Is UPnP for ARC safe?

Details depend on your router, its manual should explain it step by step. And usually there are tutorials on the internet if you search for port forwarding and the router model.

But in general there will be a router settings page for internet permissions. In the Roon settings under Roon ARC, look up the IP address that your Roon Core uses, and the ARC port number. Then create a new port forwarding rule on the router’s internet permissions page with these settings:

  • Forwarding the external port using the number that you see in the Roon ARC settings
  • Forward it to the Core’s IP address that you see in the Roon ARC settings, using the same port number again
  • Use the TCP protocol (not UDP)
  • On some routers, you may have to tell it to always assign the same IP address to the Core. (This is usually in local network settings for DHCP, something like “reserve IP address”). Many good routers will do this automatically, or they will let you choose the Core by name in the port forwarding rule, instead of by IP address, which makes the IP address irrelevant.

This may complicate things because, depending on the modem, you may need to configure one port forwarding rule from modem to router and another one from router to Core.

2 Likes

I suppose the model number should be printed on a tag on the router, but probably this helps:

(By the way, this page mostly deals with port forwarding for game consoles. As you can see, any PlayStation or Xbox uses port forwarding and does so by UPnP if the router allows. It’s not some nefarious thing that only Roon uses)

For what it’s worth I had to set up manual port forwarding for a different app.
I had no idea what that even means but I managed to figure it out with minimal gnashing of teeth.
There are some very knowledgeable and helpful people in this thread who will help.

Thanks guys. That’s a lot for a simple peddler to take in. It’ll be end of the week before I can do anything more. Router and modem aren’t really accessible, so that’s a project to even look at them. I still maintain that this is a lot for the average joe to have to do to use a consumer product. Nothing I’ve ever set up before has ever required all this network stuff - printers, scanners, Sonos, Smartthings, Alexa, thermostat, Simplisafe, probably others. Mostly just turn 'em on and they work. Very hard for the layman to understand why ARC is so hard. Maybe not meant for the average consumer.

2 Likes

I appreciate your point but I think it’s because the things you mentioned (usually) aren’t accessed from outside your home network.

Actually several of them are. Security system, smartthings, thermostat etc. All via phone apps

Ah. Your earlier point is well taken then.

So you have IoT devices on your network already and yet you’re more worried about ARC and security when you have devices that are open themselves to the world on standard http web ports.

These devices are as much of a security risk as opening up your router to ARC. Using these you are allowing the manufacturer’s cloud service to access your device at home; the app doesn’t connect directly to your home, it goes to their cloud service and it talks securely to the box at home.

IoT devices open outgoing connections to cloud servers, often using common ports. This is hugely different than opening an incoming port, which allows ANYBODY on the internet to connect to your Roon server. Sure Roon has authentication to stop them getting further, but that doesn’t stop any hacker from attempting to crack the authentication. Or they could simply flood your server with connection requests thereby bringing your core to its knees (aka denial of service attack). It’s a real pity Roon didn’t opt for a zero config VPN option like Tailscale for ARC.

If you ever wanted to use a home printer when you are in a different network, very similar things would be necessary (actually more complicated). Same for most of the other things.

An internet-connected thermostat typically does not need an open port because it uses different solutions, but note how it can make itself be accessible from the internet without any UPnP or open ports - like I said, once a device is on your network, it can already do what it wants, UPnP or not, so the fear of UPnP is exaggerated.
(But the solutions used by these IoT devices are not really usable for ARC - ARC must be able to stream large amounts of data from your core, something that IoT devices don’t have to do)

1 Like

Fair enough. I’m getting something of an education on security, not something I really wanted to do but I appreciate all your efforts. I googled UPnP and saw the stuff that sent me down this path because Roon help indicated I needed it to use ARC. At the core my beef seems to be that I’m forced to educate myself on all this networking stuff in order to use what is at the end a consumer product. I’m just a music lover. I’m a chemical engineer not software or systems or networking and don’t really have much interest. It seems that Roon will lose people like myself as ARC customers, which lessens the hold they have on customers. Doesn’t seem like a good business decision. Thanks everyone for your help.

1 Like

There’s also a fair amount of confusion caused because in the past UPnP was used by some idiotic router manufacturers as a router configuration interface that was accessible from the internet, which was a spectacularly bad idea. UPnP is not designed for that, it’s expected to be only accessible from a local, trusted network. So some security articles were written based on this premise, but many people read only down to “don’t use UPnP …” and not farther until the important part, “… to make the router config accessible from the internet”. 🙂

1 Like

What is required for ARC is a port forwarding rule. It is this rule which opens the port. UPnP is not a requirement.

UPnP is just one way to set up the rule, setting it up manually is another. I don’t have UPnP on in my router. I set up my ARC port forwarding rule manually.

4 Likes

For the majority, UPnP just works, and no user intervention is needed. Indeed, Universal Plug ‘n’ Play was designed to make it easier to set up games consoles and media servers.

I guess you could say UPnP is a little like leaving a key in a window in your home. However, this can only be exploited if someone has already gained entry to your house! Or in this sense, a Trojan has infected a PC on your network. So, I don’t think UPnP is inherently unsafe if your network router and connected devices are maintained and up-to-date.

Incidentally, when I first used Roon ARC, I’d recently changed ISP and was [initially] using their stock router. ARC simply worked out of the box. However, when checking UPnP settings in the router, I noted that another device had used this, too, without any disclosure.

Personally, I prefer to disable UPnP, and manually set port forwarding rules. However, that’s not because of concerns with UPnP, but rather, anyone else jumping on my home network, e.g., family visitors, and members who pose a greater security risk in their behaviour… weak passwords, clicking on links without understanding what they’re doing etc.

4 Likes
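Two things in this thread lend themselves to a small script: the manual rule described earlier (external port = internal port = the ARC port, TCP, forwarded to the Core’s IP) and the observation just above that a router with UPnP enabled may already hold mappings another device created without telling anyone. The following is an added example, not code from Roon or from anyone in this thread. It lists the mappings a UPnP Internet Gateway Device router holds using the standard `GetGenericPortMappingEntry` action of the `WANIPConnection:1` service, and reports anything that is not exactly the ARC rule. The Core IP, ARC port and the router’s control URL are placeholders you would replace with the values from Roon Settings > Roon ARC and from your router’s device description; the two SOAP responses embedded at the bottom are constructed so the audit runs offline.

```python
"""Audit UPnP IGD port mappings against the single rule Roon ARC needs (added example)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

EXPECTED_CORE_IP = "192.168.1.50"  # placeholder: use the Core IP shown in Roon ARC settings
EXPECTED_ARC_PORT = 55000          # placeholder: use the port shown in Roon ARC settings
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    internal_port: int
    internal_client: str
    protocol: str
    description: str
    enabled: bool


def build_get_mapping_request(index: int) -> bytes:
    """SOAP body for GetGenericPortMappingEntry, which returns the router's mapping table one index at a time."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ).encode()


def parse_mapping_response(soap_xml: str) -> PortMapping:
    """Parse one GetGenericPortMappingEntryResponse; the argument elements carry no namespace."""
    root = ET.fromstring(soap_xml)

    def field(tag: str) -> str:
        el = root.find(f".//{tag}")
        if el is None or el.text is None:
            raise ValueError(f"response lacks <{tag}>")
        return el.text.strip()

    return PortMapping(
        external_port=int(field("NewExternalPort")),
        internal_port=int(field("NewInternalPort")),
        internal_client=field("NewInternalClient"),
        protocol=field("NewProtocol").upper(),
        description=field("NewPortMappingDescription"),
        enabled=field("NewEnabled") == "1",
    )


def fetch_mappings(control_url: str) -> list:
    """Walk indices 0, 1, ... on a live router until it answers with a SOAP fault (HTTP 500,
    error 713 SpecifiedArrayIndexInvalid). control_url is a placeholder taken from the IGD description XML."""
    mappings, index = [], 0
    while True:
        req = urllib.request.Request(
            control_url, data=build_get_mapping_request(index), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_mapping_response(resp.read().decode()))
        except urllib.error.HTTPError:
            return mappings  # past the last entry
        index += 1


def audit_mappings(mappings, core_ip=EXPECTED_CORE_IP, arc_port=EXPECTED_ARC_PORT):
    """Return (ok, findings). ok only if the ARC rule is present as described in the thread
    (same external and internal port, TCP, to the Core) and no other enabled mapping exists."""
    findings, arc_found = [], False
    for m in mappings:
        if not m.enabled:
            continue
        if (m.protocol == "TCP" and m.external_port == arc_port
                and m.internal_port == arc_port and m.internal_client == core_ip):
            arc_found = True
        else:
            findings.append(f"unexpected {m.protocol} {m.external_port} -> "
                            f"{m.internal_client}:{m.internal_port} ({m.description!r})")
    if not arc_found:
        findings.append(f"no TCP {arc_port} -> {core_ip}:{arc_port} mapping for ARC")
    return not findings, findings


# Constructed sample responses (not captured from a real router): the ARC rule, plus a
# mapping some other device on the LAN added through UPnP.
SAMPLE_RESPONSES = [
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
    '<NewExternalPort>55000</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>55000</NewInternalPort>'
    '<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>Roon ARC</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
    '<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>'
    '<NewInternalClient>192.168.1.77</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>some-device</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
]

if __name__ == "__main__":
    ok, findings = audit_mappings([parse_mapping_response(r) for r in SAMPLE_RESPONSES])
    print("OK" if ok else "REVIEW:", *findings, sep="\n")
```

Run as-is it audits the two constructed responses and reports the second mapping; to check a real router, replace `SAMPLE_RESPONSES` with `fetch_mappings(<control URL>)`. The same check, done by eye, is what the post above describes: open the router’s UPnP mapping list and confirm the only entry is the ARC rule.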

I wish all routers implemented UPnP like my Fritzbox, where you can enable it for individual devices simply based on their network name (not necessary to find/enter the IP or MAC). Can’t be easier and eliminates this.

3 Likes

Hi @Rex_Noel,

Thank you for reaching out to demystify security concerns with ARC. To summarize what our moderators and other users have posted, there’s no risk posed by using ARC out-of-the-box for its intended use cases.

The thread listed above contains more thorough and clarifying posts from more senior developers and staff at Roon. If you require assistance with setting up ARC on your own local network, the tech support team will be happy to respond here. If you’d like to pose further questions concerning UPnP, port forwarding, and network security, we’d be happy to move this to the #software section.

1 Like