Configuration — Syncthing documentation
Listen Addresses
The following address types are accepted in sync protocol listen addresses. If you want Syncthing to listen on multiple addresses, you can either: add multiple tags in the configuration file or enter several addresses separated by commas in the GUI.
Default listen addresses (default)
This is equivalent to tcp://0.0.0.0:22000, quic://0.0.0.0:22000 and dynamic+https://relays.syncthing.net/endpoint.
TCP wildcard and port (tcp://0.0.0.0:22000, tcp://:22000)
These are equivalent and will result in Syncthing listening on all interfaces, IPv4 and IPv6, on the specified port.
TCP IPv4 wildcard and port (tcp4://0.0.0.0:22000, tcp4://:22000)
These are equivalent and will result in Syncthing listening on all interfaces via IPv4 only.
TCP IPv4 address and port (tcp4://192.0.2.1:22000)
This results in Syncthing listening on the specified address and port, IPv4 only.
TCP IPv6 wildcard and port (tcp6://[::]:22000, tcp6://:22000)
These are equivalent and will result in Syncthing listening on all interfaces via IPv6 only.
TCP IPv6 address and port (tcp6://[2001:db8::42]:22000)
This results in Syncthing listening on the specified address and port, IPv6 only.
QUIC address and port (e.g. quic://0.0.0.0:22000)
Syntax is the same as for TCP, also quic4 and quic6 can be used.
Static relay address (relay://192.0.2.42:22067?id=abcd123…)
Syncthing will connect to and listen for incoming connections via the specified relay address. Todo Document available URL parameters.
Dynamic relay pool (dynamic+https://192.0.2.42/relays)
Syncthing will fetch the specified HTTPS URL, parse it for a JSON payload describing relays, select a relay from the available ones and listen via that as if specified as a static relay above. Todo Document available URL parameters.
Current Syncthing configuration:
- Various devices in a local network. I use local discovery only and it works fine.
- Example:
  [GTMM2] 11:50:46 INFO: QUIC listener ([::]:22000) starting
  [GTMM2] 11:50:46 INFO: TCP listener ([::]:22000) starting
  [GTMM2] 11:50:51 INFO: Established secure connection to F4MFRUP at 192.168.178.45:22000-192.168.178.22:22000/tcp-client/TLS1.3-TLS_CHACHA20_POLY1305_SHA256
  [GTMM2] 11:50:51 INFO: Device F4MFRUP client is “syncthing v1.16.1” named “server” at 192.168.178.45:22000-192.168.178.22:22000/tcp-client/TLS1.3-TLS_CHACHA20_POLY1305_SHA256
My router is a Fritzbox 7490
- https://assets.avm.de/files/docs/fritzbox/fritzbox-7490/fritzbox-7490_man_en_GB.pdf
- https://en.avm.de/service/knowledgebase/dok/FRITZ-Box-7490/34_Setting-up-port-sharing-in-the-FRITZ-Box/
- My router supports UPnP, but I have NEVER seen the following message:
Created UPnP port mapping for external port XXXXX on UPnP device YYYYY.
Operating System / Syncthing edition
- My server runs Fedora Server 34, with the Syncthing 1.16.1 Fedora package (Overview - rpms/syncthing - src.fedoraproject.org)
- I connect to the server from Windows 10 or Linux Mint, both running Syncthing 1.17.0
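The quoted documentation describes the listen-address grammar (tcp/tcp4/tcp6, quic, relay, dynamic+https) and says the router forward must use the same external and internal port. The following is an added example written for this thread, not code from the original post or from the Syncthing project: it parses the comma-separated Sync Protocol Listen Address value exactly as the docs describe it, expands the `default` keyword into the three addresses listed above, and reports which (protocol, port) pairs need a router forward and a matching host-firewall rule, which listeners are wildcard binds on every interface, and whether a relay fallback is configured. Function and class names are my own assumptions.

```python
"""Classify Syncthing sync-protocol listen addresses and derive the router
port forwards they need.  Added example for this thread, not Syncthing's code;
the address grammar follows the documentation quoted in the post."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# The docs state that "default" is equivalent to these three addresses.
DEFAULT_ADDRESSES = [
    "tcp://0.0.0.0:22000",
    "quic://0.0.0.0:22000",
    "dynamic+https://relays.syncthing.net/endpoint",
]

# scheme -> (transport on the wire, address family).  QUIC runs over UDP,
# which is why the docs ask for both 22000/TCP and 22000/UDP forwards.
SCHEMES = {
    "tcp": ("tcp", "any"), "tcp4": ("tcp", "ipv4"), "tcp6": ("tcp", "ipv6"),
    "quic": ("udp", "any"), "quic4": ("udp", "ipv4"), "quic6": ("udp", "ipv6"),
    "relay": ("relay", "any"), "dynamic+https": ("relay", "any"),
}


@dataclass(frozen=True)
class ListenAddress:
    raw: str
    transport: str        # "tcp", "udp" (QUIC) or "relay"
    family: str           # "any", "ipv4" or "ipv6"
    host: Optional[str]   # None for "tcp://:22000"; IPv6 literals lose their []
    port: Optional[int]
    direct: bool          # True when inbound reachability needs a port forward

    @property
    def binds_all_interfaces(self) -> bool:
        """Wildcard bind: empty host, 0.0.0.0 or :: (per the quoted docs)."""
        return self.direct and self.host in (None, "", "0.0.0.0", "::")


def expand_listen_addresses(value: str) -> List[str]:
    """Split the GUI's comma-separated value and expand the 'default' keyword."""
    out: List[str] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        out.extend(DEFAULT_ADDRESSES if item == "default" else [item])
    return out


def parse_listen_address(addr: str) -> ListenAddress:
    """Parse one listen address URL into its transport, family, host and port."""
    parts = urlsplit(addr.strip())
    if parts.scheme not in SCHEMES:
        raise ValueError(f"unsupported listen address scheme: {parts.scheme!r}")
    transport, family = SCHEMES[parts.scheme]
    return ListenAddress(
        raw=addr.strip(), transport=transport, family=family,
        host=parts.hostname, port=parts.port, direct=(transport != "relay"),
    )


def required_forwards(value: str) -> List[Tuple[str, int]]:
    """(protocol, port) pairs to forward on the router, external == internal.
    The same pairs must be allowed inbound by the server's host firewall."""
    forwards = set()
    for a in map(parse_listen_address, expand_listen_addresses(value)):
        if a.direct and a.port is not None:
            forwards.add((a.transport, a.port))
    return sorted(forwards)


def audit(value: str) -> dict:
    """Summary a defender wants before opening the router: what to forward,
    which listeners accept connections on every interface, relay fallback."""
    addrs = [parse_listen_address(a) for a in expand_listen_addresses(value)]
    return {
        "forwards": required_forwards(value),
        "wildcard_binds": [a.raw for a in addrs if a.binds_all_interfaces],
        "relay_fallback": any(not a.direct for a in addrs),
    }


if __name__ == "__main__":
    # Constructed sample: the stock value, then a pinned-address variant.
    for v in ("default", "tcp4://192.0.2.1:22000, relay://192.0.2.42:22067?id=abcd123"):
        print(v, "->", audit(v))
```

Running `audit("default")` reports forwards for 22000/tcp and 22000/udp, both listeners as wildcard binds, and a relay fallback; only the forwarded pairs reach the server from outside, the router's NAT does not expose the other LAN devices, and the host firewall on the server has to allow the same two pairs for step (3) of the procedure in the question.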