A message from the Roon founders

It is the end user’s responsibility to configure their own router. If you are concerned about what UPnP may be doing, or with Roon’s (or any other company for that matter) decision to utilize it, turn it off.

4 Likes

My understanding was that the Roon software opens the port itself. If that is not true then I’d retract my statement. If it is true then I stand behind it.

Roon server opens the port on the local machine and then uses UPnP to request that the router open the port and forward traffic to the Roon server. The UPnP request will fail if UPnP is not present and enabled on the router - in which case the port is not opened on the router.

So, if UPnP is not enabled, and no manual port forwarding rule is created, then your network is no less secure (from an IPv4 perspective) for the port being opened on the Roon Server device.

IPv6 is somewhat different. In principle, if you have IPv6 enabled and your ISP supports it (or you get IPv6 connectivity some other way - e.g. Hurricane Electric 6in4 tunnel) your Roon server will be given an IPv6 address which is routable - meaning that the Roon Server (and any other device on your network that supports IPv6) can be seen directly from anywhere on the internet.

However, most IPv6-enabled routers also implement an IPv6 firewall which will prevent unsolicited connections to devices on your LAN. In this case, in order to get ARC connecting to your Roon server over IPv6 (or indeed support any other connection to a server of any kind on your network), you would need to open a hole in that firewall - often referred to as a ‘pinhole’ - which is the IPv6 equivalent of a port forwarding rule.

1 Like

I set the port to zero but Roon keeps changing it to 55002. A restart of any remote does this.

I’ve turned off UPnP and have no port forwarding set up on my router, so it isn’t getting anywhere. A switch to make ARC go away in Roon would be good.

4 Likes

Thank you for the explanation. So it sounds like it is a mix of settings we may control on our router and things Roon automatically does.

I suggest that if the Roon software does anything in terms of changing router configuration, that should (1) be made very clear to users - doesn’t Roon claim to be usable by ordinary people? and (2) should just ask before it does it. I understand UPnP is designed to react to Roon’s configuration instructions, but still, I think it is problematic. My understanding is that Plex asks before it opens up your home network.

Yes, this is what I see as well. That seems to me to be a fairly big programming issue.

In effect, I shouldn’t have to change my router settings to protect my network. Roon shouldn’t be doing anything with the router without more control-ability.

2 Likes

There is nothing going anywhere anyway. Opening a port is just listening for a connection on that port. It is not transmitting anything. If nothing external (ARC) tries to connect, it will just listen indefinitely with no traffic and no connection established to any other device. When there is a connection request, a connection is established and used to authenticate the connection in some form. If that authentication fails the connection will be closed and no further traffic will flow.

Whilst an open port exposed to the internet is a security vulnerability, a well designed service will use authentication methods and checks that make a practical security risk very small.

1 Like

Even if Plex does ask before opening ports on the router, and even if Roon Server was changed to do the same, can you be sure that every other program you are running on any of the computers on your network is doing the same? Some routers enable you to see what ports have been opened by UPnP requests - many don’t. If you have one of the latter, how do you know what ports are open or not?

If you want to lock down your network, then you should disable UPnP on the router.

I would contend that simply fixing what appears to be a bug with the port 0 setting getting reset would be good enough. There should not be a need for any further controls.

1 Like
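Added example, not part of any post in this thread: one way to see which forwards UPnP has created on a router is to list its port mappings with a UPnP client and compare them against what you have approved. The sketch below parses a listing in the layout printed by miniupnpc's `upnpc -l`; the sample rows, addresses, descriptions and the allowlist are constructed for illustration, and the exact column layout is an assumption.

```python
import re

# Constructed sample modeled on the port-mapping listing printed by
# miniupnpc's `upnpc -l`; addresses, ports and descriptions are made up.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 55002->192.168.1.20:55002 'Roon ARC' '' 0
 1 UDP 3074->192.168.1.45:3074 'game console' '' 3600
 2 TCP 8080->192.168.1.77:80 'cam' '' 0
"""

# Hypothetical allowlist: (protocol, external port, internal host) tuples
# the network owner has decided to permit.
ALLOWED = {("UDP", 3074, "192.168.1.45")}

ROW = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->([\d.]+):(\d+)\s+'([^']*)'\s+'[^']*'\s+(\d+)\s*$"
)

def parse_mappings(listing):
    """Return one dict per mapping row; header and unparseable lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            proto, ext, host, internal, desc, lease = m.groups()
            mappings.append({"proto": proto, "ext_port": int(ext), "host": host,
                             "int_port": int(internal), "desc": desc,
                             "lease": int(lease)})
    return mappings

def unexpected(mappings, allowed):
    """Mappings not on the allowlist, i.e. forwards nobody approved."""
    return [m for m in mappings
            if (m["proto"], m["ext_port"], m["host"]) not in allowed]

def report(listing, allowed):
    """Human-readable lines for every unapproved WAN-to-LAN forward."""
    lines = []
    for m in unexpected(parse_mappings(listing), allowed):
        lease = "no expiry" if m["lease"] == 0 else f"{m['lease']}s lease"
        lines.append(f"{m['proto']} WAN:{m['ext_port']} -> "
                     f"{m['host']}:{m['int_port']} ({m['desc']}, {lease})")
    return lines

if __name__ == "__main__":
    for entry in report(SAMPLE_LISTING, ALLOWED):
        print("unapproved forward:", entry)
```

An empty listing with UPnP disabled on the router, and no manual forwarding rules, matches the situation described above in which the port is open only on the server itself.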

One can turn off UPnP on the router, but a factory reset of the router would likely result in it being set on again. It is unacceptable that the user has to remember to do this, easy to forget. I agree the security risk is small, but a user who has no intention of using ARC should not have to be exposed to any risk from it. Therefore Roon should have a switch to allow users to turn off ARC from the internet (fine if it’s available locally).

1 Like

Obviously not, albeit I do not run a lot of software that would seem to have a need for such a connection. It’s probably true that my kids use software that does. But at least they don’t have the router password to manually configure anything.

In any case, I don’t think that is much of a defense for Roon in the sense that sure, there may be other software that does unacceptable or inappropriate stuff, but that doesn’t make Roon any better, nor would it make me feel better that there is other software opening ports if a security breach was Roon’s fault.

A good start anyway.

1 Like

Would it be a solution to forbid port forwarding in general for the Roon Core router-wise? My router has such an option, if I am not mistaken.

It might be worth taking a look at this thread from July 22, which discusses the threat (or lack thereof) from using ARC and UPNP. @danny’s response is particularly useful in clarifying why ARC does not pose a security risk.

Yes. 1234567

Obviously there is a difference of opinion on the ARC/port forwarding/UPnP thing, and I would guess those who don’t see a problem are generally the users that use ARC, while those that aren’t happy are those that don’t.
A further question for those that might know. If a router has UPnP enabled, and Roon 2.0 is installed, and the user then disables UPnP on the router, is the port that Roon opened still open? My guess is yes, but it is just a guess. If that is the case I imagine there are a lot of Roon users that are not using ARC but still have an open port.

There will be a port open on the Roon server device but, if UPnP and NAT-PMP are disabled and no port forwarding is set up on the router, then there is no security risk from outside of your own network.

The issue, if there is an issue (and I don’t believe that there is), is not the open port on the Roon Server. It is the open port on the Router.

Just as a comparison, in the UK, we are currently moving to VoIP landlines. If you want a new landline from BT, it will be what BT calls ‘Digital Voice’ which will require more than one port on your router to be opened.

I’m a bit confused by this TBH, I ran a port scanner and the ARC port was indeed open.
Do I understand correctly that if I just install ARC on a device and log into the Roon server in ARC I should be ok because the authentication is set up?

Thanks.

Edit: I should say that I know I can change the port no. to 0 in Roon, but it resets if the NUC reboots, I understand.

Usually your router runs a firewall which keeps computers on the outside, the WAN side, from accessing any computers on the inside, the LAN side. So an open port on the LAN is only open to local devices. So if the device you install ARC on is on the LAN, it will work. If it’s outside the LAN, it won’t, unless you also do port forwarding (on the router).

1 Like

I am more than confused 🙂 I have this in my router:

I assume this is needed to use Roon ARC? Or did I miss something?

THX

Torben

There is still the possibility that you want to enable UPnP on the router (for other devices/services in your network), but don’t want Roon to configure port forwarding. A simple switch to enable / disable ARC would be nice to have.

4 Likes

If you want to use ARC from outside your LAN, say in the car, you need to tell your router to pass connections from the WAN side of the world through to the port on your Roon Server machine. There are two ways to do that. One is to enable UPnP on your router; we all frown on that, because any other device on your LAN can also then forward ports without you knowing about it. The other is to manually enable port forwarding, as you have done here (I think). So, yes, it’s needed to use Roon ARC on the WAN side of the world.

2 Likes

After feeling like an annoying fringe obsessive for years, the new direction reads like a dream. I hope the mandate allows you to take a holistic look at the product experience. I love connecting with my real world collection (~10K?), but I’m ever frustrated connecting with my digital collection (~50K), and it’s making me love music less. Far too much to say on the topic (as I’m looking back on a revised product experience I was mocking up in 2020 to solve my frustrations), but I would say listening to music (for me) is the simplest activity, and the experience via Roon should feel like it. Experience first, features second, is my wish.

1 Like