Dear All,
I have three syncthing instances running at three different sites. Let’s call them site-M, site-B and site-P. I’m using the default connection setup (dynamic) and get the following sites to connect directly:
site-M <=> site-B
site-M <=> site-P
However, connection between
site-P <=> site-B
only works via relay. A direct connection is only established if I use a dedicated VPN connection between the two (making it effectively a local discovery).
Any idea where I have to apply changes to get a direct connection working? Is this because port 22000 has been configured on all three instances, so one site can only connect to another using this port?
Any help is appreciated.
Thank you for pointing me in the right direction. The firewall for site_B is very restrictive (no NAT and all but the usual standard ports closed). For each port a FW rule is needed, so I suppose I have to add another port (apart from 22000) to establish a second direct connection to site-P. Is there a preferred port range syncthing is scanning by default?
You don’t need separate ports. You need the configured port (22000 by default) to be forwarded on either end (P or B, as in one of them is enough, both is fine too obviously). From what you describe it seems that M has such a forward, thus M-B and M-P works, but both B and P don’t, thus their connection doesn’t.
Thank you Simon for confirming my understanding of syncthing’s port handling. The strange thing is that all three sites have port 22000 forwarded, but only M and P are able to open additional ports via UPNP, while B is unable to do that.
So according to your explanation everything should work just fine …
I will go back and check the FW settings on each site.
Yes, if you have port forwards, UPNP isn’t needed. Check local firewall and anti-virus (if present) - even if they shouldn’t interfere, they have a tendency to do it.
Another thing to check: Do they discover each other? You could disable relaying and then while they are disconnected, you can expand the device and all discovered addresses are listed there.
That’s a good idea. I will try that tonight and feedback my findings. I did that a while ago but can’t remember the discovery status.
Thanks for your help.
Ok - just tried as you told me. Disabled relaying on M and P and watched the discovery process.
This is the result for P:
quic://78.aa.bb.ccc:22000
Handshake did not complete in time (21:10:23)
relay://107.aaa.bb.ccc:443
tcp://78.aa.bb.ccc:22000
i/o timeout (21:11:13)
And this for M:
tcp://78.94.33.250
i/o timeout (21:15:38)
So it seems P is discovering B via relay, while M is unable to discover M at all.
It’s not quite clear where these addresses belong, i.e. device whose UI you are looking at and device the addresses belong to.
Anyway, for both devices you showed a tcp address was discovered, which means that is working, but a connection (attempt) timed out. Which points back at NAT/firewall/anti-virus.
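An added example, not from the thread or from Syncthing itself: a small Python parser for the discovered-address listing Simon refers to, applying the rule from his reply (a direct tcp/quic address was discovered but its attempt timed out, so the problem is NAT/firewall/anti-virus, not discovery). The set of schemes counted as direct, the reading of "no error line under an address" as "no recorded failure", and the diagnosis labels are assumptions; the sample listings are copied from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Listings as shown in the thread (addresses partially masked there).
SAMPLE_P = """quic://78.aa.bb.ccc:22000
Handshake did not complete in time (21:10:23)
relay://107.aaa.bb.ccc:443
tcp://78.aa.bb.ccc:22000
i/o timeout (21:11:13)
"""
SAMPLE_M = """tcp://78.94.33.250
i/o timeout (21:15:38)
"""

DEFAULT_PORT = 22000  # Syncthing's default listen port, as discussed in the thread
ADDR_RE = re.compile(r"^(?P<scheme>[a-z0-9]+)://(?P<host>[^:\s]+)(?::(?P<port>\d+))?$")

@dataclass
class Discovered:
    scheme: str
    host: str
    port: Optional[int]
    error: Optional[str] = None  # error line printed under the address, if any

    @property
    def direct(self) -> bool:
        # Assumption: these schemes are direct connections, everything else (relay) is not.
        return self.scheme in ("tcp", "tcp4", "tcp6", "quic", "quic4", "quic6")

def parse_addresses(text: str) -> List[Discovered]:
    """Parse the expanded device panel: an address line, optionally followed by its last error."""
    entries: List[Discovered] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADDR_RE.match(line)
        if m:
            port = int(m.group("port")) if m.group("port") else None
            entries.append(Discovered(m.group("scheme"), m.group("host"), port))
        elif entries:
            entries[-1].error = line  # a non-address line belongs to the preceding address
    return entries

def diagnose(entries: List[Discovered]) -> str:
    direct = [e for e in entries if e.direct]
    if not direct:
        return "no-direct-address"        # only relay (or nothing) found: discovery/announce problem
    if any(e.error is None for e in direct):
        return "direct-no-error"          # a direct address with no recorded failure
    return "direct-attempts-failed"       # discovered fine, attempts time out: NAT/firewall/AV

def ports_to_check(entries: List[Discovered]) -> List[int]:
    """Listen ports that must be reachable on the remote side (default if the address has none)."""
    return sorted({e.port or DEFAULT_PORT for e in entries if e.direct})
```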
I’ve reverted back to a VPN-based solution - that way the very restrictive FW on site-B is not disturbing any traffic. After trying all sorts of scenarios it turned out to be the culprit. Thank you for helping me on this.