Monthly Archives: 

January 2018

NAS Review: TerraMaster F5-420: Some nice touches, but not worth the risk

won’t let me write a review because I got a price other customers can’t
get — I double upped a publicly available coupon with a Lightning deal.
Not my fault. But I took the time to prepare to warn people, so I’m
writing this anyway.)

TL;DR: Seemingly acceptable hardware
perceived as untrustworthy and unreliable due to numerous unprofessional
and unreliable software engineering behaviors on display. I just can’t
trust it.

My 2TB 2-bay NAS is
getting a bit long in the tooth. For many things, my QNAP TS-220 still
works great after four and a half years. But capacity wise it’s no
longer there. Along with half the NAS-friendly US population, I picked
up the easy shuckable BestBuy-exclusive WD Easystore external 8TB
harddrives — but discovered that my TS-220 came with incompatible bays.
Rather than spend $80 on new drive caddies, I started a months long idle
browsing process, seeking something newer and more powerful. Mostly I
had been focusing on QNAP and Synology, because who hasn’t heard of QNAP
and Synology. I was wrestling with the price point, however —
especially as I jumped from looking at the 453B to the TVS series. So
when TerraMaster popped up with “not as well known” reviews, I did
remember the brand, but considered them only casually. The lack of
documentation and reviews means there aren’t as many forum posts or
reviews even mentioning the F5-420 (go look, and see how quickly you
start getting results for the F2 instead).

Then I hit pay dirt.
The Amazon app, that evil money-sucking-pocket-demon, alerted me to a
$99 off lightning deal on the Noontec TerraMaster. I poked around, and
was astonished to see NOONTEC was ALSO offering a $100 off coupon — and
free headphones, but I could only redeem one coupon. $300 for a FIVE bay
system that should be roughly as powerful as the QNAP TS-453 I had been
considering, and the higher RAM model at that? Done!

It arrived
the next day! And sat for almost a month before I had time to try it
out. I scanned my hard drives, discovered four out of 6 of the 8TB
drives were actually WD REDs, meaning there was only a risk the case
wouldn’t support 2 of WD white label drives. Finally, I had a chance to

PACKAGING: 5/5 – Some wasted space, but generally good
layout. Bagged screws identifying 3.5″ (“HDD”) vs. 2.5″ (“SSD”)
compatibility (with spares leftover); a SCREWDRIVER! Taking it out, it
just feels well put together. I’m a big fan of a metal case!

3/5 – … And then you discover the non-locking trays (known) are flimsy
plastic affairs. They verged on wiggling while I was mounting the hard
drives. I appreciated the dual ethernet ports, although I don’t
currently have a need for them. Given the size of the overall unit
versus the size of the individual drive bays, I’m not surprised they had
to use an external power brick — but I still don’t love external power
bricks. The biggest physical drawback is definitely the trays,
especially when contrasted with the metal case. I always felt I was on
the verge of destroying the tray when I put it in or took it out.
Hopefully, though, you wouldn’t have to do that too often.

4/5 – The sound from the system itself (the fan, mostly) wasn’t
noticeably audible at any point. The hard drives, however, were. I can’t
be sure that a better job could have been done, but it definitely
didn’t feel like there was any attempt to dampen the interior sound.

1/5 –  Up until when I went to configure the device, I only felt
slightly awkward about using the hardware. I’ve backed Kickstarter
campaigns — hardware is HARD. A little bit of “immaturity” in case
design is a minor problem, and I was impressed with the ease of
connecting to the backplate. So, there was still a change. Then I went
to their website (… and started wondering
what level of company I was working with. I have an SSL certificate.
Sure, it’s from Let’s Encrypt, but it’s not hard to do. I tried to visit
their HTTPS page, and it was rejected. Their corporate website
( has the same issue. I’ve seen startups with more
secure websites. Now, admittedly, I wasn’t sending private information
over the wire — but I was left with an increasing level of skepticism. I
selected my model from the drop-down (seemingly randomly ordered), and
clicked next — where I got my second surprise. The download link for the
manual had a sibling link (“Download Link 2”) pointing to Dropbox. From
past experience, I know that internet connections from China to the
rest of the world are not 100% reliable, and can understand why they’d
want a backup — but using DropBox just registered as surprisingly
unprofessional. A second VPS, perhaps, with nothing but the long-lived
content? There are ways to do this…

Clicked through, and download — again, with the second link being
via Dropbox. (A quick diagnosis by me now makes me think they’re using
their “connect remotely to your TNAS” functionality to host these files…
which is surprisingly clever, but doesn’t save the feeling). What’s the
contents of Huh.
That’s… scary.

In my day job, I program. Or engineer. Or sometimes
go to meetings. But for several years off and on, I’ve been using a
product called “Visual Studio” to write software. And what was in that
zip file was CLEARLY the zipped output from a build. Some highlights:

  • TerraMaster.vshost.exe
    – VS creates a “{appName}.vshost.exe” to serve as the virtual process
    that it can debug through. It started in VS2005, and it only really
    affects engineers… unless your software team is so amateur you don’t pay
    attention to your build artifacts. For the curious: MSDN article on the subject. Now, this file won’t break the application — it just shouldn’t be there.
  • TerraMaster.exe.CodeAnalysisLog.xml
    – Okay, this one might be more concerning. If I was going to attack
    this app, this gives some idea where. It calls out unsecure — or
    possibly unsecure — coding practices. Now, this isn’t the software
    running on the TNAS itself, but it’s a hint of an engineering culture.
    Good: they use code analysis tools! Bad: they seem to be making some
    really curious choices about P/Invoked APIs…
  • Newtonsoft.Json.dll – Hey! I use this a lot! Version 9… wait, that’s at least a year old. Might not be an issue, but still…
  • TerraMaster.application
    – Well, that makes no sense whatsoever. That’s a ClickOnce deployment
    manifest… For those less embedded in Windows development: ClickOnce
    isn’t great for end-user software, but it’s killer for Line-of-Business
    applications. ClickOnce provides you with a mechanism where you can
    create a stub application which will automatically update on publication
    of a new version. Think App Store type model, but without central
    control. However, this manifest doesn’t point even to Terramaster’s
    unsecure website, so there’s zero reason for it to be there.
  • Copyright date: 2015. Wait, what? Version
  • TerraMaster.exe.config
    – Well, that’s mostly normal and boring and why are there fields down
    here for UserName and Password? Is that how this is configured to store
    the information locally?? And why is jitDebugging=”true”?
  • TerraMaster.pdb – Debug symbols? Really?

of these things are inherently dangerous — but most of them shouldn’t
be there! Newtonsoft.Json.dll is a REASONABLY new version, and upgrading
arbitrarily can introduce risks, so that’s okay. And
TerraMaster.exe.config is even expected. But I would never expect to see
a PDB file in a shipped product (you can capture a memory dump without
it!). The CodeAnalysisLog and the .vshost.exe are just ridiculous.
Someone with less knowledge might just wonder which to click (which is
what they tweeted at me at Twitter when I complained), but for me, it
was a bunch of signs for an amateur engineering organization.

As I’m writing this, I went back through the
flow — and version 3.1 of the software has since been released! This has
a proper installer and MSI, but, for me, the damage is done.

2/5 – So I used the app to find the IP address for the Terra-Master
F5-420. It was reasonably fast to do so. The app hinted at other
functionality (file management), but I wasn’t inclined to try and see if
the apparent images were actually clickable. I just double clicked the
listed device, and it launched Internet Explorer. Not my default
browser, mind you: it’s apparently hard coded to launch INTERNET
Yes, if you’re on any version of Windows from the last fifteen years
you’re guaranteed that it will be installed… but Windows does a kick-ass
job with executing “” based on the default
handler — at least for the last ten years. Who the hell launches
Internet Explorer?

I grab the web link and hop over to Firefox,
and start the configuration process. It asks me to register my own email
address, which only allows you 30-60 seconds to receive the email and
enter the verification code. This is email, which is by definition a
best-effort, non-real-time communication medium. I timed out twice and
then gave up (another black mark). It identified my installed drives
(both — I only had two installed on this first attempt), and prompted me
to select drives and define which RAID level I wanted. I clicked
through, there was a nice progress ring, and then I was in. It then
prompted me if I wanted to update the firmware to 3.1! Sure! If it was
broken, I wanted to know anyway. I approved the installation, the device
restarted, I went back in and WTF. Launch the Control Panel, and
there’s an unformatted list of links. Click into one, and it’s a little
better — the content is there, even if broken. I deleted the RAID
cluster I had temporarily formed, and turned the entire unit off to add
three more drives. Turned it back on… and have to go through the
initialization steps again. Apparently it doesn’t do well if you delete
all the storage, which is alarming. Go to try to create a RAID6, and the
UI just… doesn’t work. The drop downs are visible, but changing the
value doesn’t always work. Try to enable encryption, and SOMETIMES it
prompts you for your password. SOMETIMES. The Create button doesn’t
consistently work, either. I was rapidly losing patience at this point.

gave up, and came back the next day. I opened the F12 debug tools in
Firefox to observe network activity (my theory was that it wasn’t
loading either a CSS or Javascript file) — but no 404s. Continued trying
to use the broken UI, and almost threw the entire unit out the window.
Then I remembered there was another option: I hit Ctrl+F5, which forces
the entire site to reload, forcing a refresh of the cache… and things
magically started working. What does this tell me? Noontec’s engineers
don’t properly version their resource files, and set an entirely too
long TTL for a local-network device. The UI was broken because I had
logged in — once — the day before to the previous version. They have no
version qualification in their resource paths (which would automatically
force a reload), and have a minimum of several hours in their
time-to-live (I assume at least 24 hours) for a device typically on a
local network. Is this bad? No. Again, it’s amateur. On a
public website, you wouldn’t go back to it — depending on when you last
visited, the entire site would stop working. For static content, this
isn’t as big a deal. For dynamic, interactive content, this is crippling
— hence I almost couldn’t test it out. Once I figured out THEIR bug, I
was finally able to configure a 5-drive RAID array and get down to
testing it.

PERFORMANCE: 3/5 – This may be an unfair rating, and
partially arbitrary. Once I have another device I can configure in a
RAID5/RAID6, I’ll update this.

Read performance pretty much
saturates the 100MBps Gigabit ethernet connection. I tested via an
isolated subnet behind a router (the Archer C7) supporting no other
devices, connected via CAT6 cables. I used LAN Speed Test (registered!)
to try a random assortment of 20 file sizes between 2MB and 5 GB written
to the default public share on the TNAS device, with Network Recycle
Bin turned on. The TNAS was not otherwise doing anything, nor was the
source desktop. LAN Speed Test writes a file, then reads it back to
verify it, then deletes it. I tried against four different RAID
configurations, all with the same 5 8TB drives; in all cases I waited
while the drives configured, then restarted the TNAS, then waited until
the TNAS web interface indicated the array was “Good.” I tried: RAID5,
RAID5 with encryption, RAID6, and RAID6 with encryption.

results vary far more wildly than the unencrypted results. READ speeds
for both RAID5 and RAID6 hovered above 95MB/s at all file sizes. WRITE
operations on both RAID5 and RAID6 were about 50MB/s, clearly not
saturating the network bandwidth, and likely constrained by the
requisite parity calculations. Surprisingly, RAID6’s two distinct parity
calculations didn’t more significantly impact throughput — but I don’t
have CPU utilization information for this time, so I can’t guarantee
that two cores were involved in RAID6 versus only one for RAID5.

Encrypted READS were closer to 90MB/s — with a single customer. WRITE speeds similarly dropped by about 5MB/s.

RAID5/Encrypted had a lot more noise than any other, I did a second run
against RAID5 with encryption enabled — but this time with 100 samples.

While these numbers bore out the same general indicators, it also was very noisy, and lead me into my next set of data.

With encryption enabled, the CPU utilization on all cores are hammered at about the same rate:

you notice, all four CPUs show a nearly identical noise pattern, with
frequent spikes to 100% utilization. What was I doing? I had the TNAS
web interface open to capture this data, and was running the
aforementioned RAID5/encrypted speed test. This tells me the device may
support RAID and encryption — but it’s not designed for it. But this is a
$500 (or to me, $300) device, so the fact that it’s not built for
hardcore processing isn’t a dreadful black mark.

So why 3/5, and
why the equivocation? I believe the CPU load and the saturation point on
the RAID5/6 for writes is too high. But until I have another “recent”
device to compare it to, it’s just whim. Read speeds seem fine. I
expected RAID5 write speeds to be higher than RAID6 (should be 3x slower
than a direct write due to the parity block, with RAID6 4x slower).
But… I could be wrong.

APPLICATIONS: 1/5 – Just as with Qnap and
Synology devices, Terra-Master OS devices (“TNAS” devices) have
available a list of web-installer apps for extending the functionality
of the TOS3. The list of available apps is nearly impossible to find
online (I couldn’t find it while shopping, at least), so here’s the
list. Please note the number of apps with “v1.0”, meaning they’ve NEVER

  • Emby Server v3.2
  • Elephant Drive v3.1
  • Transcoding v1.0, Description “null”
  • Mail Server v1.0
  • MySQL Server v1.0
  • Transimission v1.0
  • WordPress v4.8.1 (current: 4.9.2)
  • SugarCRM v6.5.23
  • Apache Tomcat v1.2
  • Node.js v5.8 (current: 8.9.4LTS, 9.4.0 Current)
  • rclone v1.37

    iTunes Server v1.1

  • Aria2 v1.32
  • DLNA Media Server v1.1.5
  • Net2FTP

    Gcc Build tools v1.0

  • SVN
    Server v1.0 (“Version management tool, which is frequently used in the
    software development project and can realize storage, sharing and
    privilege management of history versions such as codes and documents.”)

    Java Virtual Machine v1.0

  • Plex Media Server v1.10
  • Dropbox Sync v41.4.80
  • Clam Antivirus v1.0

short: 21 apps. One without any description. At least two painfully out
of date. One which has such poor information (“null”) I’m not even sure
why I should install it. Java is currently on version 10, not 1.0. I
didn’t bother tracking down the others. The selection is just dismal —
but it is there. You can even login via SSH and install your own apps —
but if you want apps that are already configured to work with your NAS?
You’re out of luck.

CONCLUSION: 2/5 – A good external case and
polite packaging (they include a screwdriver!) was brought down by cheap
plastic trays; solid READ performance was brought down by unexpectedly
low WRITE performance; and the nail in the coffin was the numerous small
unprofessional choices their engineering choices make.

mentioned the installation package issue and the CSS issue to a friend,
and his response was, “This is the product you’re going to trust your
data to?” He’s right. When it comes right down to it, I do not feel
comfortable trusting this unit with my data — even though I have other
offsite backups. In my delusional moments, I want docker and
virtualization support and to be able to play with it — but I am not
going to complain that this device doesn’t have what it doesn’t have.
But a certain level of polish is expected for me to trust irreplaceable
data to a unit, and there was just one too many cases of rolling my eyes
and shaking my head at the “amateur hour” exhibition. Even the new 3.1
discovery software — now with installer! — is unsigned, and the MSI is
authored by “Default Company Name”, created on “6/21/1999”. This might
be a fine device if I just want to play with it — but I can’t trust it.