Don't do this; there is no good reason to run UPnP if you care about security. Turn it off and learn to manage a firewall.
If the author really cares, go one step further and replace the ISP owned router with something with more control.
Finally, if one cares about the software one's NAS runs, build or buy from someone like TrueNAS.
As others have said it's really necessary for some consumer devices to work properly - especially if you have more than one of the same device.
Games consoles are the best example.
If you have one console only, then you can usually forward ports manually, but if you have two or more of the same console, and want them to go online at the same time, then you need to use UPnP.
If you don't have UPnP enabled on one of the consoles, you'll see issues like being unable to join some games or being unable to do voice chat with certain players.
Not with you there, bud - we have multiple game consoles and my firewall doesn't even support UPnP. I also have never set up any DNAT or 'punched holes' in it to make them work. They just do.
Out of the box on most consumer networks, you're going to be able to access things like the store, downloading updates etc.
To play with certain players on peer to peer games (which are less common these days) or have a voice chat with certain players, you will need to port forward (manually or with UPnP).
You either need to forward ports manually (which can obviously only be done to one console), or use UPnP. The Xbox One and later does have an option to manually ask it to use a different port on multiple consoles for some features (so that you can port forward separately to consoles), but I am unsure if that will solve all issues in such an environment.
What happens though is that another external port gets forwarded to 3074 instead.
3074 -> 3074
3075 -> 3074
3076 -> 3074 etc.
It's likely UPnP does this automatically, as even UPnP won't be able to map multiple devices to the same external port, but it does make the process convenient.
However, we're talking about a service listening behind NAT (in this case Call of Duty on an Xbox at home) that needs to be listening for connections initiated by other Xboxes to establish a P2P connection. This is what port forwarding enables and this is what uPnP automates.
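The 3074 -> 3074, 3075 -> 3074, 3076 -> 3074 pattern above is just a NAT box keeping its external (protocol, port) pairs unique while several consoles all listen on the same internal port. The following is an added example, not code from anyone in this thread or from any router vendor: a small model of that table, with the "next free external port" rule, rendered as nftables DNAT rules. The console addresses, the WAN interface name `wan0` and the inet-family `dnat ip to` syntax are assumptions to adjust for your own network.

```python
# Added example (not code from the thread): a small model of the external
# port table a NAT box keeps when several consoles all want the same port.
# Console addresses, the WAN interface name and the nftables syntax used
# for rendering are assumptions; adjust them to your network.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (protocol, external port) - one mapping per key


@dataclass(frozen=True)
class Mapping:
    protocol: str         # "udp" or "tcp"
    external_port: int    # port seen on the WAN side
    internal_client: str  # LAN address of the console
    internal_port: int    # port the console really listens on (3074 here)


class PortTable:
    """External (protocol, port) pairs must be unique; internal ports need not be."""

    def __init__(self) -> None:
        self._table: Dict[Key, Mapping] = {}

    def add(self, protocol: str, wanted_external: int,
            client: str, internal_port: int) -> Mapping:
        """Map wanted_external -> client:internal_port, or the next free
        external port above it when wanted_external is already taken.
        That gives the 3074 -> 3074, 3075 -> 3074, 3076 -> 3074 pattern."""
        protocol = protocol.lower()
        ext = wanted_external
        while (protocol, ext) in self._table:
            existing = self._table[(protocol, ext)]
            # The same console asking again gets its existing mapping back.
            if (existing.internal_client, existing.internal_port) == (client, internal_port):
                return existing
            ext += 1
            if ext > 65535:
                raise RuntimeError("no free external port")
        mapping = Mapping(protocol, ext, client, internal_port)
        self._table[(protocol, ext)] = mapping
        return mapping

    def lookup(self, protocol: str, external_port: int) -> Optional[Mapping]:
        return self._table.get((protocol.lower(), external_port))

    def nft_rules(self, wan_if: str = "wan0") -> List[str]:
        """Render the table as nftables DNAT rules (inet-family syntax)."""
        ordered = sorted(self._table.values(),
                         key=lambda m: (m.protocol, m.external_port))
        return [f'iifname "{wan_if}" {m.protocol} dport {m.external_port} '
                f'dnat ip to {m.internal_client}:{m.internal_port}'
                for m in ordered]


def three_consoles() -> PortTable:
    """Constructed scenario: three consoles, each asking for external 3074/udp."""
    table = PortTable()
    for client in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        table.add("udp", 3074, client, 3074)
    return table


if __name__ == "__main__":
    print("table inet nat {\n  chain prerouting {\n"
          "    type nat hook prerouting priority dstnat;")
    for rule in three_consoles().nft_rules():
        print("    " + rule)
    print("  }\n}")
```

Run it and you get three rules: external 3074, 3075 and 3076 on udp, each pointing at a different console's port 3074. Doing this by hand is what "forward ports manually" means for more than one console; UPnP (or, on IGD v2, AddAnyPortMapping) just asks the router to pick the free external port for you.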
Anyway, these days, if you don't have an IPv6 /56, you don't have a real Internet connection.
Depending on the game you're playing, that may or may not be an issue.
It can stop you connecting to certain players in a peer to peer scenario.
As another example, last time I checked WebRTC didn't use UPnP, but has all the same issues as a fundamentally P2P UDP protocol. They use STUN/ICE/TURN; Live uses custom protocols filling the same niches.
I don't think anything has fundamentally changed in this area since the days of the Xbox 360. Back then it was a PITA to get two or more consoles working properly without UPnP, and I can't see anything about the problem that would be different now.
Nintendo has a similar page:
So does Sony:
The issues with IPv6, in my experience, come from its relative complexity compared to IPv4, and also from forgetting to manage it at all, as it often uses different tools and firewalls, e.g. ip6tables vs iptables, or the fact that Ubiquiti EdgeRouters don't expose ANY IPv6 firewall configuration in the GUI at all.
Other players in this space have had these capabilities for over a decade, and you can call to get help. Ubiquiti might be inexpensive, but it's still more than double the price of Grandstream's SoHo/SMB router and access point offerings while offering equivalent support and features.
Really, neither of these offerings are good outside the SoHo and single-location business space. I wish for OpenWRT, OPNsense or WatchGuard's configurability wrapped in a single interface that lets you see the router, switches and access points' performance live while letting you alter their settings, without seriously kneecapped router capabilities.
Why do people throw this out there as if it's a fact we all agree on?
I've heard of one potential privacy issue 20 years ago, which was that IPv6 autoconf used the MAC address for the host part of the address, but this has long since been replaced with regularly rotating random suffixes.
So... why keep saying this?
P.S. If your security paradigm relies on IP addresses being semi-stable, you need to overhaul it.
I'm in the rest of the world and my non-static IP address almost never changes. I actually memorised my external IP address at one point since I saw it so often.
Fair, but that's still IPv4 and IPv6 rotating at the same rate.
I use the highest fibre offering from Orange and have a dynamic IP. Fixed IP is for "professionals".
That's funny, because I kind of have the "lowest" fibre offering from Orange, and I don't think my IP ever changed? (I wouldn't bet on it, though.)
I closely monitor my Internet connection (since I serve stuff on it, and also because why not) and I saw my IP changing and wandering throughout the Ile-de-France. I would say that the changes are every 6 months or so (since one of my domains is with Gandi, I had to write a checker and change the assignment through their API).
How does having run out of IPv4 mean that there is no "real" Internet?
Honestly - it would be great if IPv6 caught up but the standard, first choice is IPv4.
IPv6 has been slowly rolled out for more than a decade now, though AFAIK the standard has only been finalized in 2017.
Since 2017, first choice should have been IPv6.
"Internet" stands for "International network". If you're using IPv4 only, when someone else uses IPv6 only, then obviously you won't be able to connect to each other. Therefore you aren't on the same network. And only one of them can be "really" called "Internet".
(Also, IPv4 was an experimental ARPANET protocol which wasn't supposed to be used "in production" worldwide, but here we are...)
Source? Every consumer router I've ever seen that supported IPv6 also had a firewall covering IPv6. Given the crapshoot routers tend to be I wouldn't be surprised if some messed that up, but "pretty common" seems unlikely.
For context, Free recently boasted reaching 99% IPv6 coverage. On their (now) midrange Freebox Revolution router, the IPv6 firewall is (AFAIK still today) opt-in.
> the author depends on NAT as a security feature, when it was never designed to be one
> UPnP is a convenience feature, and is disabled in all security focused networks.
uPnP punches holes in a NAT. If you shouldn't be trusting NAT to protect you anyway, why bother disabling a feature that's designed to punch holes in it? Just set up your firewall to protect your network, and it's not an issue.
(I suppose some routers might automatically add a firewall exception when doing uPnP hole punching, but if so that's an issue with those routers, not with the idea of relying on a firewall.)
The hole was always there. People get this topic confused all the time because the majority of network devices doing NAT are also acting as firewalls of varying efficacy. There are basically no non-firewall routers anymore, they all have at least simple network address ACLs.
The purpose of upnp is touchless configuration. If you care about security, that is orthogonal to your goals, and so it must be restricted by some other policy enforcement.
Another reply to my comment suggests that at least some consumer routers open a firewall port up as well, meaning that UPnP is still a potential security hole on those routers. (This might actually be required by the IGD protocol spec for all I know, that would be unfortunate...)
Every consumer router I’ve ever had will open up a port in the firewall when uPnP is enabled and a request is received. Is that not standard?
NAT is not really security and UPnP doesn't really do much to prevent malicious software already on your network from doing malicious things except perhaps hosting itself on your WAN to spread further.
What disabling it does help is prevent improperly configured or flawed devices from accidentally exposing themselves to your WAN. IOT devices? Put them on a network with no UPnP. Workstations and video game consoles with up-to-date patches? UPnP is probably fine.
I've set up several private v6 networks to deal with renewable energy projects in which the integrator used the same ipv4 address blocks on every single one, and the whole 6to4 translation explanation landed like they had just seen a devil sorcerer graft a goat head onto a human.
This knowledge saved at least 2 companies hundreds if not thousands of euros in on-site support, hardware and other expenses. Funnily, while these things are quite hacky, they tend to work better than most of the dedicated hardware I have seen in practice, while keeping you/ the technician/ engineer in control. With any kind of working infrastructure, you can estimate how good your solutions are because you don't get called at random times and from monitoring/ explicit contact you just see/ hear the things work fine.
You can also try this not-shortened link: https://www.orgpad.com/o/AWhUSD7lhAjYC0sw-9lcDd
IPv6 is overly complex, therefore insecure. Thanks to the US Patriot Act I don't even trust the VPN stuff tbh.
I'm being a bit pedantic about this since you're right that in practice, setting up stuff for IPv6 is in-fact complex since support for it is all over the place.
But I want to stress that IPv6 as a protocol is much simpler, more intuitive and much more versatile than IPv4. I'd even go so far as to say that it's actually fantastically suited for local networks, especially so in complicated setups with multiple subnets (in an alternate reality where everything supports it).
It's really, truly, a genuine shame that it never gained the momentum it could have.
But the routing is not simple.
I'm pretty well versed in networking generally - even IPv6, but a quick glance over something like:
Makes it obvious why it still hasn't gotten anywhere, _no one_ wants to dig through all that unless they really really have to.
Security depends on securing the routing and address allocation. So it is hardly surprising very few were/are willing to step up and declare IPv6 installations safe for service.
Combine that with most users being happy and comfortable with 1 IP address and there was no mass market appeal for IPv6 hardware or software.
I'd go so far as saying the vast majority of people do not even realise their machines can be accessed from the outside world when they only have one public address behind their "firewalled super safe ISP router", and would be terrified to find out they can.
Everything listed there either also applies/transfers to IPv4 or is not applicable at all to the situation you're evaluating.
> Makes it obvious why it still hasn't gotten anywhere
[EDIT: sibling post by minimaul has the better link:]
The mass market appeal for IPv6 is the fact that we do not have enough IPv4 to actually give one internet connection a unique IP. CGNAT is getting ever more present in the marketplace as a result of this.
Major providers are rolling out IPv6. E.g. in the USA, several major cable/fibre providers provide v6, and several mobile networks provide IPv6 using things like 464xlat. It's the same in the UK - BT for example provide IPv6 on consumer internet connections, EE (a major phone carrier) provide v6 and use 464xlat to provide v4 connectivity to handsets.
India and Germany are further ahead still, generally. Google's IPv6 stats are a good indicator of just how much v6 is in use now: https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6...
All the IPv6 routing security has to be done with IPv4 as well. ARP -> NDP, prevent source address spoofing, DHCP guard/RA guard are basically two sides of the same coin. Serious networking hardware has supported this for years, or there are firmware updates supporting it. For about the last 5 years, supporting IPv6 became much easier, almost as easy as supporting IPv4 for most of the real-world use cases. Anyway, the reality is, we don't really have much choice other than to migrate to IPv6 sooner or later.
In practical networks, IPv4 tends to be set up in some way and usually seems to work correctly - until you discover all the atrocious hacks people have committed over the ~25 years of practical, widespread use. Quite often multiple levels of NAT without much reason for it, UPnP where it shouldn't be, payment for even single IP addresses (great, we are paying for numbers other people got basically for free) and more - IPv4 addresses are often handled like pets. Compared to IPv6, it is much harder to do a simple split into security groups based on prefix with IPv4. (In IPv6, you can usually just give every broadcast domain a /64 and will not make a huge mistake - they are a single security group. Sometimes, you might want to hand out a /64 or even shorter prefix to every client though.)
There are some great resources for modern and practical IPv6 too: https://knihy.nic.cz/#IPv6-2019 (4th edition in Czech by Pavel Satrapa, but can be translated using Google Translate and is more or less ok as a translation: https://docs.google.com/document/d/10CRjSRBLcdqtGjJgaW5Sct5h...) there are older books in English that are also mostly relevant still. The free IPv6 course by RIPE NCC is also a good way to get up to speed and avoid (spreading) FUD.
And they even disable UPnP from some of their routers for "security reasons".
IPv6 could be set up so every computer has an internal address and you choose to map external to internet using 1 to 1 NAT.
::Pets His firewalls lovingly::
“Don’t listen to Him, He didn’t mean it.”
However, devices should default to local access only, and offer an option to expose them to the world, with appropriate warning.
Unfortunately we need to act based on what is and not what should be.
Of course, for most people who aren't dealing with state secrets, convenience is a priority.
As usual, various solutions are available, I described one here. Disabling uPnP is an option for some, and I encourage those who want to go that route to go that route.
It's definitely a bug in the nas that it continues to punch ports no matter how it is configured. Plenty of software gives you the option of not punching ports.
I build secure communications solutions for a living, so I'm speaking from experience.
Any solution worth its salt doesn't want or need UPnP on your network, it doesn't need anything other than for you to let it hit the internet and for the traffic to come back the other way.
I also run and have run other solutions in my day to day working from home and private life, many SIP flavours, Teams, Zoom (once, because it was the only option), Jitsi, BBB, Google Duo, Hangouts, Houseparty they all work with no effort from me.
There is a lot of hypothetical about what will and won't work, but take it or leave it when I say that some of us, the people building these solutions, have a bit of a clue about networking and how to build solutions around security best-practice.
I also game online with PC, Nintendo Switch and PlayStation 4/5, not one has given me issues, nor have I needed any custom firewall rules for the consoles.
My wife works from home on a government-issued laptop; she's never complained of issues with video conferencing or her work VPN.
There may be some exceptions, sure, but it's less of an issue than people think.
Isn't it more difficult to justify keeping it on when you can't trust devices not to, literally as the article shows, punch gaping holes in your network? 4 ports, and if you didn't know to look...
At a bare minimum, if you MUST have uPnP, then those devices need to be on their own "unsafe" network with another network further in or next to it that has uPnP disabled.
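"If you didn't know to look" is the practical problem: most consumer routers show UPnP mappings poorly or not at all, but the IGD service itself will list them. The following is an added example, not code from anyone in this thread or from any router or NAS vendor. It builds the WANIPConnection:1 SOAP request for GetGenericPortMappingEntry, walks the table index by index until the router answers UPnPError 713 (SpecifiedArrayIndexInvalid, i.e. end of table), and filters the result by internal client so you can see exactly what a given device has opened. The XML replies, `NAS_IP` and the LAN addresses are constructed so it runs offline; against a real router, the caller-supplied `fetch` would do SSDP discovery and an HTTP POST to the service's control URL, which is not shown.

```python
# Added example, not code from the thread or from any router vendor. The XML
# replies, NAS_IP and the LAN addresses below are constructed; against a real
# router, fetch() would SSDP-discover the IGD and POST to its control URL.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UPNP_ERR_NS = "urn:schemas-upnp-org:control-1-0"
INDEX_INVALID = 713  # SpecifiedArrayIndexInvalid: asked past the end of the table

def soap_request(action: str, args: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """HTTP headers and body for one IGD action; POST these to the control URL."""
    body = ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{SERVICE}">'
            + "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
            + f'</u:{action}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#{action}"'}
    return headers, body

def get_entry_request(index: int) -> Tuple[Dict[str, str], str]:
    return soap_request("GetGenericPortMappingEntry", {"NewPortMappingIndex": str(index)})

@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_seconds: int  # 0 = permanent

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace

def parse_entry_response(xml_text: str) -> Optional[PortMapping]:
    """One mapping, or None when the router answers UPnPError 713 (end of
    table). Any other fault is raised so it is not mistaken for 'no holes'."""
    fields = {_local(el.tag): (el.text or "") for el in ET.fromstring(xml_text).iter()}
    if "Fault" in fields:
        code = int(fields.get("errorCode", "0"))
        if code == INDEX_INVALID:
            return None
        raise RuntimeError(f"UPnPError {code}: {fields.get('errorDescription', '')}")
    return PortMapping(int(fields["NewExternalPort"]), fields["NewProtocol"],
                       int(fields["NewInternalPort"]), fields["NewInternalClient"],
                       fields["NewEnabled"] == "1", fields["NewPortMappingDescription"],
                       int(fields["NewLeaseDuration"]))

def enumerate_mappings(fetch: Callable[[Dict[str, str], str], str]) -> List[PortMapping]:
    """Walk indexes 0, 1, 2, ... until the router reports 713."""
    mappings: List[PortMapping] = []
    while True:
        entry = parse_entry_response(fetch(*get_entry_request(len(mappings))))
        if entry is None:
            return mappings
        mappings.append(entry)

def mappings_for(client_ip: str, mappings: List[PortMapping]) -> List[PortMapping]:
    """The holes a particular LAN device (e.g. the NAS) has punched."""
    return [m for m in mappings if m.internal_client == client_ip]

# --- constructed router replies standing in for the real HTTP exchange ------
def _entry_xml(ext: int, proto: str, iport: int, client: str, desc: str) -> str:
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

FAULT_713 = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
             '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
             f'<detail><UPnPError xmlns="{UPNP_ERR_NS}"><errorCode>713</errorCode>'
             '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
             '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')

NAS_IP = "192.168.1.50"  # placeholder LAN address of the NAS
FAKE_TABLE = [  # a console's game port, plus two services the NAS opened by itself
    _entry_xml(3074, "UDP", 3074, "192.168.1.10", "Xbox"),
    _entry_xml(8443, "TCP", 443, NAS_IP, "NAS web UI"),
    _entry_xml(5000, "TCP", 5000, NAS_IP, "NAS app"),
]

def fake_fetch(headers: Dict[str, str], body: str) -> str:
    """Stand-in for the HTTP POST: answer from FAKE_TABLE by the requested index."""
    idx_el = ET.fromstring(body).find(
        f".//{{{SERVICE}}}GetGenericPortMappingEntry/NewPortMappingIndex")
    index = int(idx_el.text)
    return FAKE_TABLE[index] if index < len(FAKE_TABLE) else FAULT_713
```

`mappings_for(NAS_IP, enumerate_mappings(fake_fetch))` returns the two NAS entries and nothing else; swap `fake_fetch` for a function that POSTs `body` with `headers` to the router's control URL and you have an audit of every hole UPnP has punched, including permanent ones (`lease_seconds == 0`). Stopping on 713 rather than on any fault matters: a router that rejects the action for another reason should show up as an error, not as an empty table.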
Does the following disable the FS2-210's local UPnP?
Go to TOS Desktop> Control Panel> Network Services> Discovery Service> UPnP Discovery > Uncheck "Enable UPnP discovery service"
I assume this won't break anything you don't want broken (i.e. automatic port forwards), but I'm with you that the option is needlessly ambiguous.
UPnP has its security implications, but it doesn't mean that random appliances can just open ports through it without any settings whatsoever.
Everybody has the freedom to have opinions and is free to express them; however, we shouldn't disregard another person's situation while expressing our opinion. Talking about theoretical best practices is always easy in a vacuum.
Addendum: I want to congratulate bunny for trying to learn from his/her mistakes, for being honest and sincere. I wanted to leave it here since there's no other way to contact. I also made a lot of mistakes and HN taught me how to discuss this stuff, so you're at the right place.
Then @kn100 assigns to @bunnyfoofoo the offending behaviour.
It's the personal responsibility thing.
"I'm offended" vs "You're offensive".
Because that’s a bug.
The correct solution is the NAS manufacturer needs to correct the issue and provide a software update.
This article shouldn't be ignored at all. Your supposed "correct solution" does nothing to fix the root issue.
Maybe he is under the impression if he turns off UPnP on his router (the automatic port forwarding feature), that his LAN device discovery features will break?
Typically, it can be possible to join another lobby, but impossible to host (insofar as other people can't connect to it)
Of course they can be opened manually but that assumes some technical experience, and that the ISP provided hardware gives you access to its configuration.
Normally people say games. I have disabled UPnP on my firewall and there are two gaming PCs, a PS3, a PS4 and a PS5 running happily behind it. I just finished a Demon's Souls session with voice chat with friends with no problems. NAT type 2, because I managed my firewall to enable this.
My point was to get an example of something that breaks "because it doesn't work without upnp". I have yet to see a game that doesn't support a fixed set of ports.
I live in EU.
(Sorry if it's bad form to ask for product recommendations, but I am unhappy with/ don't trust, my isp provided router, and gp explicitly mentions buying a router)
The short but not so useful answer is, run something with pfSense or similar, I hear PCEngines hardware works well and is open source from the bootloader up.
Ubiquiti has hardware offloading using Cavium hardware, so you need to get some throughput tests if you need high bandwidth on hardware without the offloading hardware.
Both are generally maintenance free once they’re set up.
* I'd recommend OPNsense over pfSense. If nothing else, then because they break licenses (pfSense is NOT open source as they claim. You cannot build from the sources they provide).
Nothing is where you expect it to be. Getting to the control panel requires multiple login screens. Changing a port forwarding rule for devices that are and are not currently connected not only isn't on the same screen, it's not even in the same section of the control panel.
I had no end of problems getting it up and running for her, despite having paid tech support on the phone. Everything connected via ethernet would benchmark at exactly 1/2 the normal download speed of her old router, and anything on wifi benchmarked at 1/6. For the first three days her IP phone just rang continuously with nobody there, and neither I nor the tech support guy has any idea why it started working correctly.
I think it's only for real networking pros.
Static port forwarding combined with DHCP gets annoying quickly; you end up having to set up static assignments for every device that may need a port forwarded, which can be a lot with modern multiplayer gaming and p2p.
And for applications that select a random port on startup, such as some bittorrent clients, you either have to manually forward the port every time or select a static port.
UPnP serves a purpose and is extremely convenient, as long as you trust the devices on your network.
What if you run them over a VPN? I don’t use torrents much but have a client containerised with OpenVPN. I’m not a networking expert but I had assumed (with all the dangers that comes with) that this moved the problem to the VPN provider?
And multiple devices on the network may need the same port forwarded at different times, such as multiple games consoles.
If the suffix stays stable then with iptables you can use netmasks where you mask out the prefix rather than the suffix.
If both prefix and suffix are dynamic you need a solution that takes dhcp or host names into account. Not all router firmwares support something like that.
Another alternative is to use UPnP or PCP with authentication.
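The suggestion above (mask out the prefix, match on the interface identifier) is the kind of rule that is easy to get subtly wrong, so here is an added example, not code from anyone in this thread, that performs the same masked comparison the netfilter match does, derives the stable modified EUI-64 suffix from a MAC address, and checks both the case that works (prefix renumbered, same host) and the case that does not (a privacy-extension address with a random suffix). The prefixes, the MAC address and the rendered `ip6tables` rule are constructed; that `ip6tables` accepts an address/mask pair with the prefix bits cleared is the claim made in the comment above, not something this code verifies.

```python
# Added example, not code from the thread. Prefixes, MAC address and the
# rule text are constructed; that ip6tables accepts an address/mask pair
# with the prefix bits cleared is the claim made in the comment above.
import ipaddress

IPv6 = ipaddress.IPv6Address

# Prefix bits cleared, interface-identifier (low 64) bits set.
SUFFIX_MASK = IPv6("::ffff:ffff:ffff:ffff")


def masked(addr: str, mask: IPv6 = SUFFIX_MASK) -> int:
    """Keep only the bits the mask selects, as the netfilter match does."""
    return int(IPv6(addr)) & int(mask)


def suffix_matches(packet_dst: str, rule_addr: str, mask: IPv6 = SUFFIX_MASK) -> bool:
    """The test behind '-d rule_addr/mask': equal in the masked bits only."""
    return masked(packet_dst, mask) == masked(rule_addr, mask)


def ip6tables_rule(rule_addr: str, dport: int, proto: str = "tcp",
                   mask: IPv6 = SUFFIX_MASK) -> str:
    """Render the rule with the ignored prefix bits zeroed, so the address
    shown is exactly what the kernel compares against."""
    return (f"ip6tables -A FORWARD -d {IPv6(masked(rule_addr, mask))}/{mask} "
            f"-p {proto} --dport {dport} -j ACCEPT")


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A): flip the
    U/L bit of the first octet and insert ff:fe between the two MAC halves.
    This is the 'MAC address one': the suffix that stays stable when the
    prefix changes, and that privacy extensions (RFC 4941) replace with a
    random one for outgoing connections."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return str(IPv6(int.from_bytes(iid, "big")))  # rendered as ::xxxx:xxff:fexx:xxxx


def demo() -> dict:
    """Constructed host with MAC 00:11:22:33:44:55 whose ISP prefix is
    renumbered from 2001:db8:1::/64 to 2001:db8:2::/64."""
    iid = eui64_interface_id("00:11:22:33:44:55")      # ::211:22ff:fe33:4455
    rule_addr = "2001:db8:1:" + iid[1:]                 # EUI-64 address, old prefix
    after_renumber = "2001:db8:2:" + iid[1:]            # same host, new prefix
    privacy_addr = "2001:db8:2:0:8c1a:2b3c:4d5e:6f70"   # random RFC 4941 suffix
    return {
        "rule": ip6tables_rule(rule_addr, 443),
        "eui64_still_matches": suffix_matches(after_renumber, rule_addr),
        "privacy_addr_matches": suffix_matches(privacy_addr, rule_addr),
    }
```

`demo()` shows the trade-off in one place: the rule keeps working across a prefix change as long as the host is reached on its EUI-64 address, and silently stops matching the moment the thing you are trying to reach advertises a privacy address instead, which is the failure mode raised a few comments below.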
If you’re using DHCPv6 then the DHCP server should take care of DNS as it would for v4.
Except for devices that randomize MAC addresses. Normally even those that do that only try to do so when connecting to a new network, but that's not always reliable.
> Even if you’re using privacy extensions (and you should) you should still be able to listen on the MAC address one.
I'm doubtful that all applications make that distinction and advertise the right address. If they just use some external "what is my IP" service to determine their address because that's what they did for IPv4 then they'll get the privacy address and advertise that to peers because that'll be picked by default for outgoing connections.
Being able to allow incoming connections to a port for any address belonging to a particular machine would be less error-prone.
Don't waste time with WiFi on the gateway itself, as most WiFi chips you can buy are crippled in firmware for regulatory reasons. Just use a dedicated commercial AP hooked up directly or VLANed.
Once you get comfortable with something like pfSense I highly recommend switching to regular Free/OpenBSD, or Linux depending on what you're comfortable with. I find it much easier to manage a gateway with the entire configuration in version control than a GUI. There aren't that many services that a gateway needs to run.
If you feel like you'll miss pf on the *BSDs check out nftables on Linux. It's not as well documented but it's much less painful than iptables.
To loop this into the UPnP discussion: when you build your own gateway from scratch you have to add a UPnP daemon and configure it yourself, instead of forgetting to disable it and exposing poorly configured IOT stuff.
If I was going the "dedicated machine" route, I'd probably go with OPNsense nowadays.
Not aff'd, just a customer.
Software-wise, pfSense is where it's at, but I don't have experience with their own hardware other than that the ones we ran at work all failed due to a silicon flaw in the Intel SoCs they ran.
Sadly there aren't exactly a lot of alternatives in the hobbyist network setup area... It's basically just Ubiquiti and MikroTik at this point as far as I know.
Recent events suggest that the people behind pfSense are not especially responsible stewards; see https://arstechnica.com/gadgets/2021/03/buffer-overruns-lice... and https://opnsense.org/opnsense-com/ .
I discovered a similar issue as the blog poster with my QNAP NAS which was easily remedied by disabling UPnP.
I’ve not noticed any issues. We can do all the same things we did before. My Xbox and Switch still do online multiplayer just fine.
I remember hearing Xbox/PS3-4 and UPnP mentioned together but it’s been a while.
Nowadays it's not used much and, quite frankly, it was always a fairly bad idea.
I have root access to mine, so I can configure it to my liking, but the device is _not_ blinking out in quality, needing to be reset at least once every 14 days, otherwise it starts choking when I need to transmit my radio stations over the NET.
These types of ISP make a lot of cash selling bulk-purchased cheap hardware, especially mine, which still sells services over copper using VDSL & ADSL2. Their FTTH speeds are also inconveniently capped at VDSL speeds.
My router firewall drops all packets from my NAS to my WAN. Doesn’t matter what software it runs.
Also STUN for VOIP does not increase latency. It tells you your external IP and port.
Edit: Port symmetric —> port restricted
You can port forward of course, but you have to know which ports and obviously it only goes to one static IP
And, don't quote me on this, but most PC games are not Peer-To-Peer. They often come with their own server software.
Heaven forbid you have a PC game and a Xbox game that have conflicting ports.
And, I just have to say: you open arbitrary ports to your game console from the internet and talk about security.
Networks featuring UPNP should be marked as "open/insecure".
Well it sounds like a feature for pro users that know what they are doing and control all devices on the network. Even then, security appliances (eg. from SonicWall) don't support it. I don't know, this is probably a niche feature for a few occasions.
Without UPnP, you specifically have to configure your NAT for this...
While I realize that configuring nftables/iptables is beyond most folks, there are many firewalls out there that have a GUI/webui which makes this dead simple.
Not sure why this should be an issue in 2021, except for users' trained-in helplessness.
Kids hosting games on random ports (terraria, etc.) benefit from UPnP. I'd rather enable it than manually enter firewall rules for each game or give them admin access to the firewall.
UPnP is only an additional risk if you have malware inside your network already and then it mostly allows malware to host services in a simpler way, but capable malware will be able to use TCP hole punching to establish arbitrary connections between infected networks.
I'm not sure where you get that idea. Once a hole is poked (depending on the perimeter device/software in use), it stays poked and you've expanded your attack surface.
I make sure that there's no dynamically defined external access to my network. Can you guarantee that no software in use on your network is free of vulnerabilities? I'm not talking about malware here, just your run-of-the-mill software bugs.
If you think the answer is no, then why don't you share your network details with us and let's have a go? Then we'll see how much of an extra risk upnp might be.
What's that? You'd prefer not to do so? If there's no risk, then it shouldn't be a problem, right?
My suggestion is (obviously, I hope) an idle one and more intended as food for thought.
>Kids hosting games on random ports (terraria, etc.) benefit from UPnP. I'd rather enable it than manually enter firewall rules for each game or give them admin access to the firewall.
That may be a valid use case for you. However, claiming that it doesn't increase your attack surface/risk profile doesn't magically make it so.
I'm not telling you what you should or shouldn't do, but I do disagree with your rationalizations about why allowing upnp to expose your perimeter doesn't increase your risk profile.
The cheap and fast attacks are DDoS and they're trivial to aim at a cable modem. Avoiding becoming a target is at least 50% of security posture. There were already 4286 ssh login attempts today so I don't really need more attempts than the automated botnet scans provide.
It's a risk/convenience tradeoff. I could probably package up a vpn.exe and force the kids' friends to run it before playing games, or force them to host games remotely. It's just not worth it.
I'm also reasonably sure that there are plenty of 0-days in all networks, given their relatively frequent discovery. So, again, don't be more of a target than necessary, and keep offline backups current and tested.
This phrase is a thing of nightmares now. Stay tuned for a really scary Haunted House full of users trained in helplessness...coming Halloween 2021.
Once that happens, there will be government action. Not before.
Meanwhile the top agencies distributing IPv4 blocks ran out of them a decade ago.
Recently it was the time for a lower level agency to run out - for Europe.
There's a lot of things that people don't care about until it's too late. Governments are supposed to be able to plan decades in advance. And they do, for things like digital TV. (And I already gave an example of governments acting to push IPv6.)
CGNAT is causing issues in that some protocols simply don't work properly through them. IPv6 also allows for simpler networking, since you don't have to add the extra abstraction layer that is NAT.
We need something that increases consumer demand for IPv6 if we want this to be dealt with now.
Wouldn't making STUN work be a better alternative?
And TURN is one of those relays.
(I host a STUN and TURN relay myself, because I had to for my personal VoIP server for enough people to be able to connect on it. Downside is more use of bandwidth.)
edit: replaced STUN with TURN where appropriate, I did confuse both as they were provided as a single package.
What's also true, and what I think the GP was trying to get at, is that STUN requires an external coordination server. UPnP (I think—I am far less familiar with it) does not, because in UPnP you're negotiating the holepunching with the local router directly, whereas STUN is sort of using a loophole.
(and it turns out that the server software that I use implements TURN and STUN in the same daemon)
I wanted to do that for a while now. Do you happen to have a good suggestion regarding whose products are worthwhile?
The snafu: https://news.ycombinator.com/item?id=26638145
For the Mobo I suggest finding a decent board (AMD based one if you want ECC RAM) and then use a PCI-e controller card to support the hard drives you need. It is hard to find a nice MB with all the SATA ports you need, using an external card gives you a lot more options. When I researched it everyone recommended an "LSI Logic Controller Card LSI00301 SAS 9207-8i" (eg. https://www.amazon.com/LSI-Controller-LSI00301-9207-8i-Inter...) and it has performed very well for me. If you go that way you'll need a SAS to SATA cable, they are easy to find as well.
Consumers generally trust that manufacturers will follow Best Practices and that security is part of the deal: I pay you money, you give me a quality product that Just Works and is Secure.
Products are made to be sold at a profit. You can imagine that some engineer at that company knows about this problem, put in a Jira bug for it and since it didn't affect overall functionality, and because the product needed to be released as soon as possible, they rejected the bug and sent it off.
By default, we should NOT trust that things are Good and Secure. If we are security conscious, then it's on us as consumers to figure out how to mitigate these problems. Or is it?
If I was this guy, I'd box that thing up and send it back and give the company feedback as to why, and then I'd show them this very blog post.
The manufacturer probably won't care. They know that until the average consumer cares about security and knows how to mitigate problems it won't matter. And we all know that the average consumer, even of technical products, has security habits.
Now if you'll excuse me, I need to go take care of some security stuff on my boxes, this really got me thinking about it!
sudo passwd root
Go to http://NAS_IP/module/api.php?wap/ and it will give your admin password out as an md5crypt hash. Why? I assume it's some sort of backdoor/dev code but I don't know.
- FreeNAS / NAS4free / OpenMediaVault (for Home-NAS)
- OpenWRT / OPNsense / PFSense (for Home-Firewall)
- Dell T20 / T30 / T40
- HP Microserver N54L / Gen8 / Gen10
- Linksys WRT 1200 / 1900 / 3200 / 32X (https://dc502wrt.org/)
- Alix APU
The consistency of FreeBSD is a real benefit here — it's well documented to begin with, and since things change so little between releases, bits and pieces you find online are largely still relevant even if they're a little old.
Same thing with my Internet router. Flash it with non-manufacturer firmware so I can configure it properly.
Its use of ZFS and ability to easily manage multiple "jails" and vms is perfect for a reliable home automation platform!
The only major downside I've found thus far is that you cannot pass USB devices selectively to a jail/VM.
Having Home Assistant as a guest under TrueNAS would be nicer though. Right now there's no data redundancy for Home Assistant.
Mainly because then my containers can run on the metal rather than being limited by Bhyve.
Currently in Alpha. I fired it up in a VM and it had some rough edges still but did manage to create a pool and fire up some containers.
Been running FreeNAS, now TrueNAS, for several years and been happy with that, but not being able to take full advantage of the hardware due to Bhyve has been a pain point.
And don't forget to do all this each time the NAS updates. And pray to whatever entity you wish that auto-updates don't get enabled.
Seriously, after a blunder like this, why not return the device and find a manufacturer you can trust?
Surely, first discovering by happenstance that a device is doing this in the first place, then trying to figure out how to go through idiosyncratic & unsupported means to change the device's behaviour, is significantly less convenient than updating a router/firewall's config rules in supported, standard, predictable ways on occasion?
> My router is an ISP provisioned one so the feature-set there is somewhat limited
My assumption was that their router doesn't support disabling uPnP for a single client, so it's 100% on or 100% off. If they play a significant number of p2p games or use p2p applications with non-predictable ports, it might well be more difficult to do manual port-forwarding when needed than to leave uPnP enabled (or even impossible, depending on what the router can do).
Administrator’s username is admin and the initial password is admin as well. "
Is this article helpful? Yes / No”
At least you change the password...
For at least some of the x86 ones, you just need the right cable to connect to a suitable monitor, and it can boot from a USB drive. You don't need the VGA cable to replace the OS, but it helps a lot. You may have to dismantle the whole thing to get at the boot drive, but they're pretty easy to take apart.
First I did with mine was to install Open Media Vault.
I bought a Fractal Node 304 case (room for 6 drives), put an ITX board in it, a PCIe SATA controller and set it up as btrfs RAID, with CIFS, NFS and FTP. Not a huge outlay and so much better than a hacked-together Pi solution.
It also functions as my DNS and DHCP (Pi-Hole in a Docker container) and since it has hardware video decoding, it works great as an always-on HTPC, which is practical for apartment living.
Personally I also have a node 304 based nas, but I’ve seen plenty of people with low cost Pi setups and no major issues. Plugging a few drives into a Pi is much easier if you don’t have experience with building computers, and is still a couple hundred dollars cheaper than something like that.
Also worth noting that it’s possible to connect PCIe devices to a Pi, although I believe you need a specific model.