I’m not manually mapping ports in the router. Sorry, it’s a little hard to clarify over text here but I’ll do my best.
I’m using a Fortigate 60F but this would apply to any Fortigate firewall running FortiOS v6.x and up, and probably most prior versions. The firewall does not support UPnP and by default will randomize the source port when NAT/PATing to the WAN interface. This makes it nearly impossible for ZT nodes or just about any p2p software to connect directly when both nodes are behind enterprise grade firewalls. So on my end, I enable “source port preservation” which at least keeps the source port when PATing to the WAN.
The problem arises when you have two or more inside hosts sending traffic to the same destination IP+Port like the ZT planet/leaf servers. Both hosts send from the same source port, so now the firewall has a conflict: how does it differentiate the sessions when they are going to have the same NATed IP and PATed source port, going to the same Destination IP+Port? It can’t, so it logs a session clash and allows the most recent packet to override the session in its NAT table.
My workaround to this session clash is just changing the default primary source port on ZT from 9993 to 9994 and up from there on clients that are behind the same Firewall, or just picking something in the ephemeral range.
Edit: Just reiterating that I don’t actually notice any negative impact from the session clashes on the firewall apart from the excessive logs. ZT seems to work just fine with the session clashes happening but I don’t really have the knowledge/expertise/visibility to tell if something is wrong unless the network connections completely fail. For the most part, this is just my OCD trying to clean up what I can see.
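The PAT behaviour described in the post above, as an added illustration that is not part of the original thread and is not FortiGate or ZeroTier code: a small model of a NAT/PAT table keyed on the outside 5-tuple. With source port preservation on, two LAN hosts that both use ZeroTier's default port 9993 toward the same planet address collapse onto one outside entry (a "session clash", newest flow wins); moving one host to 9994 removes the overlap, and port randomisation avoids the clash but at the cost of the inside host no longer knowing the port the outside world sees. All IPs, ports and the planet address are constructed sample values.

```python
"""Model of a PAT table with and without source-port preservation.
Added example for the forum post above; it is not FortiOS code and does not
reproduce FortiGate internals. All addresses and ports are constructed."""
from dataclasses import dataclass, field
import random


@dataclass(frozen=True)
class Flow:
    """Inside view of a session (hypothetical 5-tuple, UDP by default)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass
class PatTable:
    """Outside key (wan_ip, xlate_port, dst_ip, dst_port, proto) -> inside Flow."""
    wan_ip: str
    preserve_source_port: bool
    sessions: dict = field(default_factory=dict)
    clashes: list = field(default_factory=list)   # (old_flow, new_flow) pairs
    _rng: random.Random = field(default_factory=lambda: random.Random(1))

    def translate(self, flow: Flow) -> tuple:
        """Install a session for `flow` and return the outside key it got."""
        if self.preserve_source_port:
            # Keep the inside port: p2p peers can learn a predictable port,
            # but two inside hosts using the same port to the same peer collide.
            xlate_port = flow.src_port
            key = (self.wan_ip, xlate_port, flow.dst_ip, flow.dst_port, flow.proto)
            existing = self.sessions.get(key)
            if existing is not None and existing != flow:
                # Same outside 5-tuple already owned by another inside host:
                # return packets would be ambiguous, so log a clash and let the
                # most recent flow take over the entry (as the post describes).
                self.clashes.append((existing, flow))
        else:
            # Randomised PAT: pick an ephemeral port not already in use for
            # this destination, so clashes cannot occur (but the inside host
            # cannot predict which port the peer will see).
            while True:
                xlate_port = self._rng.randint(1024, 65535)
                key = (self.wan_ip, xlate_port, flow.dst_ip, flow.dst_port, flow.proto)
                if key not in self.sessions:
                    break
        self.sessions[key] = flow
        return key


PLANET = ("198.51.100.1", 9993)              # constructed stand-in for a ZT planet
LAN_HOSTS = ("192.168.1.10", "192.168.1.11")  # two constructed inside hosts
WAN_IP = "203.0.113.10"                       # constructed firewall WAN address


def run_scenario(zt_ports, preserve=True) -> PatTable:
    """Two LAN hosts each open their ZT primary port toward the same planet."""
    table = PatTable(WAN_IP, preserve)
    for host, port in zip(LAN_HOSTS, zt_ports):
        table.translate(Flow(host, port, *PLANET))
    return table


def outside_port_predictable(table: PatTable) -> bool:
    """True if every session's outside port equals its inside source port."""
    return all(key[1] == flow.src_port for key, flow in table.sessions.items())


if __name__ == "__main__":
    clash = run_scenario([9993, 9993])
    print("both on 9993, preserved :", len(clash.clashes), "clash(es), entry now owned by",
          next(iter(clash.sessions.values())).src_ip)
    print("9993 + 9994, preserved   :", len(run_scenario([9993, 9994]).clashes), "clash(es)")
    rnd = run_scenario([9993, 9993], preserve=False)
    print("both on 9993, randomised :", len(rnd.clashes), "clash(es), port predictable:",
          outside_port_predictable(rnd))
```

The three scenarios map onto the post: preservation plus identical ZT ports produces exactly one clash and the second host silently takes over the table entry; giving the second client 9994 yields two distinct outside keys; and randomised PAT never clashes but makes the outside port unpredictable, which is what breaks direct peer-to-peer connectivity in the first place.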