Hi there.
I’m trying to setup Synchting replication behind a router in double nat with no upnp, and 2 “LAN” subnets, each with synchting instances. IPv4 only.
Instances in each LAN zone should be able to replicate across the Internet, and instances in each zone should be able to replicate each other.
I’ve looked at the doc, but I don’t understand what I am see, basically.
I’m wrestling with both the FW config and Syncthing configs and it is getting boring after 2 days.
Can someone point me to a good working multi-subnet LAN setup?
Thanks.
I’m not aware of a guide that covers that situation precisely. Maybe you can write one once you’ve sorted it out. Here are some pointers.
Given double nat, uPNP etc will indeed not work.
Instead, choose a port for each Syncthing instance that will be behind the same router. Usually people have ~1 such instance and the default port 22000 is fine. For multiple instances you will need one per instance, configured manually, and port forwarded in both routers. For example:
Instance A: port 22001 (the “sync protocol listen address” is 0.0.0.0:22001)
Instance B: port 22002
Outer router port forwards: port 22001-22002 towards port 22001-22002 on inner router.
Inner router port forwards: port 22001 to port 22001 on instance A, port 22002 to port 22002 on instance B.
Having the same port both locally and in the port forwards will both make this easier to follow mentally and make the global discovery work properly out of the box.
If you have firewall rules, tweak as appropriate to allow all this to happen.
Local discovery won’t happen between subnets.
Instead, configure instance A to talk to instance B directly using a static address tcp://instance-b-ip:22002. Optionally, do the same in the other direction. Make sure the firewalls allow the traffic.
Well those port forwards are totally unpractical.
It’s not only rules and port management but the static IPs that go with it.
However. I surmise that the global discovery needs either a unique IP or a unique port number.
Based on this idea, I have set my clients totally stock except for disabling relaying --which isn’t disabled, disturbing.
Then on the OPNsense firewall (pfsense if you prefer) I’ve added a “No NAT” outbound rule for connections from the subnet to anywhere port 22000/tcp.
With this I see individual machines connecting to the global servers, and not the gateway address only.
With ample restarts, it looks like connectivity is working, perhaps even for introduced, “Never seen” devices (either it takes long or it doesn’t work.)
So is it luck or can avoiding NAT on the inner router work?
I can’t exactly visualize your network topology where NAT is optional and it works with it either on or off, unless you are NAT:ing public IPs or have static routes on the outer router, but yeah, less NAT will probably simplify things.
I don’t know what the edge router is doing… It’s set to have the inner router as “DMZ” host. It forwards anything to it.
How it can accept outgoing traffic that does not belong to its own network, and let it out, I don’t know. I didn’t set any static route. I guess it NATs anything going out. Netgear stuff.
Anyways. “Unique IP OR unique port”, is that what’s required by global discovery servers?
I’d express it as unique(IP + port), what any listening service needs to be able to accept incoming connections, which I think is the same as what you’re saying.
I haven’t looked at why the edge router is happy while the inner router applies a no-nat outbound rule. But this isn’t right and I don’t think I should build on that.
Finally my idea for a clean and manageable config is this: in each subnet, designate a “mothership” syncthing instance, with static IP, port, and enough storage space. NAT these instances, keep other clients in stock config.
When within their subnets clients will locally sync with the mothership instance that has all the shares.
In the wild, clients will use upnp as provided by their router.
For me and from an admin pov this is acceptable. If the mothership instance was an introducer, traffic towards it would be minimized. What might be missing with this scheme would be some sort of soft quota per directory.
Would someone care to comment?
