How to configure Port forwards

How to configure Port forwards?

I am doing this for the first time, and am very insecure what i need for my configuration to work properly and i am afraid of accidentally opening my network too far by unintentionally disabling security mechanisms.

Attempted use case:

  • Prepare my server to be accessible from an external network outside of my routers local network (far distance).
  • Make sure only external devices i trust gain access to my server (hence no UPnP desired?)
  • Ideally, only my server should be accessible from external devices. All the other devices in my local network should be able to connect to the internet for me to browse, game and do normal work on them, but should not serve as an access point.

My Questions:

  • Is port forwarding the proper approach to achieve my goals? - i know i might have to configure DNS and maybe even a relay server in addition to port forwards at one point.
  • Where do i have to start and where i have to enter the ports and listen addresses? - My current understanding is that i have to (1) allow port forwards in the routers, (2) to create listeners in the Syncthing UI/configuration and (3) i might have to allow Syncthing to listen for the ports in the firewalls. Is that correct?

Guidelines i follow:

#1

Firewall Setup — Syncthing v1 documentation

Port Forwards

If you have a NAT router which supports UPnP, the easiest way to get a working port forward is to make sure UPnP setting is enabled on both Syncthing and the router – Syncthing will try to handle the rest. If it succeeds you will see a message in the console saying:

Created UPnP port mapping for external port XXXXX on UPnP device YYYYY.

If this is not possible or desirable, you should set up a port forwarding for ports 22000/TCP and 22000/UDP (or whichever port is set in the Sync Protocol Listen Address setting). The external forwarded ports and the internal destination ports have to be the same (e.g. 22000/TCP).

Communication in Syncthing works both ways. Therefore if you set up port forwards for one device, other devices will be able to connect to it even when they are behind a NAT network or firewall.

In the absence of port forwarding, Relaying may work well enough to get devices connected and synced, but will perform poorly in comparison to a direct connection.

#2

Syncthing Configuration — Syncthing v1 documentation

Listen Addresses

The following address types are accepted in sync protocol listen addresses. If you want Syncthing to listen on multiple addresses, you can either: add multiple tags in the configuration file or enter several addresses separated by commas in the GUI.

Default listen addresses (default)

This is equivalent to tcp://0.0.0.0:22000, quic://0.0.0.0:22000 and dynamic+https://relays.syncthing.net/endpoint.

TCP wildcard and port (tcp://0.0.0.0:22000, tcp://:22000)

These are equivalent and will result in Syncthing listening on all interfaces, IPv4 and IPv6, on the specified port.

TCP IPv4 wildcard and port (tcp4://0.0.0.0:22000, tcp4://:22000)

These are equivalent and will result in Syncthing listening on all interfaces via IPv4 only.

TCP IPv4 address and port (tcp4://192.0.2.1:22000)

This results in Syncthing listening on the specified address and port, IPv4 only.

TCP IPv6 wildcard and port (tcp6://[::]:22000, tcp6://:22000)

These are equivalent and will result in Syncthing listening on all interfaces via IPv6 only.

TCP IPv6 address and port (tcp6://[2001:db8::42]:22000)

This results in Syncthing listening on the specified address and port, IPv6 only.

QUIC address and port (e.g. quic://0.0.0.0:22000)

Syntax is the same as for TCP, also quic4 and quic6 can be used.

Static relay address (relay://192.0.2.42:22067?id=abcd123…)

Syncthing will connect to and listen for incoming connections via the specified relay address.

Todo

Document available URL parameters.

Dynamic relay pool (dynamic+https://192.0.2.42/relays)

Syncthing will fetch the specified HTTPS URL, parse it for a JSON payload describing relays, select a relay from the available ones and listen via that as if specified as a static relay above.

Todo

Document available URL parameters.

Current Syncthing configuration:

  • Various devices in a lokal network. I use local discovery only and it works fine.

  • Example:

  • [GTMM2] 11:50:46 INFO: QUIC listener ([::]:22000) starting

  • [GTMM2] 11:50:46 INFO: TCP listener ([::]:22000) starting

  • [GTMM2] 11:50:51 INFO: Established secure connection to F4MFRUP at 192.168.178.45:22000-192.168.178.22:22000/tcp-client/TLS1.3-TLS_CHACHA20_POLY1305_SHA256

  • [GTMM2] 11:50:51 INFO: Device F4MFRUP client is “syncthing v1.16.1” named “server” at 192.168.178.45:22000-192.168.178.22:22000/tcp-client/TLS1.3-TLS_CHACHA20_POLY1305_SHA256

My router is a Fritzbox 7490

Operating System / Syncthing edition

The simplest is a forward of port 22000/TCP on your router towards your internal device. No DNS, no relays, no special config. The other side will try to connect to whatever external IP gets announced on port 22000.

2 Likes

Wow, It is really that simple? Thank you. :slight_smile:

But how does PC1 know the external IP of my Server? Or my routers external IP for that matter? Does it work via Global announcing? also, is ipv6 a thing?

I will try it out tomorrow.

This is done by the global discovery, yes, which also understands IPv6 if you have such connectivity.

2 Likes

Issue closed. All works well so far. Your comments helped a lot.

Turns out router #1 was not able to use UPnP or NAT (i didn’t have access to that router to check configuration), whereas router #2 could (i forwarded port tcp 22000 in router #2 as you advised).

I found out after stumbling upon some logs in fedora cockpit that showed that PC1 connected to the server, but the handshake got closed by “remote device”, hence something in Local network #1 was the culprit.

Eventually, I tested it with a friend who used another router and it all worked well without having to do any configuration on his side. Man i fumbled for weeks with this… glad it finally connects directly without the need to fall back to a relay server.

Cheers

1 Like

I’m about to take my SyncThing set up external, to see if i can connect my phone when offsite, then a friend’s phone and/or PC at their place behind their router.

So my question is pertaining to

What if I have 3 internal devices? Just pick the fastest one that will always be on? Would there be any benefit to connecting to 2/3? I only have 75 Mbps download and I think 7.5 up, so 1 device should be able to saturate anyways… but I’d like to know regardless as I hope to build out some amazing stuff with ST.

Thanks for your time and effort.

You can change the listen address on other devices to a different port and map the different port on the NAT.

Also: FAQ — Syncthing v1 documentation

Gotcha. Not my wheelhouse but I get the basic gist.

Care to comment on speed/performance connecting to multiple internal device vs a single one?

Thanks

Can’t really, as it depends on what the bottleneck is, I guess you see the speeds you expect, then its the network and it’s not a problem.

However it will definately affect latency in terms of how quickly a file propagates, which might leave a bigger window for conflicts to happen, etc.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.