Probable Firewall/NAT issue - not sure what to try next

Hi, apologies, I don’t know if I’m allowed just to ask for help on this topic. It will probably be a firewall/NAT issue, but I could do with some advice on how to diagnose the problem.

I have tried my best to do the right things, trying to connect on ports 80 and 443 to get through the corporate firewall, setting up port forwarding on my router, etc.

When all devices are together on the same subnet, local discovery works great and all the devices see each other and syncing works just great.

Trying to connect one device using a supplied DNS name rather than local discovery always fails (regardless of whether at work behind NAT and firewall, or at home on the same subnet).

The errors I get are:

[SQXDO] 2016/02/02 21:42:10 DEBUG: dial ZNUNMJP tcp://koloss.zakss.com:80
[SQXDO] 2016/02/02 21:42:20 DEBUG: dial failed ZNUNMJP tcp://koloss.zakss.com:80 EOF
[SQXDO] 2016/02/02 21:42:20 DEBUG: Connecting to ZNUNMJP via tcp://koloss.zakss.com:80 failed
[SQXDO] 2016/02/02 21:43:20 DEBUG: dial ZNUNMJP tcp://koloss.zakss.com:443
[SQXDO] 2016/02/02 21:43:30 DEBUG: dial failed ZNUNMJP tcp://koloss.zakss.com:443 EOF
[SQXDO] 2016/02/02 21:43:30 DEBUG: Connecting to ZNUNMJP via tcp://koloss.zakss.com:443 failed

My setup is as follows.

One node is at home (ZNUNMJP), one node is a laptop mostly used at work (SQXDOA5).

Node SQXDOA5 (running OSX) at work behind a corporate firewall. No UDP is allowed through. It permits outbound TCP on port 80 and port 443.

On node SQXDOA5 I have added device ZNUNMJP using the addresses tcp://koloss.zakss.com:443, tcp://koloss.zakss.com:80, and this name is externally DNS resolvable from behind my firewall.

On node SQXDOA5 I have unchecked local discovery, global discovery and relaying as none of this will work behind the firewall.

Node ZNUNMJP (also running OSX) is at home behind my own router and firewall which I control.

Node ZNUNMJP is listening on addresses tcp://0.0.0.0:22000, tcp://0.0.0.0:22001

There are two ports to give me two bites at the cherry to hit either port as follows.

The router (Apple Airport Extreme) is configured with port forwarding rules:

koloss.zakss.com port 80 -> internal host 22001
koloss.zakss.com port 443 -> internal host 443

So connecting on port 80 should directly hit Syncthing on port 22001.

Regarding port 443, I do not want to run syncthing as root, I am using the BSD packet filter (PF) and network address translation (NAT) device which comes with OSX to do some port forwarding locally on my OSX host:

In /etc/pf.anchors/ansyncthing

rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 22000

In /etc/pf-ansyncthing.conf

rdr-anchor "forwarding"
load anchor "forwarding" from "/etc/pf.anchors/ansyncthing"

I enable the packet filter and load my rules

$ sudo pfctl -v -e -f /etc/pf-ansyncthing.conf

No ALTQ support in kernel
ALTQ related functions disabled
PF enabled
rdr-anchor "forwarding" all
Loading anchor forwarding from /etc/pf.anchors/ansyncthing
rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 22000

HTTP and other traffic seems to be OK. In the log from node SQXDOA5 at work, I see HTTP requests. For example:

[SQXDO] 2016/02/02 18:05:25 DEBUG: http: GET "/rest/system/status": status 200, 282 bytes in 0.34 ms

I don’t know what to try next. Any advice is much appreciated.

Rgds Andris

Out of curiosity: Have you tried connecting to a relay on port 443 first? There are four available:

  • 23.92.71.120:443
  • 78.47.248.86:443
  • 194.126.249.21:443
  • 88.146.209.122:443

see: http://relays.syncthing.net/

I enabled relaying on both nodes and entered relay addresses: relay://23.92.71.120:443, relay://78.47.248.86:443, relay://194.126.249.21:443, relay://88.146.209.122:443

No connection yet, and I get this in the logs:

[SQXDO] 2016/02/02 23:13:27 DEBUG: Not connecting via relay false true false

I have started to get different error messages on the original scheme trying to connect on 80 and 443 via DNS name, I’m sure this should tell me something but I don’t know what.

[SQXDO] 2016/02/02 23:14:35 DEBUG: dial ZNUNMJP tcp://koloss.zakss.com:443
[SQXDO] 2016/02/02 23:14:35 DEBUG: dial failed ZNUNMJP tcp://koloss.zakss.com:443 remote error: handshake failure
[SQXDO] 2016/02/02 23:14:35 DEBUG: Connecting to ZNUNMJP via tcp://koloss.zakss.com:443 failed
[SQXDO] 2016/02/02 23:14:35 DEBUG: dial ZNUNMJP tcp://koloss.zakss.com:80
[SQXDO] 2016/02/02 23:14:35 DEBUG: dial failed ZNUNMJP tcp://koloss.zakss.com:80 dial tcp 31.48.144.33:80: getsockopt: connection refused
[SQXDO] 2016/02/02 23:14:35 DEBUG: Connecting to ZNUNMJP via tcp://koloss.zakss.com:80 failed
[SQXDO] 2016/02/02 23:14:35 DEBUG: Not connecting via relay false true false
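The "dial failed" lines above each end in a different Go network error, and the error text says how far the connection got. Here is a small added diagnostic (not part of the thread or of Syncthing) that parses such lines and maps each error to the stage it reached; the sample lines are copied from the posts above, and the cause mapping is my own reading of the errors, not something the thread states.

```python
import re

# Sample input: the "dial failed" lines quoted in this thread (constructed from the posts).
SAMPLE_LOG = """\
[SQXDO] 2016/02/02 21:42:20 DEBUG: dial failed ZNUNMJP tcp://koloss.zakss.com:80 EOF
[SQXDO] 2016/02/02 23:14:35 DEBUG: dial failed ZNUNMJP tcp://koloss.zakss.com:443 remote error: handshake failure
[SQXDO] 2016/02/02 23:14:35 DEBUG: dial failed ZNUNMJP tcp://koloss.zakss.com:80 dial tcp 31.48.144.33:80: getsockopt: connection refused
"""

DIAL_FAILED = re.compile(
    r"^\[(?P<node>\w+)\] (?P<ts>\S+ \S+) DEBUG: dial failed (?P<device>\w+) "
    r"(?P<addr>\S+://\S+) (?P<err>.*)$"
)

# Substring of the Go error -> (stage reached, likely meaning for a NAT/forwarding setup).
# Assumption: these readings are the usual ones for these error strings.
CAUSES = [
    ("connection refused", ("tcp", "host reachable but nothing listening / no forward on that port")),
    ("i/o timeout", ("tcp", "no reply at all: packets dropped by a firewall or sent to the wrong IP")),
    ("handshake failure", ("tls", "TCP connected, TLS failed: forwarded to a non-Syncthing service")),
    ("EOF", ("tcp", "peer accepted then closed: intercepting proxy or wrong service behind the port")),
]


def classify(err):
    """Return (stage, meaning) for one dial error string."""
    for needle, verdict in CAUSES:
        if needle in err:
            return verdict
    return ("unknown", err)


def diagnose(log_text):
    """Parse every 'dial failed' line and attach the stage it reached."""
    results = []
    for line in log_text.splitlines():
        m = DIAL_FAILED.match(line)
        if not m:
            continue
        stage, meaning = classify(m["err"])
        results.append({"ts": m["ts"], "device": m["device"], "addr": m["addr"],
                        "stage": stage, "meaning": meaning})
    return results


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        print(f'{r["ts"]} {r["device"]} {r["addr"]}: [{r["stage"]}] {r["meaning"]}')
```

Reading the three sample lines this way: the first two reached a listener that was not Syncthing (EOF, then a TLS handshake failure), while the last one found nothing listening behind port 80, which points at the router or PF forwarding rather than the corporate firewall.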

So I suggest you play with netcat to verify that the port forwarding works correctly.

It is also possible that port 80 and 443 are only allowed via a http proxy, and not directly.

OK that is completely right. Port forwarding was the issue.

The option using the BSD PF facility (equiv of iptables) to set up local port forwarding rules on the OSX host looks like it is not doing forwarding correctly; I don’t know why, but I am temporarily giving up on that option.

The option of using my home router to port forward external 443 to internal 22000 looks like it is working today. Wasn’t working yesterday.

I suspect this had something to do with it:

BT apologises for broadband outage across much of UK

Murphy’s law in operation!

Thanks for all the help, the advice I got on this site has helped me fix the problem.

Anyway, it’s all working now and I am very happy. I have local discovery working at home and addressing via a specific DNS name from elsewhere. I look forward to contributing back to Syncthing in some way.
