UPnP is set by default on my router and I saw that an unknown port forwarding service was automatically added that looked suspicious. Each time I deleted it, it was added back until I shut off UPnP on the router and now it’s gone. It appeared to be routing a port on my router to an external IP address in Korea? Does this look normal to anyone?
Two things.
The software interface asked you after the install if you wanted to participate in global statistics sharing. Did you enable or disable this?
By default syncthing is configured to communicate globally and be able to talk to servers located outside of your local network as well as inside so what you might be seeing is the default Discovery server packets.
If you are only going to be synchronizing devices on one subnet, you can disable Relay servers, and Discovery servers.
If however your network has multiple subnets the software normally uses the discovery servers to locate each other even though they will ultimately be talking on your local network possibly through an internal router.
Syncthing will auto discover servers on its own subnet.
Syncthing will attempt to create a port mapping on your router by default. So yes, this port mapping is normal and expected. This port mapping is used so that other syncthing devices can connect to your syncthing device over the internet, without a router NAT (Network Address Translation)/firewall getting in the way.
Ports cannot be “routed” to IP addresses. Ports can simply be opened or closed. Anyone can connect to an open port, unless a firewall intervenes. However, syncthing’s connections are always secured and hence an unauthorized connection over an open port is not a security issue.
Depending on your exact network setup, you may not need the port forwarding. You can turn it off from within syncthing under Actions → Settings → Connections → Enable NAT traversal. If disabled, syncthing will turn off all helpers that help to connect through NAT, including port mappings via UPnP/NAT-PMP.