Tailscale using relay even if firewall disabled - why?

I tried connecting my laptop from my brothers place to my Synology NAS at home. I disabled the firewall on my brothers router, my home router, my NAS as well as my laptop. I turned off/paused my kaspersky antivirus as well. However, when i check my tailscale status, it says that i’m connected via relay. How do i get direct peer-to-peer connection?
I’ve read that I should open ports 443, 3478 and 41641 but does that matter if all the firewalls are already disabled? I’m a novice in networking, please teach me what to do. Do i need to do port forwarding? Thanks.
Note: I can connect to my Synology and do file transfers, etc. I just want to get a peer-to-peer connection.

update: i got it to work. i just had to refresh. also checked that i had setup port forwarding correctly on both ends for the said 3 ports.

1 Like

Normally, with tailscale you don’t need to open any port or firewall. Tailscale is using some awesome stateful firewall magic to map the port via stun.

But there are some limitations when you don’t have a public routable ip address, often seen in CGnat (or double NAT).