Port Forwarding Setup on Dual Router With Modem Network (ref#YL95J0)

What’s happening?

· I'm having trouble with Roon ARC

What best describes your issue with ARC

· Other

Describe the issue

Port forwarding on dual router to modem network

Describe your network setup

I use a modem and have 2 routers connected so that I use 2 separate networks. This is so that IoT and other non private stuff goes on one network and my private stuff goes on another. Each network has separate IP addresses. I want to use ARC, but only on the non private network so that the private network remains secure. The non private router does not allow for UPnP but does allow for Port Forwarding. The modem allows for both UPnP and Port Forwarding. So my question is how can I use ARC on the non private network (cause UPnP and Port Forwarding are both insecure) but keep the private network secure? Thanks in advance for any help.

Am I to understand that you have a configuration something like:

Modem <------------> Non Private Router <-------------------> Private Router
                         |                                        |
                      Non Private network                       Private Network

or (if the Modem and the non-private router are the same device)

Modem / Non Private Router <-------------------> Private Router
               |                                        |
       Non Private network                       Private Network

And that your Roon server is on the ‘Private Network’?

I am a little confused because you talk about a modem and two routers - but then you talk about port forwarding on the modem. Normally a modem is a bridge device and port forwarding is not relevant.

If either of these is the case, you only have two options:

  1. Use port forwarding on both routers
  2. Use a free Tailscale (or similar) VPN solution to configure a virtual private network with your Roon server and your ARC device in it.

Whilst, technically, the first solution is a security weakness into your private network, the weakness is exceedingly small. Whilst the ARC port would be open for any internet side computer to connect to, the security protocols on that port within the Roon Server itself will mean that bad actors are unlikely to be able to exploit the open port. In principle, there is less risk with explicit port forwarding on both routers.
In any event, in this scenario, UPnP cannot be used to set up the Roon port forwarding because it has no mechanism to open the port of the ‘non private router’ and the configuration checks on the ‘private router’ may well fail because of the presence of the ‘non private router’.

The second solution, Tailscale, now appears to be an officially sanctioned (I don’t know about supported - it still references a how-to in tinkering) solution. See:

The post in tinkering referenced by the above announcement can be found at:

And finally, this references a help centre article on the use of Tailscale at:

Hi Wade.
Thanks for the detailed reply, much appreciated.

Looks like I did not explain sufficiently well (I am not a tech) - the two stand alone routers are each connected to the independent modem separately via two of the ethernet connections on the modem (Billion 8900X R3). There is no connection between the two routers outside of whatever may happen inside the modem.

Modem <--------------> private router
<--------------> non private router <-------------> Roon server

So I have two separate networks - one private and one not private each with different IP ranges.
I want to access the Roon server which is on the non private network without jeopardising the security on the private network. The non private router cannot be configured for UPnP, only port forwarding.
I assumed that if I opened a port on that router that I would need to do the same on the modem?
Tailscale looks on the surface that it may help, but first I need to try and understand it all! Is that correct?
Thanks again.

Your Billion 8900X R3 is actually a router as well as a modem so you actually have three routers in your home network.

This being the case, as far as the Roon setup is concerned, you are actually using a setup like:

Modem / Router <-------------------> Private Network 

and the presence of the third router, the one providing the non-private network, is irrelevant.

This being the case, everything I said in my first post about the two solutions still applies except that where I talked about the ‘non-private router’, it should have been the ‘modem/router’.

You either need to:

  1. Use Tailscale (2nd solution) or
  2. You need to add a TCP port forwarding rule to your modem/router to forward the ARC port to the WAN side IP address of the private router and a TCP port forwarding rule on the private router to forward the ARC port to the Roon Server.

Unless you re-architect your network, there are no other solutions.

No matter what you do, without the use of Tailscale, you must present the open TCP port of the Roon Server to the Internet in order to allow ARC to work.

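The two-rule chain described in the reply above can be checked on paper before touching either router. The following is an added example, not code from the thread or from Roon; the `Router`, `Forward` and `trace` names, every address, and the port number are constructed placeholders. It follows an inbound connection hop by hop and reports where a rule is missing or points at the wrong address.

```python
import ipaddress
from dataclasses import dataclass, field

ARC_PORT = 55000  # placeholder: use the port shown in Roon's ARC settings

# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

@dataclass(frozen=True)
class Forward:
    proto: str      # "tcp" or "udp"
    ext_port: int   # port the router listens on (WAN side)
    to_ip: str      # LAN-side address the router rewrites to
    to_port: int

@dataclass
class Router:
    name: str
    wan_ip: str
    lan_net: str
    forwards: list = field(default_factory=list)

def behind_upstream_nat(router):
    """A NAT-range WAN address means another router sits in front of this one."""
    ip = ipaddress.ip_address(router.wan_ip)
    return any(ip in net for net in NAT_RANGES)

def trace(chain, server_ip, proto="tcp", port=ARC_PORT):
    """Walk an inbound connection through the routers, outermost first."""
    hops = []
    for i, r in enumerate(chain):
        rule = next((f for f in r.forwards
                     if f.proto == proto and f.ext_port == port), None)
        if rule is None:
            return False, hops + [f"{r.name}: no {proto} rule for port {port}"]
        if ipaddress.ip_address(rule.to_ip) not in ipaddress.ip_network(r.lan_net):
            return False, hops + [f"{r.name}: {rule.to_ip} is not on LAN {r.lan_net}"]
        want = chain[i + 1].wan_ip if i + 1 < len(chain) else server_ip
        if rule.to_ip != want:
            return False, hops + [f"{r.name}: forwards to {rule.to_ip}, expected {want}"]
        hops.append(f"{r.name}: {proto}/{port} -> {rule.to_ip}:{rule.to_port}")
        port = rule.to_port
    return True, hops

# Constructed sample network; none of these addresses come from the thread.
SERVER = "192.168.2.50"
modem = Router("modem/router", "203.0.113.7", "192.168.1.0/24",
               [Forward("tcp", ARC_PORT, "192.168.1.2", ARC_PORT)])
inner = Router("inner router", "192.168.1.2", "192.168.2.0/24",
               [Forward("tcp", ARC_PORT, SERVER, ARC_PORT)])
```

Calling `trace([modem, inner], SERVER)` returns `(True, [...])` with one line per hop. If `behind_upstream_nat()` is true for the outermost device, the ISP is doing NAT as well and no rule on the home routers will make the port reachable.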

Thanks Wade. I’ll get onto the server manufacturer and see if it can support Tailscale.

Cheers

Whilst I am not familiar with it, the documents referenced above mention the use of Tailscale as a kind of gateway. This involves a second machine handling the Tailscale link.

This second machine could be something as simple as a Raspberry Pi running DietPi or other Linux distribution (maybe not ropieee because that is more aimed to be an appliance) and needn't cost a great deal to purchase or to run. This is necessary for, for example, using Tailscale with Nucleus devices or ROCK installs which do not allow for the installation of additional software.

The Tailscale instructions for RoonOS (Nucleus or ROCK) take you to a set of Tailscale instructions for setting up a subnet router. The instructions are at:

Having said this, I think that it would be much simpler just to open the port for Roon ARC with the port forwarding rules on the Modem/Router and the ‘private network router’. The security implications are absolutely minimal.

If it were me, I would avoid the added complexity of running Tailscale if I could possibly do so. But then, I would also avoid the use of more than one router.
