Syncthing also opens port 22000/UDP when that port on TCP is open?

I have opened a Syncthing node behind a NAT to the internet following the docs. As I have UPnP disabled, I have opened the 22000/TCP and 21027/UDP ports on my router pointing to that device. However, I also see that other nodes are connected to that node through quic://external_ip:22000. That would be 22000/UDP (which is not open in my router config) instead of TCP, since QUIC uses UDP. Is Syncthing punching a hole through the NAT by using RELATED packets?

nmap reports the port as open|filtered, which means that the port is giving back no response.

Port 21027/UDP is used for local discovery only, there is normally no need to open this port on a router (the docs only mention this port when talking about local firewalls).

In the past, Syncthing only used 22000/TCP for incoming connections, but recent versions have added the IETF QUIC protocol, which uses UDP. I guess the firewall guide is slightly outdated and doesn’t mention that.

Yes, syncthing does perform UDP hole punching and will probably do the same with TCP in future versions.

Opening a port in a firewall is a generally recommended step, because it reduces the number of issues further down the road. But in many cases, syncthing will work perfectly fine without port forwards/(semi-)closed firewalls.

As described, the port speaks QUIC and probably doesn’t respond to packets which are not QUIC. QUIC is a very recent protocol and most port scanners probably don’t speak it (yet).

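To see why the QUIC listener shows up as open|filtered, here is an added example (not Syncthing's code, and not from the posts above) that classifies a UDP port the way nmap -sU does and runs it against a local listener that stays silent, like a QUIC-only service receiving a non-QUIC datagram; the listener helper and the probe payload are constructed for this demonstration.

```python
import socket
import threading

# Constructed probe payload: a plain scanner datagram, not a QUIC Initial,
# so a QUIC-only listener such as Syncthing's 22000/UDP will ignore it.
PROBE = b"syncthing-port-check"

def probe_udp(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a UDP port the way nmap -sU does: a datagram reply means
    open, an ICMP port-unreachable (seen as ECONNREFUSED on a connected
    UDP socket) means closed, and silence is ambiguous -> open|filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket so ICMP errors surface
        try:
            s.send(PROBE)
            s.recv(2048)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"

def start_listener(echo: bool):
    """Local UDP listener for testing (hypothetical helper, not Syncthing):
    echo=False behaves like a QUIC service dropping non-QUIC packets."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(2048)
            except socket.timeout:
                continue
            if echo:
                srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop

if __name__ == "__main__":
    port, stop = start_listener(echo=False)
    print(f"silent UDP listener on {port}: {probe_udp('127.0.0.1', port)}")
    stop.set()
```

Pointed at your own router's external address, the same function only tells you whether anything answered; a silent result is consistent with both a forwarded QUIC listener and a dropped packet, which is exactly the ambiguity nmap reports.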

It uses both tcp and udp (for quic), the docs are just outdated and don’t mention it.