Roon 2.0

Arc is a really good idea if it worked. I don’t think Roon support is very good and I doubt how much I will use Roon in the future. It’s too complicated and Innuos does it much better and I get better sound there too.

It does work, and flawlessly for me and 100k+ others. Accessing your home network from outside is not a simple thing to do automatically. How many people working from home get VPN issues? I know our support team are constantly having to help users with no idea of what to do. Doing this sort of thing was always going to have support issues for Roon, as users have different understandings of how things work and so many different network configs. Some ISPs won’t let you do anything at all to their kit, and don’t get started on how many create a double NAT situation without even knowing what they are doing because they plug a mesh system into an existing router with no thought. Plex, which did this stuff years ago but is now more mature, had and still does run into these kinds of issues, but their UPnP implementation seems to be more robust.

Yes, and Roon is doing nothing special - it is just using a rule in your home firewall, as you would do if you were serving content from your internet access. This is far from unique - and anyone who uses their home internet service for more than just basic web based applications and a few others like SMTP will be quite familiar with it.

I guess many people don’t really use the internet as such at the moment, other than a modest subset of its capability focussed on web based clients; sure, it works fine for many who are consuming or manually interacting, but clearly not suitable for server purposes or machine to machine purposes that really get the internet working for you and provide a fuller benefit of a public interconnected network.

So ultimately it’s a choice: you either limit yourself to basic web access or use a more fully capable internet access. The latter requires rules to be set up in a firewall to be safe and to function across the RFC1918 boundary.

But yes - more full internet access tends to be used by enthusiasts or people who know what they are doing - I suspect most consumers don’t do this at the moment. It’s like in the early days of mass consumer audio streaming - many consumer devices were not really up to it - remember the issues with home broadband routers with switch ports that ran out of puff and wifi access points that double NATed etc.; it was a horror show… but as usage demands changed, these consumer products became more robust and were better designed, and now I rarely read of such issues. The same could happen with consumer firewalls as perhaps more consumers start to use the internet more fully rather than be limited to web applications… and they will become easier to configure and more robust… and become more familiar for the regular consumer rather than the domain of the enthusiast or professional.


Double NAT is pretty common at the moment as more switch to mesh systems without realising they are creating two networks with two routers, with wired systems on one and the app using the other for Wi-Fi. Seen it happen on here enough with users not being able to see their kit from the app.

I haven’t seen it recently - but yes, it should be avoided like the plague unless you know how to properly configure it - or you are limiting usage to basic client and web based applications only - which really is using the internet with a hand tied behind your back.

So many applications other than basic web ones will struggle or fail. To deal with NAT and double NAT within an RFC1918 subnet for many more advanced applications you need to use STUN servers and the like - and it can be a right faff. These days I consider it legacy - and IPv6 effectively makes this use of NATing obsolete.

In short, if a product requires you to double NAT in your home network - I would get rid of it/sell it/give it to a charity shop etc. - at your earliest convenience.
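An added example (not from anyone in this thread) of the check behind the advice above: from a traceroute towards any public host, count how many RFC 1918 or CGNAT routers sit between you and the first public hop. Two or more means an inbound port-forward has to cross two NAT boundaries; a 100.64.0.0/10 hop means the ISP itself is NATing you and no home router rule can help. The hop lists are constructed samples; the counting rule is a heuristic, not a standard.

```python
import ipaddress

# Address ranges that mark a hop as sitting behind a NAT: the three RFC 1918
# blocks plus the RFC 6598 carrier-grade NAT block used by some ISPs.
NAT_SIDE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
CGNAT_NET = NAT_SIDE_NETS[3]


def is_nat_side(addr: str) -> bool:
    """True if addr is an RFC 1918 or CGNAT address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAT_SIDE_NETS)


def classify_path(hops):
    """Heuristic: count the private/CGNAT routers before the first public hop.
    Each one is a NAT boundary an inbound forward must cross. '*' entries
    (timed-out hops) carry no information and are skipped.
    Returns (nat_layers, carrier_grade); carrier_grade is True when the last
    NAT-side hop is in 100.64.0.0/10, i.e. an ISP NAT you cannot configure."""
    layers = 0
    carrier_grade = False
    for hop in hops:
        if hop == "*":
            continue
        if not is_nat_side(hop):
            break  # first public router: we have left the NATed part of the path
        layers += 1
        carrier_grade = ipaddress.ip_address(hop) in CGNAT_NET
    return layers, carrier_grade


def advice(hops) -> str:
    """Map the path shape to what a port-forward can achieve."""
    layers, cgnat = classify_path(hops)
    if cgnat:
        return "cgnat"        # a rule on your own router cannot expose the host
    if layers >= 2:
        return "double-nat"   # forward on the outer router to the inner one, or bridge one
    if layers == 1:
        return "single-nat"   # one rule on the broadband router is enough
    return "public"           # host already has a public address


if __name__ == "__main__":
    # Constructed traceroute hops: inner mesh router, outer ISP router, then public.
    print(advice(["192.168.1.1", "192.168.0.1", "203.0.113.1"]))
```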

I think there are too many people who still have problems with ARC. They should have done more to explain what to do.


They do have many instructions and guides on their website - however I do agree that some people seem to have issues with their Roon Core configuring their home firewall of different types and makes, and indeed Roon Core failed to configure my BT HomeHub2 so I had to do it manually - which suggests perhaps that their firewall configuration implementation was not as robust or flexible as it could have been. Hopefully that will improve in later versions.


The forum is a very small percentage of users; they even said it’s about 1-2% of all users who have had an issue with ARC, and that’s pretty good going if you ask me. That said, their docs could be better at explaining things, and they have some work to do in making it work with some setups. I was a tester and there weren’t many that had too many issues that couldn’t be got working with some configuration. That was part of the early access program, to iron out as many of those issues as possible before launch, but obviously some didn’t get rectified in time for launch. It’s the start of this product’s lifecycle; it will grow and get better I feel.

My wife upgraded her iOS remote to version 2 without understanding the implications, whilst I planned to keep the Core on 1.8 for the time being. Now I realize I have to update the Core to 1.8 Legacy (different to 1.8) and then install 1.8 Legacy on all the remotes if I want to stay on 1.8… what a PITA.

It may well have been communicated on the Roon site but there’s been that much noise over there for the last week I’ve kind of shut it out.

There is nothing wrong with double NAT and everything wrong with allowing applications to punch holes to incoming traffic from the Internet at will. It is Roon who is disregarding the most basic perimeter security guidelines, not Orbi.

That is just ridiculous, naive and suggests a lack of understanding of firewall design and how one manages network segmentation. There is a specific firewall rule… commercial firewalls may have many hundreds of such rules… no wonder the poor layman gets confused trying to read some of these comments… I think you need to think beyond basic http/https clients, which don’t work in this environment without locking up non scalable/inefficient resources…

Double NAT is BAD, period - it’s lazy and obsolete for home networks, where one should be using a single RFC 1918 subnet - there is no reason to do it - and it requires complexity in dealing with it unless using simple protocols. No wonder the poor consumer gets frustrated when applications don’t work if they have bought obsolete consumer equipment that requires it. Jeez…

As I say avoid any consumer equipment that performs double NAT… or don’t complain when applications or services don’t work as intended… and if you want to provide an internet service (like Roon ARC) and you are unsure of what is happening - look up how to manage and configure simple firewalls.

The only possibly contentious bit is whether you allow automatic rule application using UPnP or similar or whether you manually apply…

UPnP has nothing to do with firewall rules, in fact it has nothing to do with security at all, it simply automatically maps the Public IP Address of the modem/router to a private IP Address/port combination across the perimeter. I don’t know what firewall you are talking about, there is no firewall in a typical home setup.

Double NAT is basically more routing, one additional pass through the network, which breaks nothing, unless someone (like Roon) comes up with the terrible idea of allowing UPnP over the Internet to the internal network. Roon ARC is poorly architected in terms of security, and presents all of the potential risks associated with exposing a host on your internal network to the Internet.

I think you are getting mixed up… UPnP and NAT-PMP are the main protocols used for configuring consumer firewall mapping rules in the broadband/internet router. I think you might be referring to UPnP AV or UPnP DLNA (sometimes also shorthanded to UPnP), which is used for home streaming and is something quite separate… but yes, I can see this could be a cause of confusion.

As far as NATing… yes, in one sense it can be seen as a type of routing… and as such one needs to correctly configure it if using it. In LAN subnets such as those used in a home network one would need helpers and forwarders for broadcast data and multicast data such that they function across the NAT boundary… these include functions like ARP, NDP, DHCP scopes, SSDP, Bonjour etc.… for double NATing… this just makes the problem twice as hard to configure… further, some protocols incorporate layer 3 addresses for peers in the layer 7 encoding… think of SIP… so unless you had symmetrical double NATing you would need to use STUN servers. If this is not done then certain applications can or will fail… as indeed one forum member, @CrystalGipsy, commented that some on this forum who use such products can suffer from.

But sure, simple web based client apps or limited LAN wide functions should work fine…
As I say, for home networks, in my opinion, consumers using NATing within the LAN (not to be confused with the internet/RFC1918 routing boundary) is just asking for trouble and consumer frustration, and is in my opinion unnecessary.

No I’m not confused, all I’m saying is that you don’t allow connections sourced from the Internet into your secured network. Applications that require that kind of connectivity are better not utilized. That’s exactly why you use STUN for SIP based voice traffic.

Unfortunately, it does appear that UPnP has a lot of problems. If you don’t use applications that need port forwarding, such as peer-to-peer applications, game servers, and many VoIP programs, you may be better off disabling UPnP entirely.

There was a time the FBI and other security experts recommended disabling UPnP for security reasons.


The problem with network security is that just about everyone is a layman. It’s a specialist art almost. Yes here and there are people who understand a lot about this AND are Roon subscribers but it is sure that the bulk of the subscribers don’t.

Yet the ARC application is now forcing many users to manually configure router settings. And therein lies the Catch 22. You need to be a security expert to know which one of the many suggestions that are already out there to follow, but the reason you need to follow them is because you are not one.

This is invariably going to lead to some users turning too much off, or even breaking something elsewhere.

Oh dear… no, that is not why you use a STUN server… a STUN server tells a host what its outside address across a NAT boundary is… so it can communicate that address to peers….

Yes, as I said above, there is a view that it is better to disable auto firewall configuration and disable UPnP on your router firewall, but that then means user action is required to set up rules if needed by applications for bespoke/custom ports… I guess for many consumers setting up their firewalls can be daunting even for simple rules, as evidenced by this thread… so there is benefit to protocols like UPnP if it interworks correctly between application and firewall… as these things then happen silently and automatically… but it’s about proportionality and risk assessment. If you follow good NCSC practice with regard to software updates, web hygiene and anti malware software, your exposure to risk should be minimal unless you have accessible high value assets.

Anyway perhaps we should leave it there because being a network security engineer I perhaps appear to work in a different world to one you work in.

Yep, I agree… probably spurred by inappropriate or outdated views from armchair critics…

It’s a shame Roon didn’t get their UPnP implementation more robust, as we probably would see a lot less noise, as this functionality would then have silently worked for many more… as it is indeed designed to do for applications that use custom non web based applications.

But network security is significantly not all about bits and bytes… we are not in the 2000s now … it’s common sense, usage behaviours and risk/impact assessment … the NCSC guidance for individuals and families is very good.
Biggest risks are from phishing, accessing non secure websites, running malicious or non accredited software, executing links/code in malicious emails, not being careful about information you share on social media and not keeping software updated on internet accessible networks.


Indeed, but I don’t see the noise / opinions as the problem. That is a symptom of the problem. The real issue at hand is linked to UX. Someone who likes music suddenly being confronted by the control panel of the Star Ship Enterprise. It is Roon that is offloading development and timeline challenges to the user. If the ARC implementation worked out of the box for everyone there would not have been a need for a documentation page / thread on manual port forwarding so people would have nothing to discuss.

I mean, imagine buying the newest Playstation game and getting a large error on your screen and links to documentation to go change settings on your router. How well would that go down? It is almost like we are back in the days of autoexec.bat and config.sys, scrounging the last few KB of base memory to be able to start Doom.

Yep… fair point… the communication could have been handled better. I think many people don’t like change… and when it occurs in a space they are unfamiliar with… and perhaps considering the main demographic of Roon users, there is a high risk of unhappiness… also the new Roon has to be online… whereas the old Roon I believe only needed a monthly heartbeat… another cause for potential unhappiness.
I suspect there is some irritation and nervousness within Roon itself at the moment… hopefully lessons have been learnt about user communication.
