ARC & Tailscale complete beginner

I have a ROCK NUC that enabled me to use ARC without problem (TP Link router and DECO mesh network). BT Broadband.

I got this working thanks to good advice here.

We recently had to change to BT Homehub 2 due to the digital phone requirement.

I couldn’t get ARC to work. I updated my ROCK to use Tailscale thinking that would be easiest.

I followed the instructions and set my port to ‘0’, and get the below error.

{
“ipv4_connectivity”: {“status”:“NetworkError”,“status_code”:504,“error”:“error: Error: ETIMEDOUT, response code: undefined, body: undefined connected? undefined”},
“external_ip”: {“actual_external_ip”:“5.aaa.bbb.ccc”,“actual_external_ipv6”:“null”,“router_external_ip”:“192.168.1.100”},
“status”: “status”: MultipleNatFound
,
“natpmp_autoconfig”: {“status”:“NotFound”},
“upnp_autoconfig”: {“server_ip”:“192.168.68.1”,“found_upnp”:true}
}

On my Android phone via ARC on the home network I find the cloud but not the Roon Server.

I turned off port forwarding on the Mesh and none was set on the BT Box.

Any help would be much appreciated.

Chris

Firstly, you mention that you have tried Tailscale. If you have configured this correctly and it allows ARC to work when using either a cellular connection or a remote wifi network, this is all that needs to be done. With Tailscale in use, you can ignore the Roon → Settings → ROON ARC connectivity status. It is totally irrelevant because it pertains only to port forwarding and the whole point of using Tailscale is to avoid the use of port forwarding.

With regard to the port forwarding setup (if you wish to avoid using Tailscale), there are two significant pointers in the above diagnostic text:

“router_external_ip”:“192.168.1.100”

“Status”: MultipleNatFound

The second tells us that there are two layers of NAT (Network Address Translation).

The first tells us that the WAN (external) ip address of the router to which the Roon Server machine is connected is 192.168.1.100 which is:

  1. On a different subnet to your Roon Server (192.168.68.1)
  2. Is also a private ip address (meaning that it is not one that is issued by your ISP).

Between the two of these, we can be pretty confident that the cause of the issue is the presence of two routers on your home network.

You mention that you are using BT broadband and you have the ‘BT box’ - presumably their Home Hub device - and a TP Link Router with a DECO mesh network.

Unfortunately, as you use the BT Digital Voice home phone service, you can’t remove the BT Home Hub. This leaves you with a couple of options:

  1. Set the TpLink router into ‘access point’ mode. This will prevent it from providing router functionality (including NAT) but should still allow your DECO mesh network to operate. However, it will mean that all of your network security firewalling will be provided by the BT home hub.

  2. Configure manual port forwarding on both routers. You will have to use manual port forwarding because your Roon Server connected to the TpLink router cannot use uPnP to configure both the TP Link router and the BT Home Hub and the network connectivity tests employed by the Roon Server will not work with two routers in play.

If you opt for the second solution above, then you will need to:

  1. On both routers disable uPnP
  2. On the BT Home Hub, configure a manual port forwarding rule to forward TCP connections on the configured ARC port to the ip address of the TP Link Router (192.168.1.100).
  3. On the BT Home Hub, if you can, configure a DHCP address reservation so that the TP link router is always issued with the same ip address (192.168.1.100).
  4. On the TPLink Router, configure a port forwarding rule to forward TCP connections on the configured ARC port to the ip address of your Roon Server (as seen on the Roon → Settings → Roon ARC page next to the ARC port setting).
  5. On the TPLink Router, configure a DHCP address reservation so that the Roon Server machine is always issued with the same ip address.

Points 3 and 5 above are simply a precaution to prevent the critical ip addresses changing (if, for example, your devices are powered down for significant periods). Otherwise, if the ip address of the Roon Server or the WAN side ip address of the TP link router changes, then the port forwarding rule on the relevant router would have to be updated to reflect that changed ip address. DHCP reservations are preferable to static ip addresses (which could also be used) because they cause fewer issues if, at a later date, a network subnet in use is changed (if, for example, a router is changed).

2 Likes
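The reading of the diagnostic described above, as an added example (not part of the original posts and not Roon's code): it pulls the addresses out of a constructed report of the same shape and flags a private or carrier-grade-NAT WAN address. The function names, the /24 LAN mask and the reading of `server_ip` as the nearest router's LAN address are assumptions; the CGNAT check goes beyond the case in the thread.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT

# Constructed sample shaped like the report in the thread (curly quotes, stray
# "status" line); 203.0.113.10 is a documentation placeholder address.
SAMPLE = '''{
“external_ip”: {“actual_external_ip”:“203.0.113.10”,“actual_external_ipv6”:“null”,“router_external_ip”:“192.168.1.100”},
“status”: “status”: MultipleNatFound
,
“upnp_autoconfig”: {“server_ip”:“192.168.68.1”,“found_upnp”:true}
}'''

def field(report, key):
    """Pull one quoted value out of the report, which is not valid JSON."""
    text = report.replace("“", '"').replace("”", '"')
    m = re.search(r'"%s"\s*:\s*"([^"]*)"' % re.escape(key), text)
    return m.group(1) if m else None

def classify_wan(addr):
    """Classify the address a router was given on its WAN side."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    return "cgnat" if ip in CGNAT else "public"

def diagnose(report, lan_prefix=24):
    """Return (wan_kind, findings); lan_prefix is an assumed home-LAN mask."""
    wan = field(report, "router_external_ip")
    gateway = field(report, "server_ip")
    public = field(report, "actual_external_ip")
    kind, findings = classify_wan(wan), []
    if kind == "private":
        findings.append(f"WAN address {wan} is RFC 1918: another router is upstream")
    elif kind == "cgnat":
        findings.append(f"WAN address {wan} is in 100.64.0.0/10: the ISP is doing NAT")
    if wan != public:
        findings.append(f"WAN address {wan} is not the address seen from outside ({public})")
    lan = ipaddress.ip_network(f"{gateway}/{lan_prefix}", strict=False)
    if ipaddress.ip_address(wan) not in lan:
        findings.append(f"gateway {gateway} and WAN address {wan} are on different subnets")
    return kind, findings

if __name__ == "__main__":
    for line in diagnose(SAMPLE)[1]:
        print(line)
```

The explicit RFC 1918 list is used instead of `ipaddress`'s `is_private`, which also returns true for documentation ranges such as 203.0.113.0/24 and so would misclassify the placeholder.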

Hi @Chris_Speed ,

@Wade_Oram is correct here and has provided some great suggestions on how to proceed with this issue. Please give those a try and if you still experience issues afterward, let us know where exactly you got stuck and we can assist further. Thank you (and a big thanks for the detailed response @Wade_Oram )!

Thank you @Wade_Oram for a very detailed and helpful response.

I would like to make use of the Tailscale and I have a feeling I’ve not got that set up correctly.

I can see my phone and my ROCK and it says I’m connected. There is a red exclamation mark by the word connected which, when I click it, tells me the London relay server is unavailable.

Chris

To see whether or not you have Tailscale configured correctly, turn off WiFi on your phone and then run ARC.

Does it work correctly or does it report that ARC is operating in offline mode?

Maybe you could post a screen capture of your Roon ARC settings page like:

The two green connectivity dots in the image above tell me that ARC connectivity is good.

Could you also post a screen capture of the ‘red exclamation mark’ that you referred to above.

Really appreciate your help with this.

Hoping the image loads.

The error on Tailscale seems to have gone now.


You may want to edit or remove the image of the WebUI page because it shows the email address that you use for your Tailscale account. (Edit: One of the moderators has done it for you :wink: )

In the first image, ARC is showing that it cannot connect to your Roon Server. I don’t use Tailscale so I can’t say whether that is normal or not (ie whether or not it just pertains to the port forwarding connection).

Does ARC now work?

No, I still can’t get it to work unless I switch on the DMZ option… I don’t think that is a good plan or solution.

Whilst not ideal, putting the TpLink router in the DMZ of the BT Home hub is not a major security concern. It just means that you have removed any network security offered by the BT Home Hub but you still have all of the security offered by the TpLink Router.

What you do not want to do, however, is put the Roon Server in the DMZ of the TPLink Router.

With regard to the use of Tailscale, if you have set it up correctly, you do not need to put any device in a DMZ or set up any port forwarding. If ARC is not working with Tailscale, then you have not completed the Tailscale configuration correctly. Have you installed Tailscale on your phone as well?

See general guide to Tailscale:

And the installation instructions specifically for Nucleus and ROCK devices :

This is really kind.

I am going to call it a day today and try rereading and setting up tomorrow.

Thanks again.

Hi @Chris_Speed,

Just for due diligence - we see two Android devices with ARC installed that are associated with your account. What is the specific phone with which you’re having this issue?

Hi Connor. One device was my tablet (now removed tailscale from it).

My Phone is a Pixel 8.

Chris

Hey @Chris_Speed,

I wanted to check in and see if the information @Wade_Oram shared above was helpful in getting Tailscale up and running properly?

Let us know your status, and if you’re having any additional issues! :raised_hands:

Sorry for the delay in responding.

I have just come back to this. I have no idea why, but I took off the DMZ option, logged into Tailscale and it seems to be working fine. Maybe it needed a rest from my fiddling. Many thanks Wade_Oram. Very appreciative of all your help.

Chris

Hi @Chris_Speed,

Diagnostics from ARC confirm that it can reach through the server at a Tailscale IP address. We’re glad to hear the workaround is functioning as expected now.

For due diligence and security, I’d just double-check that everything on your network is behind the active firewall and no longer in the DMZ.

Please reach out if anything else comes up by creating a new topic thread. Thanks!