A message from the Roon founders

I think we’re on the countdown for this thread to be closed…

2 Likes

Do you mean create an album called “Disco Tunes Galore” that matches the folder’s content, retag all the files with MP3tag or other software to belong to that album, and even create fake “Album Art”? That’s what I do with folders full of purchased like singles, as I don’t like having an “Album” with just one song. I also Roon-tag all my Digital Only purchases to differentiate from physical media (Roon’s ability to toggle off/on tags is THE BEST!!). That being said, I can definitely see why having Folders as a browse option would be nice. :grin: (Note: Local collection only)

Have to agree with @Joachim_Herbert . . . that way madness lies. If you must edit tags (which I do for things like adding purchased missing tracks to soundtrack albums; naughty, I know), I think it’s way safer to retag files outside of Roon. I love that Roon doesn’t futz with my stuff. :laughing:

2 Likes

It is the end user’s responsibility to configure their own router. If you are concerned about what UPnP may be doing, or with Roon’s (or any other company for that matter) decision to utilize it, turn it off.

4 Likes

My understanding was that the Roon software opens the port itself. If that is not true then I’d retract my statement. If it is true then I stand behind it.

Roon server opens the port on the local machine and then uses uPnP to request that the router open the port and forward traffic to the Roon server. The uPnP request will fail if uPnP is not present and enabled on the router - in which case the port is not opened on the router.

So, if uPnP is not enabled, and no manual port forwarding rule is created, then your network is no less secure (from an ipv4 perspective) for the port being opened on the Roon Server device.

Ipv6 is somewhat different. In principle, if you have ipv6 enabled and your ISP supports it (or you get ipv6 connectivity some other way - e.g. Hurricane Electric 6in4 tunnel) your Roon server will be given an ipv6 address which is routable - meaning that the Roon Server (and any other device on your network that supports ipv6) can be seen directly from anywhere on the internet.

However, most ipv6 enabled routers also implement an ipv6 firewall which will prevent unsolicited connections to devices on your LAN. In this case, in order to get ARC connecting to your Roon server over ipv6 (or indeed support any other connection to a server of any kind on your network), you would need to open a hole in that firewall - often referred to as a ‘pinhole’ - which is the ipv6 equivalent of a port forwarding rule.

1 Like

I set the port to zero but Roon keeps changing it to 55002. A restart of any remote does this.

I’ve turned off UPnP and have no port forwarding set up on my router, so it isn’t getting anywhere. A switch to make ARC go away in Roon would be good.

4 Likes

Thank you for the explanation. So it sounds like it is a mix of settings we may control on our router and things Roon automatically does.

I suggest that if the Roon software does anything in terms of changing router configuration, that should (1) be made very clear to users - doesn’t Roon claim to be usable by ordinary people? and (2) should just ask before it does it. I understand UPNP is designed to react to Roon’s configuration instructions, but still, I think it is problematic. My understanding is that Plex asks before it opens up your home network.

Yes, this is what I see as well. That seems to me to be a fairly big programming issue.

In effect, I shouldn’t have to change my router settings to protect my network. Roon shouldn’t be doing anything with the router without more control-ability.

2 Likes

There is nothing going anywhere anyway. Opening a port is just listening for a connection on that port. It is not transmitting anything. If nothing external (ARC) tries to connect, it will just listen indefinitely with no traffic and no connection established to any other device. When there is a connection request, a connection is established and used to authenticate the connection in some form. If that authentication fails the connection will be closed and no further traffic will flow.

Whilst an open port exposed to the internet is a security vulnerability, a well designed service will use authentication methods and checks that make a practical security risk very small.

1 Like

Even if Plex does ask before opening ports on the router, and even if Roon Server was changed to do the same, can you be sure that every other program you are running on any of the computers on your network is doing the same? Some routers enable you to see what ports have been opened by uPnP requests - many don’t. If you have one of the latter, how do you know what ports are open or not?

If you want to lock down your network, then you should disable uPnP on the router.

I would contend that simply fixing what appears to be a bug with the port 0 setting getting reset would be good enough. There should not be a need for any further controls.

1 Like
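For routers that do not list UPnP-created mappings in their admin pages, the mappings can still be read back with the UPnP IGD `GetGenericPortMappingEntry` action, which returns one mapping per index until the router answers with a SOAP fault. The sketch below is an added example, not code from this thread or from Roon; it parses such replies and reports mappings nobody approved. The replies, LAN addresses, descriptions and port 40123 are constructed samples, and fetching the replies from the router is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"

def parse_mapping(xml_text):
    """Parse one GetGenericPortMappingEntry reply; None if it is a SOAP fault
    (the router's answer once the index runs past the last mapping)."""
    root = ET.fromstring(xml_text)
    f = {el.tag: (el.text or "") for el in root.iter() if el.tag.startswith("New")}
    if "NewExternalPort" not in f:
        return None
    return {"proto": f["NewProtocol"].upper(), "ext_port": int(f["NewExternalPort"]),
            "client": f["NewInternalClient"], "int_port": int(f["NewInternalPort"]),
            "enabled": f.get("NewEnabled") == "1",
            "desc": f.get("NewPortMappingDescription", "")}

def collect(replies):
    """Walk replies in index order and stop at the first fault."""
    mappings = []
    for text in replies:
        m = parse_mapping(text)
        if m is None:
            break
        mappings.append(m)
    return mappings

def unexpected(mappings, approved):
    """Enabled mappings whose (protocol, external port) was never approved."""
    return [m for m in mappings
            if m["enabled"] and (m["proto"], m["ext_port"]) not in approved]

# Constructed sample replies (not captured from a real router).
_REPLY = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
          '<u:GetGenericPortMappingEntryResponse xmlns:u="' + SERVICE + '">'
          '<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
          '<NewProtocol>{proto}</NewProtocol><NewInternalPort>{ext}</NewInternalPort>'
          '<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
          '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
          '<NewLeaseDuration>0</NewLeaseDuration>'
          '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
_FAULT = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
          '<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
          '</s:Fault></s:Body></s:Envelope>')
SAMPLE = [_REPLY.format(ext=55002, proto="TCP", client="192.168.1.20", desc="media server"),
          _REPLY.format(ext=40123, proto="UDP", client="192.168.1.77", desc="unknown app"),
          _FAULT]

if __name__ == "__main__":
    for m in unexpected(collect(SAMPLE), approved={("TCP", 55002)}):
        print("unapproved mapping:", m)
```

An empty result from `collect` means the router holds no UPnP mappings, which is the state described above for a router with UPnP disabled.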

One can turn off UPnP on the router, but a factory reset of the router would likely result in it being set on again. It is unacceptable that the user has to remember to do this, easy to forget. I agree the security risk is small, but a user who has no intention of using ARC should not have to be exposed to any risk from it. Therefore Roon should have a switch to allow users to turn off ARC from the internet (fine if it’s available locally).

1 Like

Obviously not, albeit I do not run a lot of software that would seem to have a need for such a connection. It’s probably true that my kids use software that does. But at least they don’t have the router password to manually configure anything.

In any case, I don’t think that is much of a defense for Roon in the sense that sure, there may be other software that does unacceptable or inappropriate stuff, but that doesn’t make Roon any better, nor would it make me feel better that there is other software opening ports if a security breach was Roon’s fault.

A good start anyway.

1 Like

Would it be a solution to forbid port forwarding in general for the roon core router-wise? My router has such option, if I am not mistaken.

It might be worth taking a look at this thread from July 22, which discusses the threat (or lack thereof) from using ARC and UPNP. @danny’s response is particularly useful in clarifying why ARC does not pose a security risk.

Yes. 1234567

Obviously there is a difference of opinion on the ARC/port forwarding/UPnP thing, and I would guess those who don’t see a problem are generally the users that use ARC, while those that aren’t happy are those that don’t.
A further question for those that might know. If a router has UPnP enabled, and Roon 2.0 is installed, and the user then disables UPnP on the router, is the port that Roon opened still open? My guess is yes, but it is just a guess. If that is the case I imagine there are a lot of Roon users that are not using ARC but still have an open port.

There will be a port open on the Roon server device but, if uPnP and natPmP are disabled and no port forwarding is set up on the router, then there is no security risk from outside of your own network.

The issue, if there is an issue (and I don’t believe that there is), is not the open port on the Roon Server. It is the open port on the Router.

Just as a comparison, in the UK, we are currently moving to VOIP landlines. If you want a new landline from BT, it will be what BT calls ‘Digital Voice’ which will require more than one port on your router to be opened.

I’m a bit confused by this TBH, I ran a port scanner and the ARC port was indeed open.
Do I understand correctly that if I just install ARC on a device and log into the Roon server in ARC I should be ok because the authentication is set up?

Thanks.

Edit. I should say that I know I can change the port no to 0 in Roon but it resets if the NUC reboots I understand.

Usually your router runs a firewall which keeps computers on the outside, the WAN side, from accessing any computers on the inside, the LAN side. So an open port on the LAN is only open to local devices. So if the device you install ARC on is on the LAN, it will work. If it’s outside the LAN, it won’t, unless you also do port forwarding (on the router).

1 Like