Hi there, folks. I hope this post is okay here. I’m trying to do my best to follow the rules and also to have done my homework before I come here with questions, but if this is the wrong place to ask my questions, I’d just like to politely ask for directions for the right place to ask. I recently started test driving Jellyfin in a more limited way on my desktop, and I’m impressed. I’m way on board with building out my library and self hosting the majority of my media consumption. I’m looking into buying a NAS, and it’s not going to break the bank, but it’s still a substantial purchase, and I don’t want to waste money by buying the wrong thing for my needs.

I’m looking at getting something like a UGreen DH4300 NAS with four 8 TB hard drives in RAID 5, which ought to be 24 TB of usable space, if I understand correctly. My primary use case is going to be a Jellyfin server for video, though I might try hosting other media libraries and files there like eBooks and such, through Jellyfin or otherwise. Looking at my Blu Ray shelf, I’ve got about 65 Blu Rays already, some of which are combo packs with 4K and 1080p versions, and once I’ve got a server like this set up, I’m very much inclined to build that library out even more. Currently, I have no screen or drive with which to watch 4K movies (I have a regular Blu Ray drive, a 1080p TV, and my PC monitor tops out at 1440p), but if I’m being mindful of future proofing, whenever my current TV dies, I’ll have more reason for accumulating 4K content. I don’t intend for frequent usage of this Jellyfin server to be by anyone besides my wife and me, and I’d be surprised if I ever had 5 simultaneous users.

So here is where my questions come in.

  1. Is a NAS like the one above strong enough to drive high quality output to even 5 simultaneous users, rare though that use case might be? Other than my regular gaming desktop, which is quite powerful, I also have a Minisforum EM780 mini PC that could potentially drive a media server if that’s necessary/sufficient?

  2. I’ve been reading posts in this community here and there, and I’ve come across a comment or two about security when exposing ports to the outside world. At the risk of being a big dummy, with selective port forwarding, what kind of real risks are there to this? And is there a reasonable way to navigate those risks such that I could regularly access my own Jellyfin server when I’m on the go like I would any third party streaming service? To be clear, this project is still of interest to me even if it’s restricted to my own home network, but it would be a bummer if exposing it to the outside world was particularly ill advised.

  3. I’ve seen measurements of things like decibel levels in reviews and words of caution about power draw, but I’m curious for feedback from folks here about real world noise levels and power draw from a NAS like the one above with HDDs. Is the noise easily ignored when it’s in the same room? I have a small apartment, and there are only so many places I could feasibly put one. Is the power draw noticeable on your electric bill such that you’re particularly mindful of when it’s running?

  4. Any other tips for this project that I might not know that I don’t know?

Thanks!

  • Ludicrous0251@piefed.zip
    3 upvotes · 14 hours ago

    I have a 4 bay Synology NAS and it draws ~50W when running. Not astronomical, but if always going is potentially ~$100/yr. If the disks don’t need to be spinning, it idles at a pretty minimal wattage, so realistically maybe I’m paying half that, but if we’re being frugal it’s a lot of headache for something that’s not much less than just picking 1 streaming service/month and rotating (before you factor in the cost of hardware).

    In terms of drives, a 4k movie is ~50-100 GB, so 24 TB saves you enough space for ~240-480 4k movies. It’s up to you to decide if that’s enough. Last I checked, the optimal $/TB was ~12TB drives, so worth considering starting with fewer larger drives if it works for you.

    In terms of processing capabilities necessary, that kinda comes down to how you consume your content. Encoding audio is trivial. Encoding video is difficult. If you’ll always be playing on devices that can handle the raw HEVC output of bluray disks, then your server CPU doesn’t matter.

    If you want to play on devices that may not be able to handle the full uncompressed content, or stream outside your home network without gobbling up all of your bandwidth, you will need to transcode the video. This can either be done on the fly as content is requested (in which case you probably need a capable CPU), or you can take the time and do it in advance on a PC, and just upload it to the Jellyfin server and request the compatible version when needed.

    Getting in the habit of encoding your own files to your preferred spec or automating it with something like tdarr is time consuming but worth it in that it lets your Jellyfin server be leaner (but takes more space on your NAS).

    For me, I only stream Jellyfin content to one client (my ShieldTV), which is always on my network and capable of playing all video/audio formats I need. For that reason, I have a raspberry pi as my Jellyfin server because it doesn’t need to do anything more than download cover art and serve files.

    I can’t speak to the sound levels of the specific NAS you’re looking at, but if you’ve ever owned a computer with 3.5" HDDs (I’m guessing you have), you’re familiar with the brr brr brr seeking hum & low grumble they do when moving files around. That’s the main source of noise and it’s primarily when you’re using them (aka watching a movie) so it’ll probably blend into the background. But I wouldn’t put one next to my bed.

  • Talos@sopuli.xyz
    2 upvotes · 16 hours ago

    As for the secure use outside your home, see if you can install TailScale on that NAS. I use it on mine, it’s like having a Wireguard VPN but you don’t have to mess with port forwarding. The only downside is that to connect to your NAS from outside your LAN, you’ll have to be on a device that’s also running TailScale, but if it’s a device you own that’s easy to set up.

  • ryokimball@infosec.pub
    5 upvotes · 23 hours ago

    I have a much older NAS with not a lot of compute power, but its only purpose is to share data. I have a Proxmox server that connects to the NAS through NFS and does the actual transcoding, etc.

    • phanto@lemmy.ca
      2 upvotes · 16 hours ago

      I have a really cheap old as the hills desktop with an ancient Quadro GPU in it connected via a decently expensive but also used 10gb NIC to my NAS which is running Proxmox and a bunch of containers, but the two interesting ones are a Tailscale exit node and Jellyfin. The Jellyfin gets the GPU via pass through, and I get 1080p on tap anywhere in my house with no fuss no muss, and I can use the Tailscale app, connect, and act like I’m in my house from anywhere else, including other continents. Noticeable delay on play and pause on media if I’m on the other side of the planet, but that’s it for limitations.

  • Decronym@lemmy.decronym.xyz (bot)
    3 upvotes · 6 hours ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    HTTP            Hypertext Transfer Protocol, the Web
    IP              Internet Protocol
    NAS             Network-Attached Storage
    NFS             Network File System, a Unix-based file-sharing protocol known for performance and efficiency
    SSH             Secure Shell for remote terminal access
    VPN             Virtual Private Network

    [Thread #1011 for this comm, first seen 20th Jan 2026, 22:55]

  • illusionist@lemmy.zip
    3 upvotes · 22 hours ago

    An open port is a door to the service. The service needs a vulnerability and then an attacker can abuse that. Oftentimes multiple vulnerabilities are used in an attack. Attacks can become public years after they were found. Just because nothing is public doesn’t mean that it’s not there. What can an attacker gain if he enters your server?

    https://app.opencve.io/cve/?product=jellyfin&vendor=jellyfin

    If you want to know what happened to people who opened their ports in the past, look in the Lemmy and Reddit selfhosted subs for the posts about it. I am not aware of a single post in the last x years about someone complaining that his Jellyfin media library was encrypted and she shall pay a sum x for the encryption keys.

    • ampersandrew@lemmy.world (OP)
      2 upvotes · 22 hours ago

      So then if I’m evaluating a worst case for what I plan to use this NAS for, it would be that an attacker gains access to movies that I have on my shelf, CDs that I have on my shelf, books that I’d have the right to redownload as long as the place I bought them from is still in business, and my own save files for DRM-free video games that Heroic Games Launcher currently tells me not to rely on them for syncing back to GOG.com. At which point, if some attacker found a vulnerability and locked my NAS from me, they’d have caused me an annoyance in that I’d have to reformat those drives and re-rip that media. With no sensitive information intended to be on this thing, it seems pretty low risk, right?

      • illusionist@lemmy.zip
        3 upvotes · 22 hours ago

        That’s one risk. Someone could use it for a bot net or other attacks. Or he could try to escape the device and hack into other devices on the LAN. But also, it depends on the reward that a hacker can get. Is the expected reward worth the work to hack into your server?

        I’m not saying it’s low risk because then you could/would blame me if something happens.

  • kumi@feddit.online
    2 upvotes · 21 hours ago

    One way to go about the network security aspect:

    Make a separate LAN (optionally: VLAN) for your internals of hosted services. Separate from the one you use to access internet and use with your main computer. At start this LAN will probably only have two machines (three if you bring the NAS into the picture separately from JF):

    • The server running Jellyfin. Not connected to your main network or internet.

    • A “bastion host” which has at least two network interfaces: One connected outwards and one inwards. This is not a router (no IP forwarding) and should be separate from your main router. This is the bridge. Here you can run (optional) VPN gateway, SSH server. And also an HTTP reverse proxy to expose Jellyfin to outside world. If you have things on the inside that need to reach out (like package updates) you can have an HTTP forward proxy for that.

    When it’s just two machines you can connect them directly with LAN cable, when you have more you add a cheap network switch.

    If you don’t have enough hardware to split machines up like this you can do similar things with VMs on one box but that’s a lot of extra complexity for beginners and you probably have enough of new things to familiarize yourself with as it is. Separating physically instead of virtually is a lot simpler to understand and also more secure.

    I recommend firewalld for system firewall.
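
Added example (not part of kumi's comment or of anyone's setup in this thread): a small audit for the bastion host described above, checking that it is not forwarding packets and that nothing beyond the intended services listens on its outward-facing side. The addresses, port numbers and function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: audit of a two-homed bastion host. Addresses, ports and
# function names are assumptions for illustration, not from the thread.

OUTER_ADDR="192.168.1.10"   # assumed: bastion's address on the main LAN
OUTER_ALLOWED="22 443"      # assumed: SSH and the HTTPS reverse proxy

# Succeeds only if the given sysctl file reads 0 (kernel is not routing).
forwarding_disabled() {
    [ "$(cat "$1")" = "0" ]
}

# Reads `ss -Htln` output on stdin. Prints each TCP listener that the outer
# network can reach (bound to the outer address or a wildcard) on a port
# outside the allow-list. Loopback and inner-only listeners are ignored.
exposed_listeners() {
    awk -v outer="$OUTER_ADDR" -v allowed="$OUTER_ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            ep = $4                                   # local address:port
            port = ep; sub(/.*:/, "", port)           # after the last colon
            addr = ep; sub(/:[^:]*$/, "", addr)       # before the last colon
            wild = (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            if ((wild || addr == outer) && !(port in ok)) print ep
        }'
}

# Live check for a Linux bastion: prints one FAIL line per finding.
audit() {
    for f in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding; do
        [ -e "$f" ] || continue
        forwarding_disabled "$f" || echo "FAIL: $f is not 0 (host is routing)"
    done
    ss -Htln | exposed_listeners | sed 's/^/FAIL: reachable from outer LAN: /'
}

# Constructed `ss -Htln` sample: the forward proxy on 3128 is meant to be
# inner-only, and 8096 (Jellyfin's default HTTP port) should never be
# published on the bastion directly, only through the 443 reverse proxy.
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 511  192.168.1.10:443 0.0.0.0:*
LISTEN 0 128  10.10.0.1:3128   0.0.0.0:*
LISTEN 0 128  127.0.0.1:631    0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8096     0.0.0.0:*
LISTEN 0 128  [::]:3128        [::]:*'

if [ "${1:-}" = "--live" ]; then
    audit
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners   # flags 0.0.0.0:8096 and [::]:3128
fi
```

The listing is TCP-only; a VPN gateway such as WireGuard listens on UDP, so its port would need the same check against `ss -Huln` output.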

    • ampersandrew@lemmy.world (OP)
      1 upvote · 21 hours ago

      I’m not a total networking noob, but I definitely have some homework to do based on this write-up. Thanks.

  • spaghettiwestern@sh.itjust.works
    1 upvote · 20 hours ago

    I’m no security expert and my biggest concern with self-hosting is making a configuration error in the OS or some app, or missing a critical update that allows someone access to my personal data. In order to reduce the attack surface and management requirements my network can only be accessed through Wireguard. The random open WG ports do not respond to unauthenticated packets, so someone would have to have access to my configurations to be able to get past my firewall, at least in the absence of some yet unknown vulnerability. Of course that won’t prevent mistakes being made on PCs (especially Windows) but it’s one less thing to worry about.

    Wireguard clients on our PCs and phones make connecting and accessing media and files a breeze. There are no third parties involved so enshittification by some company’s security breach or sudden monthly fee isn’t going to happen.

    I have a Bosgame mini-PC that is completely inaudible unless you get close to it. Power draw is <15 watts under light load meaning that even with the high electricity rates where I live it costs less than $3.50 a month to operate. I’ve avoided hard drives because I don’t want to listen to them whine, so no comment there. Two simultaneous 1080p Jellyfin streams increase CPU utilization by less than a percent and it still is under 5% with a couple of other Docker containers running.

    Good luck setting everything up to your liking.

    • ampersandrew@lemmy.world (OP)
      1 upvote · 20 hours ago

      Thanks! I feel pretty good about the power draw based on what you wrote, even though HDDs are going to add to that, and that’s good to hear about the mini PC running Jellyfin, which gives me some hope for the on-board server in a NAS like the one I’m eyeing. And even if that doesn’t work out, I’ve got my own mini PC that I should be able to leave in place most of the time.

  • Jeena@piefed.jeena.net
    1 upvote · 22 hours ago

    I installed Jellyfin on my Synology and it works very well for a bit and then it gets stuck and Synology stops the Docker container and you need to start it again. So every time me and the wife sit down to watch a movie it doesn’t work, while when I test it then it works. I had to switch to rygel on my PC quickly so that we could watch the movie this day.

  • trewq@lemmy.world
    1 upvote · 23 hours ago

    Q2 uses VPN. That way you’re not exposing Jellyfin. I have WireGuard on my router.

    • ampersandrew@lemmy.world (OP)
      3 upvotes · 23 hours ago

      Sorry, but the SEO on “Q2” is pretty bad. What are you referring to? And what are the actual risks of a port being exposed to the outside world via an off-the-shelf router? Surely they can always hit my IP, and if this port is only exposed for Jellyfin, it would be just as vulnerable as any other port that calls out, right? I ask that knowing that it must be wrong, but I don’t understand how.

      • illusionist@lemmy.zip
        4 upvotes · 23 hours ago

        There is always risk with exposing something to the Internet or untrusted people. You need to take steps to mitigate the risk.

        • Make sure you patch
        • make sure you only expose as little as possible
        • use https/tls
        • have good, automated, tested backups to media that gets disconnected!
        • having access logs enabled
        • Isolate and separate from any private/internal stuff as much as possible.
          • Separate hardware
          • separate VLANs
          • separate VMs

        https://www.reddit.com/r/selfhosted/comments/yc2wmd/is_it_dangerous_to_open_http_ports_to_the_world/

        • trewq@lemmy.world
          2 upvotes · 22 hours ago

          That’s why my reply was to use a VPN. Wireguard is silent, so it won’t respond without a valid key, and Jellyfin is not directly exposed to the whole world as it is behind the VPN.

        • ampersandrew@lemmy.world (OP)
          1 upvote · 23 hours ago

          Oh, sorry, haha. There’s a lot of jargon thrown around in a place like this, and I thought this was one I missed.

          • trewq@lemmy.world
            2 upvotes · 22 hours ago

            No worries, sorry for using shorthand. I was on my phone and I always misclick with the soft keyboard, so I tend to use shorthand there.

    • Jeena@piefed.jeena.net
      1 upvote · 22 hours ago

      So how do you deal with the fact that so many services on the phone tell you to turn off VPN to use them? I’m turning the VPN off and on several times a day on my phone and am always annoyed about it, because I need it on so I can get notifications and calls from my parents’ home network.

      But every time I need to pay with Samsung Pay I have to turn it off, every time I want to log in to a government website I have to use this 2FA PASS app here in Korea and I have to turn the VPN off.

      So often I forget to turn it on again, it’s so annoying, that this alone makes me want to put my stuff directly on the internet without a VPN and just keep stuff updated.

        • Jeena@piefed.jeena.net
          1 upvote · 21 hours ago

          But those services detect that I have VPN on and force me to turn it off, otherwise they just exit.

          • non_burglar@lemmy.world
            1 upvote · 7 hours ago

            My VPN tunnel automatically turns on when I leave my home lan. All traffic is tunneled and leaves my home network.

            Are you able to use the internet with VPN turned on when you’re out and about? You may simply need to set that.

            • Jeena@piefed.jeena.net
              1 upvote · 6 hours ago

              Yes I always have it on, both when I’m at home and away. The problem is that when I try to pay something with Samsung Pay, the Samsung Pay app tells me to turn off the VPN before I can use it.

          • trewq@lemmy.world
            1 upvote · 20 hours ago

            Sorry, I don’t have an answer. Here I mostly tap with cc and bank apps. The only problem is the gov app, which refused to work because I use GrapheneOS. For the gov app, there’s no issue when I open it on iPhone, and my VPN runs all the time there too.

            • Jeena@piefed.jeena.net
              1 upvote · 16 hours ago

              That sounds too good to be true :D I’m also really interested in GrapheneOS but I never pulled the trigger. Perhaps I need to buy a used Pixel to try whether all the things I need work.