ARC not working: not able to access Roon server

Roon Server Machine

Mac mini, M2 Pro, 32GB

Networking Gear & Setup Details

  1. Who is your internet service provider?
    China Telecom
  2. Please list the make and model of your modem and router?
    Modem: ZTE ZXHN G7615V2
    Router: UBNT Unifi Dream Machine Pro
  3. Do you have any additional network hardware, like additional routers or managed switches?
    Mac mini as DHCP Server and VPN Server. (Using Surge)
  4. Does your network have any VPNs, proxy servers, or enterprise-grade security?
    Yes, I’m using Surge on Mac mini for VPN.

Connected Audio Devices

Description of Issue -

What is the exact port forwarding error message you see in the Roon Settings → ARC tab?

ARC used to work very well in my network, but it suddenly stopped working one day recently.
Error message:
“ipv4_connectivity”: {“status”:“NetworkError”,“status_code”:502,“error”:“error: Error: connect ECONNREFUSED, response code: undefined, body: undefined”},
“external_ip”: {“actual_external_ip”:“”,“actual_external_ipv6”:“null”,“router_external_ip”:“null”},
“natpmp_autoconfig”: {“status”:“NotFound”},
“upnp_autoconfig”: {“status”:“NotFound”}

Could you tell us a little bit more about your network?

For example, the device that you list as a ‘modem’, the ZTE ZXHN G7615V2, is actually a router so you have two routers in your system. How is this managed? Is one of the routers put into bridge or access point mode? Or are you using double port forwarding?

I assume that the Roon Server is connected to the UBNT Unifi Dream Machine Pro which is in turn connected to the ZTE router.

Does ARC work if you (temporarily) turn off the Surge VPN on the Mac?

Assuming that ARC does not work even when Surge is turned off then:

The diagnostic text says that uPnP and natPmP are not found, meaning that the router that your Roon Server is connected to (assumed to be the UBNT Unifi Dream Machine Pro) either does not support them or has them disabled.

This being the case, if you have had ARC working previously, you must be using explicit port forwarding rules in one or both of your routers. If this is the case, then do you have:

  1. Your Roon Server configured to use a static ip address or a DHCP reservation in the Dream Machine Pro?
  2. Your Dream Machine Pro (assuming the ZTE router is not in bridge mode) configured to use a static WAN side ip address or a DHCP reservation on the ZTE router?

If one or other of the above is not the case, it is possible that the IP address of the Roon Server or the WAN side IP address of the Dream Machine Pro has changed, which would require you to update the port forwarding rules on one or other (or both) routers.

As an alternative to using port forwarding, you could also look at using Tailscale. The use of Tailscale is now a supported configuration and can be used to avoid all port forwarding issues.

There is an article in the Roon Help centre describing how to use Tailscale at:

Thank you for your reply!

  1. My ZTE router is from my ISP. My Unifi Dream Pro gets a static DHCP address from the ZTE router, and my UDP performs as the main router in my setup. The ZTE router is set to DMZ to forward all ports to my UDP. Upnp and natPmP are turned on on my UDP, and the port Roon ARC’s using is also forwarded to the Mac mini, where Roon is installed.

  2. Surge on the same Mac mini is the DHCP server in my setup. It works as VIF and takes over all traffic on my Mac mini and my entire home network. It gets a static IP address from my UDP.

  3. The local IP Roon ARC gets is actually the VIF address of Surge, not the local IP address of my Mac mini.

  4. All of the above is exactly the same situation as before. And Roon ARC worked perfectly under this setup before. (Also, Roon ARC was getting the VIF IP address when it worked before.)

  5. No, ARC does not work even if I turn off the Surge VPN (including the VIF and DHCP Server) on the Mac. And if I do so, I would not even get the diagnostic text. It will only say ‘Roon ARC is not able to connect to Roon Server’.

  6. One clue I can get is in the diagnostic text, the actual ip address session, seems to be my VPN address, not my actual home network public address. But if I turn off the VPN, as I said in 5, it still would not work and I can not even get the diagnostic text.

  7. I will try Tailscale this weekend but I think it may conflict with Surge.

  8. Surge also provides a service called Surge Ponte, it can connect devices to my host device’s local network via its private protocol. But I cannot use ARC even on my local network so it cannot help. Also I tried to use Roon (not ARC) via Surge Ponte, the result is I can connect but I cannot play music on my remote device.

Thank you very much!

Best Regards

I don’t know anything about Surge (and precious little about Apple devices) so I don’t know if I can help further. However, the following thoughts may help:

Is there any device other than the UDP connected to the ZTE router? Any devices so connected will be on a different subnet to the Roon Server connected to the UDP and will not be able to connect to the Roon Server on the local network.

Has the Wifi on your ZTE ISP supplied routers been disabled? It should be. Wifi devices associated to the ZTE router will not be able to interact with Roon on the local network.

On the UDM, I think that, from an ARC operation perspective, you do not need both uPnP/natPmP and a manual port forwarding rule.

OK. So the connection from ARC is to a public ip address assigned to the Surge VIF. How does Surge handle incoming connections? Since it is used to assign (presumably private) ip addresses to your local network, it must be performing some kind of routing functionality. This being the case, does it, itself, need to be configured with a port forwarding rule?

In any event, this would appear to make any ARC related port forwarding settings on the UDM irrelevant.

The ability to allow a device on an external network to connect to another device/network as if it was part of the same network is exactly what Tailscale does so if you cannot use ARC even when connected to your own network, then neither is likely to help. It appears to me that this needs to get fixed first.

With regard to local network operation, does Roon Remote work on the same device?

Are you sure that the iphone, when connected to your home network, is getting an ip address in the same subnet as your Mac Mini Roon Server? If it is not, then this will be the cause of the ARC inoperability on the local network.

With regard to the ability to connect to the Roon Server using Surge Ponte but then not be able to play anything, I may have had a similar experience using Wireguard VPN. On starting Roon Connect on my Phone (Android 14), I can immediately connect to the Roon Server and I can play music on other devices in my home network, but I cannot see the phone as an endpoint. If I left Roon Remote running but inactive on my phone, it would eventually (after 10-20 minutes) pick up the phone as a selectable endpoint - at least usually - and I could play music. I believe it is a limitation of the way that this kind of VPN works.

By contrast, using an OpenVPN TAP VPN (server hosted on my router), which works at a lower layer in the networking stack, fully supports broadcast traffic over the VPN and provides full network bridging, Roon Remote on my laptop (running a TAP mode OpenVPN client connection) is able to work and play music with no such delays. Unfortunately, running a TAP VPN client on an Android phone is not possible without rooting the phone and I suspect it is equally problematic on an iPhone.

I think I figured out what’s going on.

I checked the traffic through my network and I found that, if I turn on Surge for Roon, it cannot get my actual public IP address which should be 218.xx, it will only get the VPN IP address. And if I turn off Surge for Roon, every connection from Roon client to would fail, and it will not be able to connect to Roon server at all. In that case, I cannot connect to ARC even in my local network since it cannot connect to Roon server.

So the thing is, it seems like you are using connections to to get my actual IP, but it’s somehow blocked by my ISP. So I can only connect it via VPN but in that case it would only get my VPN’s IP.

Is there any workaround to manually set my home IP address? I do have a DDNS setting that points to my home network.

Thank you very much!

I checked the traffic through my network again and I found something further:

The Roon app is trying to connect to 2 LAN addresses all the time: and And all of these connections failed.

This is weird because neither of these is my LAN address. My UDP LAN address should start with 192.168.17.x, and I confirmed that I’ve set the subnet mask to Also, the ISP’s router’s LAN address should be 192.168.71.x, so it’s not the ISP’s router’s LAN address either.

Do you have any clue about these connections? Is there any service in Roon uses port 9200 as default?

Thank you for your help!
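
The three checks raised in this thread (client and server on the same subnet, a second NAT in front of the Dream Machine Pro, and a reported external IP that is not the home address) can be run with Python's `ipaddress` module. This is an added example, not part of any post; the function name, the finding labels, the /24 prefix and every concrete address are constructed assumptions (the thread gives only 192.168.17.x, 192.168.71.x and 218.xx).

```python
import ipaddress

# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def arc_path_findings(server_ip, client_ip, lan_prefix, inner_wan_ip,
                      reported_external_ip, expected_public_ip):
    """Hypothetical helper: list what would stop a client reaching the server."""
    findings = []
    lan = ipaddress.ip_network(lan_prefix, strict=False)
    if ipaddress.ip_address(server_ip) not in lan:
        findings.append("server-outside-lan")
    # A client on the upstream router's LAN cannot see the server locally.
    if ipaddress.ip_address(client_ip) not in lan:
        findings.append("client-on-different-subnet")
    # A non-public WAN address on the inner router means another NAT sits
    # upstream, so a forward (or DMZ) is needed on that device as well.
    wan = ipaddress.ip_address(inner_wan_ip)
    if any(wan in net for net in NAT_RANGES):
        findings.append("double-nat")
    # An empty value matches the "actual_external_ip" field in the diagnostic.
    if not reported_external_ip:
        findings.append("external-ip-unknown")
    elif (ipaddress.ip_address(reported_external_ip)
          != ipaddress.ip_address(expected_public_ip)):
        # The server's outbound traffic leaves through a different address
        # (for example a VPN exit) than the one the port forward lives on.
        findings.append("egress-mismatch")
    return findings

# Constructed sample: server behind the inner router, phone on the ISP
# router's Wi-Fi, documentation-range addresses standing in for public IPs.
SAMPLE = dict(
    server_ip="192.168.17.10",
    client_ip="192.168.71.23",
    lan_prefix="192.168.17.0/24",            # prefix length is an assumption
    inner_wan_ip="192.168.71.2",
    reported_external_ip="203.0.113.50",     # stand-in for a VPN exit address
    expected_public_ip="198.51.100.7",       # stand-in for the home address
)

if __name__ == "__main__":
    print(arc_path_findings(**SAMPLE))
```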

I’m sorry but I have run out of ideas. I think you may have to wait until Roon @support get on the case - if indeed they are prepared to help. They may consider such a VPN setup to be ‘tinkering’.

You may get more help from others by posting in Tinkering where other forum members with similar setups may be able to help.

I am also a user of China Telecom in China, and recently there has been a ventilation issue with ARC. I will first use Surge to redirect api.roonlabs.net to Hong Kong, and then switch the diversion to DICT later. Go ahead and refresh the ARC connection again, it will become ready. Then switch back to Hong Kong. Wait until the next PPPOE refresh IP for about 3 days. We need to do it again. So I didn’t understand. Is it difficult to develop an interface that allows users to input their own roon core address and port?
