Security with Roon ARC / Roon 2.0

In my opinion opening a port in the router and forwarding it to a device doesn’t have to be a big security issue. The problem is what happens next… In my case, for example, the core runs on a QNAP. If there is a vulnerability in the Roon code that can be exploited through the forwarded port, then that vulnerability can be exploited from anywhere on the internet. The attacker might get access to my NAS. This is exactly what needs to be avoided in any case!

3 Likes

I didn’t want to argue against that. What I feel uneasy about is the proposed recommendation to delegate the manual part to some mechanism - while others than Roonlabs seem to propose the opposite. Even if it’s just a lack of understanding (like in my case) or maybe outdated information like that on a router, automatic port mapping done by clients via UPnP is better turned off.

Not sure if I could explain my concerns and probably the examples weren’t as helpful as I thought. So be it.

Having UPnP enabled on your router is not by definition enabling your network to be compromised. The reason the references you cited recommend UPnP not be enabled by default is to reduce the attack vectors that a threat actor has at their disposal. Personally, I’d rather manually configure port forwarding as it means I have to explicitly enable inbound/outbound traffic, whereas with UPnP enabled, applications like Roon ARC (and threat actors) can do it for themselves from the LAN side. Of course, if you have a threat actor with LAN side access you already have bigger issues to worry about.

The average internet user has limited knowledge of networks and network administration, hence the desire to have them use UPnP - easier on-boarding, fewer support issues & complaints arising from users not having the knowledge to configure their routers/firewalls manually.

All told, the sophistication of exploits is constantly increasing and cyber security will forever be a cat and mouse game. Keep your OSes patched and current, back up important data to a cloud service, keep confidential information on your PCs and other network devices encrypted and occasionally check in on your router’s port forwarding to ensure you know what’s being forwarded and why. Otherwise, the only surefire way to be safe from exploit is to unplug your router’s WAN interface.

4 Likes

A couple of thoughts primarily on my settings:

  • UPnP is off
  • Port Forwarding allows only TCP
  • NAT Type is “Symmetric” (My Asus router default) vs “Full Cone”; Asus explains the types as:


Symmetric NAT:
Each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port. If the same internal host sends a packet even with the same source address and port but to a different destination, a different mapping is used. Only an external host that receives a packet from an internal host can send a packet back.

Full-cone NAT:

Any external host can send a packet to the internal host, by sending a packet to the mapped external address.
Note: For some voice and video concurrent services or games, there might be some connection issue with symmetric NAT. You might switch to full-cone NAT for a better connection. However, with full-cone all external hosts can send packets to the intranet, but it’s less secure. It is suggested to switch back to symmetric NAT after using the services and games.


You might be thinking of issues with full-cone NAT. But from what I gather from a few hours of research, many routers use symmetric - it’s been around since 2008.
I’ve tested for several hours and despite trying to break this configuration, I can’t (yet :grinning:).
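As an added illustration (not Roon’s or Asus’s code) of the two NAT types quoted in the post above, this toy Python model shows which inbound packets a symmetric and a full-cone NAT deliver to a LAN host, and also that a static port forward, whether set by hand or via UPnP, is reachable from any external host regardless of NAT type. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAT: mode is 'symmetric' or 'full-cone', plus static port forwards."""
    mode: str
    next_port: int = 40000                        # next dynamic external port
    table: dict = field(default_factory=dict)     # mapping key -> external port
    forwards: dict = field(default_factory=dict)  # external port -> (lan_ip, lan_port)

    def _key(self, lan_ip, lan_port, dst_ip, dst_port):
        # A symmetric NAT keys the mapping on the destination as well.
        if self.mode == "symmetric":
            return (lan_ip, lan_port, dst_ip, dst_port)
        return (lan_ip, lan_port)

    def forward(self, ext_port, lan_ip, lan_port):
        """Static port-forward rule, whether set by hand or via UPnP."""
        self.forwards[ext_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """A LAN host sends a packet; allocate or reuse an external port."""
        k = self._key(lan_ip, lan_port, dst_ip, dst_port)
        if k not in self.table:
            self.table[k] = self.next_port
            self.next_port += 1
        return self.table[k]

    def inbound(self, src_ip, src_port, ext_port):
        """LAN (ip, port) an internet packet is delivered to, or None if dropped."""
        if ext_port in self.forwards:             # pinholes ignore the NAT type
            return self.forwards[ext_port]
        for k, p in self.table.items():
            if p != ext_port:
                continue
            if self.mode == "full-cone":
                return k                          # any external host may use it
            lan_ip, lan_port, dst_ip, dst_port = k
            if (src_ip, src_port) == (dst_ip, dst_port):
                return (lan_ip, lan_port)         # only the host we talked to
        return None

def demo(mode):
    """(reply from contacted server, unsolicited packet, packet to the pinhole)."""
    nat = Nat(mode)
    nat.forward(55000, "192.168.1.20", 55000)    # constructed: a forwarded ARC-style port
    ext = nat.outbound("192.168.1.20", 50001, "198.51.100.5", 443)
    return (nat.inbound("198.51.100.5", 443, ext),      # reply: delivered by both types
            nat.inbound("198.51.100.99", 12345, ext),   # stranger: only full-cone delivers
            nat.inbound("198.51.100.99", 12345, 55000)) # pinhole: always delivered
```

The third result is the point for ARC: the NAT type only governs mappings created by outbound traffic, so the forwarded port itself is exposed in both modes.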

Pretty surprised Roon is advocating users enable UPnP in 2022. A complete security clown car.

My advice would be to follow the manual config guide if you want to use ARC.

(Reposted because the topic I made was closed and was told to continue the conversation here. Not sure why my post couldn’t be merged into this topic but there we are)

4 Likes

I’d suggest there was an expectation that you might read the topic and see @danny’s argument on UPnP before reposting.

I did and I disagree with his refutation entirely.

At the end of the day, people can do what they want. But hopefully can’t say they haven’t been warned.

The problem is not about escape routes, that’s totally the wrong end of the stick. It’s about providing attack vectors for external threats. There are so many recent examples of malware and ransomware finding its way onto home NAS systems via unprotected ports that it’s absolutely brain dead to have UPnP enabled on home routers.

It’s not about exploiting Roon, it’s all the other stuff on home networks that isn’t locked down properly that an average user doesn’t have a handle on.

4 Likes

Which of course has no bugs a nefarious intruder could exploit to gain control of your network, and never runs as a privileged user account.

5 Likes

I’m afraid I’m also not on the same page as Danny on this one.

I buy @danny’s argument about upnp. See, for instance,

Critical piece, in my opinion, from that post:

Malware does not need UPnP to reach your local devices: for it to be able to do UPnP, it already needs to be on your device, or inside your network, so it can reach the internal devices by itself without using UPnP.

While in theory the attack vector is reduced, in practice you will find no malicious software cares. There are better ways to attack.

I can stand behind this. It all comes down to the question: do you think the attack vector reduction is worth it?

I think it is, but not as a standalone thing. Security isn’t about a single thing you do and suddenly you’re guaranteed bullet proof. It’s about hundreds of layers. Each on their own fallible, but all of them combined, make it much harder.

Unfortunately an increase in security comes at the cost of convenience, although in an ideal world it shouldn’t have to be that way.

1 Like

You’d have some interesting conversations with the thousands of Deadbolt ransomware victims who had their NAS exposed to the internet via UPnP-enabled routers.

Aside from that article being over six years old, if you read the follow up comments it is comprehensively ripped to pieces by the commenters.

Don’t enable UPnP, kids.

5 Likes

Please give us a way to disable the ARC features on the Roon Core, because the port is opened by default with UPnP on the router. Too dangerous. ARC must be opt-out and not opt-in. You open a door to the entire internet when doing so.

2 Likes

If you don’t want ports opened by default, you should disable UPnP on the router. I do agree that users should be able to turn off ARC support in core.

6 Likes

Or, go into your router settings and remove those pinholes for Roon ARC.

Sadly my router seems not to offer it :frowning:, only disabling UPnP entirely.

When you have the option to. I would like to use UPnP for local usage too and not have to disable it to disable the Roon ARC feature.

It must be done by Roon Core, letting the user not open the port and not configure the router.

1 Like

Yes, the problem is not really malware inside the LAN, it’s bugs and security holes in non-malware, as with the NAS incursions.

2 Likes

I agree. I run my Roon Core on a QNAP TS-473 that needed a complete reformat in January thanks to the Qlocker ransomware attack. I restricted access to my QNAP to the UK only, which will presumably block Roon Mobile were I to download it and use it outside of the UK (I am currently in Italy).

I will not be downloading 2.0 unless ARC can be disabled and access to my server protected. It contains a lot of other important business data besides Roon Core.

My music library is on an Innuos server that I do not use with Roon as the sound quality with Innuos Sense seems better. There was no mention of sound quality in the 2.0 note.