Consumer ISP routers and DMZ

I had this a while back but I got it before serious damage was done. They targeted WAV over FLAC and jpegs. It happened because ARC was incorrectly configured. If it isn’t done correctly it is a route through your router’s firewall.

To be clear, it happened because the network was incorrectly configured. It’s been said here numerous times to not create a DMZ to get Arc working. Forwarding all inbound traffic to a single host is a very bad idea too.

4 Likes

And guess whose experience that advice is based on. :wink:

1 Like

Routers that call an exposed host configuration a DMZ or DMZ-Host deserve to be called out so users can avoid them. This dangerous practice (incorrect naming of potentially unsafe functions with terms that have a positive connotation in popular belief [deceptive naming] without giving clear descriptions of what the functions are designed for and instructions on how to use them in a safe way [without endangering end-user security]) even deserves to be banned legally IMHO.

What is a real DMZ configuration: [diagram]

5 Likes

It’s a crime to rob a house. It’s not a crime to leave it unlocked.


Also: Deserves to be means that it isn’t the case now (sadly) and IMHO means I’m giving my opinion.

1 Like

DMZs play a big part in securing data, networks and hosts. Just because something is referred to as a DMZ doesn’t mean that there are no rules in place to get access.

1 Like

No one denied that.

I have no clue what you are trying to tell here.

PS: There is a definition for what a (real) DMZ is. Labeling functions as DMZ that do not fulfill the definition is at least deceptive (and may even be perceived as fraudulent) and endangers end-user security (obviously).

2 Likes

It is on the network administrator to secure the hosts on the DMZ.

In a real DMZ the hosts are protected by the border firewall and only selected (and hopefully sufficiently secure(d)) protocols are made publicly accessible.

This is not true for exposed hosts that receive all incoming traffic not directed at other machines.

Most home users are neither network administrators nor security specialists. Products aimed at such users should account for that. Mislabeling functions does not help with this.

PS: Most users are incapable of configuring/securing a bastion host, and the few who are will probably not go through this effort for a home network, and no one in their right mind would place such a machine inside the “secure” local LAN.

2 Likes

Ignorance is no excuse; in fact I would challenge that no one in their right mind would put an unfiltered/unprotected host on an internet connection. At the minimum it would be protected with internet security products that are bundled with the operating system. We both know that is not enough though in reality, and the right thing to do, if using a DMZ configuration, is to put the hosts behind a firewall.

This is usually given in a real DMZ configuration (hosts behind a firewall-router), no separate/additional measures needed to achieve that.

I’d say that the average consumer of broadband products wouldn’t have a clue what you’re talking about. And, I believe this is the point @BlackJack was making.

I’m mindful that this particular part of the discussion is going off topic, so may move into another thread, so as not to confuse the OP.

2 Likes

And the way of implementing that with a consumer grade router is to stand up an internal router/firewall and expose it to all inbound traffic. That is the way that I have to do it in my house because my ISP locks me into using their hardware. I don’t have any other options available to me, and you’re suggesting making that illegal!

What is the proper way to configure a Nucleus/Roon Core on a private network to prevent issues? If you block access to all Internet inbound traffic, then it doesn’t work for getting content from a streaming source like Qobuz. Thanks.

No, I think that it should be illegal to name something DMZ if no DMZ is included/contained (deceptive naming). Manufacturers should just name it what it is (exposed host) or what it is for (router 2, inner router) and give users a clear description what it is for and how it can be used in a secure way.

Most routers have sane default firewall rules, which is:

  1. Allow established connections
  2. Block all incoming traffic

To play content from Qobuz, your core on the local network will reach out to Qobuz and establish a connection, which the router firewall normally lets through.

Usually it’s when users deviate from the default rules that things get messed up.
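The three inbound policies this thread contrasts (the sane default of "allow established, block the rest", a single port forward of the kind Roon ARC needs, and the so-called "DMZ host" that hands all unsolicited traffic to one machine) as an added toy simulation; this is not code from any poster or from Roon, and every address and the ARC port number are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders, not real addresses or Roon's actual port numbers.
LAN_CORE = "192.168.1.20"   # hypothetical Roon Core / Nucleus on the LAN
STREAM_IP = "203.0.113.10"  # hypothetical streaming service (TEST-NET-3 range)
ARC_PORT = 55000            # hypothetical port chosen for the Roon ARC forward

@dataclass(frozen=True)
class Packet:
    src: str        # remote address the packet comes from
    src_port: int
    dst_port: int   # port on the router's public (WAN) address
    syn: bool       # True = new connection attempt, False = part of an existing flow

class ToyRouter:
    # Policies: 'default' = allow established, block the rest; 'port_forward' = default plus
    # chosen ports to chosen hosts; 'exposed_host' = the so-called "DMZ host": all unsolicited
    # inbound traffic is handed to one LAN machine.
    def __init__(self, policy, forwards=None):
        self.policy = policy
        self.forwards = forwards or {}   # dst_port -> LAN host, used by 'port_forward'
        self.flows = set()               # (remote_ip, remote_port, lan_host) opened from inside

    def outbound(self, lan_host, remote_ip, remote_port):
        # A LAN host connects out; the router records the flow so replies count as established.
        self.flows.add((remote_ip, remote_port, lan_host))

    def inbound(self, pkt):
        """Return the LAN host the packet is delivered to, or None if the router drops it."""
        for remote_ip, remote_port, lan_host in self.flows:   # rule 1: allow established
            if (pkt.src, pkt.src_port) == (remote_ip, remote_port) and not pkt.syn:
                return lan_host
        if self.policy == "default":                           # rule 2: block unsolicited
            return None
        if self.policy == "port_forward":
            return self.forwards.get(pkt.dst_port)
        if self.policy == "exposed_host":
            return LAN_CORE
        raise ValueError(f"unknown policy {self.policy!r}")

def where_packets_land(policy, forwards=None):
    # The Core first opens a stream to STREAM_IP, then three packets arrive at the WAN side.
    r = ToyRouter(policy, forwards)
    r.outbound(LAN_CORE, STREAM_IP, 443)
    stream_reply = Packet(STREAM_IP, 443, 50123, syn=False)         # reply to the Core's own connection
    arc_client = Packet("198.51.100.8", 40001, ARC_PORT, syn=True)  # remote Roon ARC client connecting in
    probe = Packet("198.51.100.9", 40002, 445, syn=True)            # unsolicited connection to SMB (445)
    return {"stream_reply": r.inbound(stream_reply), "arc_client": r.inbound(arc_client),
            "unsolicited_445": r.inbound(probe)}
```

Under all three policies the stream reply reaches the Core, which is why Qobuz works without any router changes; only 'exposed_host' also delivers the unsolicited port 445 packet to the Core, while a single forward of ARC_PORT admits the ARC client and nothing else.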

Welcome to the Roon community, @Steven_Musso.

Roon works just fine without any configuration of a router, i.e., no additional ports need to be opened. Qobuz and TIDAL stream fine without any intervention.

However, if you’re referring to Roon ARC, then port forwarding is necessary. This can be done automatically with UPnP or manual port forwarding, as described in the help guide.

1 Like

This topic has caused me a bit of concern, mostly because I’m not very networking-savvy. It would be nice if someone would (or did) write a “Roon Nucleus Internet Security for Everyday Users.”

Perhaps someone could assure me that I’m not too vulnerable.

I have an ISP-supplied modem/router. Not much that I can do with that. Hardwired ethernet to this, I have a Linksys Velop mesh network base node. My Roon Nucleus+ is hardwire ethernet to that base node. So, I have two WiFi networks available (one from the modem, one from the Velop), but use Velop for Roon. This is because I cannot arrange a hardwired connection from my cable drop point to the room where my main stereo lives. Streaming from Roon Core – physically connected to the base node – hops to a mesh node sitting on my stereo rack.

I run Sophos Home security for antivirus, web protection, anti-ransomware, etc. Both WiFi networks have unique and strong passwords. We practice tight OpSec in terms of phishing, SPAM, and phone call requests, and NEVER click on links we don’t know. Backups done, etc. At this point, I’ve done about everything that I know how to do in terms of Nucleus network security.

Oh, and I do not run Roon ARC.

Is this enough?

Thank you

1 Like

In a nutshell, yes.

2 Likes