Netgate Discussion Forum

    Port Forwarding for Roon

    7 Posts 4 Posters 1.4k Views
    • jasiu82

      Hi All, I have a Roon Music Server. I send all traffic over a Nord VPN and have a Netgate 4100 box. I am trying to open a port for Roon ARC to work and am using the stock port of 55000. I set up a port forward rule and it doesn't work. In PF Top, I test WAN to 192.168.10.202:55000 and it fails. What am I missing? Thank you!

      Roon Port Forward.png

      • johnpoz LAYER 8 Global Moderator @jasiu82

        @jasiu82 well what are you testing from?

        Nord doesn't allow port forwards, do they? If they did, the traffic would be coming in on your Nord interface, not your WAN.

        Go to some place like canyouseeme.org and send traffic to the IP you want to port forward.

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Gblenn @johnpoz

          @johnpoz said in Port Forwarding for Roon:

          @jasiu82 well what are you testing from?

          Nord doesn't allow port forwards, do they? If they did, the traffic would be coming in on your Nord interface, not your WAN.

          And some that did support port forward have removed it, like Mullvad. But you could try using Tailscale for this type of use case... Depending on your setup you either install Tailscale on a separate machine as a "subnet router" or you install it on the machine running the Roon server. Then install Tailscale on the phone and you are good to go.

          • Bob.Dig LAYER 8 @Gblenn

            @Gblenn said in Port Forwarding for Roon:

            And some that did support port forward have removed it, like Mullvad.

            Interesting. Good to know and bad to hear read.

            • Gblenn @Bob.Dig

              @Bob-Dig said in Port Forwarding for Roon:

              @Gblenn said in Port Forwarding for Roon:

              And some that did support port forward have removed it, like Mullvad.

              Interesting. Good to know and bad to hear read.

              Yes it is quite a bad (dark) read actually... https://mullvad.net/en/blog/removing-the-support-for-forwarded-ports

              • jasiu82 @Gblenn

                @Gblenn Hello! Thank you for the suggestion. I have installed Tailscale and connected the sites on the same subnet, as suggested and it works beautifully. If you don't mind, I'll ask another question:

                Since I've been running a Nord VPN both on all traffic from the pf 4100 as well as on my phone using the app, when I change to the Tailscale VPN on my phone, it drops the Nord VPN. When I check what my IP address is on the phone with Tailscale, it shows a Verizon address. When I use the Nord VPN, all traffic is routed over that VPN and thus I see a Nord address, as expected. It looks like only some traffic is routed over the Tailscale VPN on my phone. It doesn't seem like I can run both VPNs on the phone at the same time, the Tailscale to run Roon and Nord to run everything else. My question: If I'm routing over Tailscale back to the Roon computer, I'd have expected my service to be from inside my network and thus routed over the Nord VPN as a consequence of all traffic inside my network being routed by the pf 4100 to Nord. What am I misunderstanding? Thanks so much for your help!

                • Gblenn @jasiu82

                  @jasiu82 Ah yes, on the phone you may be limited to running only one VPN at a time, like on iOS. https://tailscale.com/kb/1105/other-vpns.

                  Otherwise it might be possible to set it up so that Tailscale only routes traffic from the apps that want it (Roon in this case). I have not looked into this at all, but perhaps this provides some insight into how it can be done: https://www.reddit.com/r/Tailscale/comments/15e9m6m/routing_specific_traffic_through_exit_node/

                  But on the other hand, the Tailscale client on your phone will find your "home IP" by checking with Tailscale's servers. And they only know what the subnet router on your home network tells them. So when you say you run "all traffic on NordVPN from the pf4100", how do you achieve that?

                  If you have policy routing that routes any and all traffic on your LAN via your NordVPN tunnel... Then the way it should work is that the Tailscale subnet router will also find its way out via NordVPN...
                  So even if you only run Tailscale on your phone, it should anyway end up inside your NordVPN connection, a tunnel within a tunnel.

                  But even if your phone no longer uses NordVPN, from a privacy standpoint I suppose it really doesn't matter since it's you that initiates a point to point connection to your own network. So the fact that it goes to your IP directly doesn't matter since it is fully encrypted and there is no way for anyone to even know what's going on inside... regardless if it's Roon or some other server you are accessing inside your network.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.