Syncthing on intranet

I would like to use syncthing on an intranet. E.g. a vlan that is totally separated from the internet. Would this work without any kind of discovery?

What kind of connectivity do I need between the devices in such environment? E.g. do I need to make sure that they can reach other with layer 2 broadcast packets? Or would it be enough to specify the address with tcp://ip:port manually?

Either works.


Thanks! I have another related question. What happens if I let these syncthing instances reach the internet and upgrade themselves automatically? Will they also try to connect to discovery networks? Will they try to communicate with each other through the internet, or will they always use the manually given tcp://ip:port addresses?

What I really want is to let them upgrade automatically, but prevent any kind of data synchronization / device connection to any other syncthing instance, except the preconfigured fixed IP addresses. Is it possible to configure this? Can this be achieved with firewall rules? (Or maybe both?)

The Allowed Networks feature, set on a per-device basis from Actions->Advanced->Devices-> [devices] allows you to restrict syncing through specific subnets. This is obeyed even with global discovery enabled and means you don’t need to set specific addresses for devices to connect to. They can use local or global discovery, and will only attempt connections as permitted.

If you are likely to use this for new devices, you can also set the defaults in the Actions->Advanced page.

1 Like

This is fantastic! Syncthing is fantastic. Thank you! :slight_smile:

1 Like

Things like discovery, relays etc will still connect to the internet regardless if you have preconfigured addresses or not. You have to explicitly disable those.

1 Like

By default they will announce themselves to the global discovery servers, yes. If you don’t want this, you can turn off global discovery in the settings. Syncthing will also try to reach relay servers, but you can turn that off too.

Local discovery (layer 3 multicast) is a separate option and can be turned on/off separately. No discovery is needed if addresses are configured manually.

By default device addresses are set to dynamic, meaning that all addresses obtained using an enabled discovery method (local, global) can be used (though some advanced features like allowed networks can be used to forbid some discovered addresses). When configured with a manual address, only this address is used and no discovered address (technically it’s also possible to combine manual and discovered addresses, if anyone wants this).

Basically the answer to all of your questions so far is: You can configure this. Pretty much every feature related to connections can be switched on/off.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.