Opnsense rules for relay server


I’m running a public relay server in the following setup.

A custom Opnsense box is acting as firewall/router/gateway/dhcp server to my WAN connection. My internal network consists of two VLAN’s: DMZ and Internal. In the DMZ I have a raspberry pi that runs DietPi. The Pi runs the syncthing relay service on ports 22067 and 22070. The IP-Address of the pi is

All traffic from my internal network to the internet is allowed. I only use IPv4, both internal and on the WAN connection.

In Opnsense I have added two port forward rules, forwarding port 22067 and 22070 from the WAN address to the same ports on the Pi.

This seems to work at first sight, but when I was reviewing my firewall logs I noticed that a lot of traffic from to : was blocked by a rule labelled ‘Default deny / state violation rule’.

Question 1: what kind of traffic is this?

Question 2: I think this issue might be related to the state table that the firewall uses to keep track of connections. This assumption is based on this discussion:

and the state type option:


The solution that eventually worked out was creating one single additional floating rule:

  • Action: pass
  • interface: DMZ
  • Direction: in
  • Source: pi
  • Source port: 22067
  • Destination: any, any port
  • Advanced options - State type: none

Question 3: is this the proper way to solve the issue?

The relay server just takes regular incoming TCP connections; I have no idea what traffic you’re seeing blocked or what the problem with state would be. This seems like an OPNSense question.

Thanks for your quick reply, I’ll check the opnsense forum as well!

How did you setup public relay for everyone? What spurce did you use? Or you just simply run regular gui Dyncthing and forrwarded port? I did the same but i cant see my relay at official map https://relays.syncthing.net/

This doesn’t sound so great.

Please read the documentation as to how to set up a public relay and how to announce your relay to a public pool. Syncthing Relay Server — Syncthing documentation

If you’re not entirely sure what you’re doing, at the very least don’t port-forward to a regular Syncthing instance’s gui.

Dont worry, im aware of public facing assets. So its mot that im blindly forrward without any wonders. Ive found an official solution, but im looking for Docker-compose. Its much reliable to install etc :slight_smile: And ofcourse im will not expose gui…

1 Like

@klisza1993 I added the apt repository (Syncthing | Downloads) to my dietpi install and from there installed the relay server by using apt-get install syncthing-relaysrv. It currently installs version 1.22.1.

Docker container is available at dockerhub, but 1.18.6 is the latest version available and over a year old. I suggest not to use it for security reasons.

You have to forward both ports: 22067 and 22070. The latter is only used for showing the statistics on the public relay webpage. If you don’t forward it, the relay exists but information is not published there.

I have created the following topic on the opnsense forum: Syncthing relay traffic out blocked?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.