NAS Review: TerraMaster F5-420: Some nice touches, but not worth the risk

(Amazon won’t let me write a review because I got a price other customers can’t get — I double upped a publicly available coupon with a Lightning deal. Not my fault. But I took the time to prepare to warn people, so I’m writing this anyway.)

TL;DR: Seemingly acceptable hardware perceived as untrustworthy and unreliable due to numerous unprofessional and unreliable software engineering behaviors on display. I just can’t trust it.

My 2TB 2-bay NAS is getting a bit long in the tooth. For many things, my QNAP TS-220 still works great after four and a half years. But capacity wise it’s no longer there. Along with half the NAS-friendly US population, I picked up the easy shuckable BestBuy-exclusive WD Easystore external 8TB harddrives — but discovered that my TS-220 came with incompatible bays. Rather than spend $80 on new drive caddies, I started a months long idle browsing process, seeking something newer and more powerful. Mostly I had been focusing on QNAP and Synology, because who hasn’t heard of QNAP and Synology. I was wrestling with the price point, however — especially as I jumped from looking at the 453B to the TVS series. So when TerraMaster popped up with “not as well known” reviews, I did remember the brand, but considered them only casually. The lack of documentation and reviews means there aren’t as many forum posts or reviews even mentioning the F5-420 (go look, and see how quickly you start getting results for the F2 instead).

Then I hit pay dirt. The Amazon app, that evil money-sucking-pocket-demon, alerted me to a $99 off lightning deal on the Noontec TerraMaster. I poked around, and was astonished to see NOONTEC was ALSO offering a $100 off coupon — and free headphones, but I could only redeem one coupon. $300 for a FIVE bay system that should be roughly as powerful as the QNAP TS-453 I had been considering, and the higher RAM model at that? Done!

It arrived the next day! And sat for almost a month before I had time to try it out. I scanned my hard drives, discovered four out of 6 of the 8TB drives were actually WD REDs, meaning there was only a risk the case wouldn’t support 2 of WD white label drives. Finally, I had a chance to install.

PACKAGING: 5/5 – Some wasted space, but generally good layout. Bagged screws identifying 3.5″ (“HDD”) vs. 2.5″ (“SSD”) compatibility (with spares leftover); a SCREWDRIVER! Taking it out, it just feels well put together. I’m a big fan of a metal case!

PHYSICAL: 3/5 – … And then you discover the non-locking trays (known) are flimsy plastic affairs. They verged on wiggling while I was mounting the hard drives. I appreciated the dual ethernet ports, although I don’t currently have a need for them. Given the size of the overall unit versus the size of the individual drive bays, I’m not surprised they had to use an external power brick — but I still don’t love external power bricks. The biggest physical drawback is definitely the trays, especially when contrasted with the metal case. I always felt I was on the verge of destroying the tray when I put it in or took it out. Hopefully, though, you wouldn’t have to do that too often.

SOUND: 4/5 – The sound from the system itself (the fan, mostly) wasn’t noticeably audible at any point. The hard drives, however, were. I can’t be sure that a better job could have been done, but it definitely didn’t feel like there was any attempt to dampen the interior sound.

INSTALLATION: 1/5 –  Up until when I went to configure the device, I only felt slightly awkward about using the hardware. I’ve backed Kickstarter campaigns — hardware is HARD. A little bit of “immaturity” in case design is a minor problem, and I was impressed with the ease of connecting to the backplate. So, there was still a change. Then I went to their website (… and started wondering what level of company I was working with. I have an SSL certificate. Sure, it’s from Let’s Encrypt, but it’s not hard to do. I tried to visit their HTTPS page, and it was rejected. Their corporate website ( has the same issue. I’ve seen startups with more secure websites. Now, admittedly, I wasn’t sending private information over the wire — but I was left with an increasing level of skepticism. I selected my model from the drop-down (seemingly randomly ordered), and clicked next — where I got my second surprise. The download link for the manual had a sibling link (“Download Link 2”) pointing to Dropbox. From past experience, I know that internet connections from China to the rest of the world are not 100% reliable, and can understand why they’d want a backup — but using DropBox just registered as surprisingly unprofessional. A second VPS, perhaps, with nothing but the long-lived content? There are ways to do this…

Clicked through, and download — again, with the second link being via Dropbox. (A quick diagnosis by me now makes me think they’re using their “connect remotely to your TNAS” functionality to host these files… which is surprisingly clever, but doesn’t save the feeling). What’s the contents of Huh. That’s… scary.

In my day job, I program. Or engineer. Or sometimes go to meetings. But for several years off and on, I’ve been using a product called “Visual Studio” to write software. And what was in that zip file was CLEARLY the zipped output from a build. Some highlights:

  • TerraMaster.vshost.exe – VS creates a “{appName}.vshost.exe” to serve as the virtual process that it can debug through. It started in VS2005, and it only really affects engineers… unless your software team is so amateur you don’t pay attention to your build artifacts. For the curious: MSDN article on the subject. Now, this file won’t break the application — it just shouldn’t be there.
  • TerraMaster.exe.CodeAnalysisLog.xml – Okay, this one might be more concerning. If I was going to attack this app, this gives some idea where. It calls out unsecure — or possibly unsecure — coding practices. Now, this isn’t the software running on the TNAS itself, but it’s a hint of an engineering culture. Good: they use code analysis tools! Bad: they seem to be making some really curious choices about P/Invoked APIs…
  • Newtonsoft.Json.dll – Hey! I use this a lot! Version 9… wait, that’s at least a year old. Might not be an issue, but still…
  • TerraMaster.application – Well, that makes no sense whatsoever. That’s a ClickOnce deployment manifest… For those less embedded in Windows development: ClickOnce isn’t great for end-user software, but it’s killer for Line-of-Business applications. ClickOnce provides you with a mechanism where you can create a stub application which will automatically update on publication of a new version. Think App Store type model, but without central control. However, this manifest doesn’t point even to Terramaster’s unsecure website, so there’s zero reason for it to be there.
  • Copyright date: 2015. Wait, what? Version
  • TerraMaster.exe.config – Well, that’s mostly normal and boring and why are there fields down here for UserName and Password? Is that how this is configured to store the information locally?? And why is jitDebugging=”true”?
  • TerraMaster.pdb – Debug symbols? Really?

None of these things are inherently dangerous — but most of them shouldn’t be there! Newtonsoft.Json.dll is a REASONABLY new version, and upgrading arbitrarily can introduce risks, so that’s okay. And TerraMaster.exe.config is even expected. But I would never expect to see a PDB file in a shipped product (you can capture a memory dump without it!). The CodeAnalysisLog and the .vshost.exe are just ridiculous. Someone with less knowledge might just wonder which to click (which is what they tweeted at me at Twitter when I complained), but for me, it was a bunch of signs for an amateur engineering organization.

UPDATE: As I’m writing this, I went back through the flow — and version 3.1 of the software has since been released! This has a proper installer and MSI, but, for me, the damage is done.

USAGE: 2/5 – So I used the app to find the IP address for the Terra-Master F5-420. It was reasonably fast to do so. The app hinted at other functionality (file management), but I wasn’t inclined to try and see if the apparent images were actually clickable. I just double clicked the listed device, and it launched Internet Explorer. Not my default browser, mind you: it’s apparently hard coded to launch INTERNET EXPLORER. INTERNET EXPLORER. I’ll say that again: INTERNET EXPLORER. Yes, if you’re on any version of Windows from the last fifteen years you’re guaranteed that it will be installed… but Windows does a kick-ass job with executing “” based on the default handler — at least for the last ten years. Who the hell launches Internet Explorer?

I grab the web link and hop over to Firefox, and start the configuration process. It asks me to register my own email address, which only allows you 30-60 seconds to receive the email and enter the verification code. This is email, which is by definition a best-effort, non-real-time communication medium. I timed out twice and then gave up (another black mark). It identified my installed drives (both — I only had two installed on this first attempt), and prompted me to select drives and define which RAID level I wanted. I clicked through, there was a nice progress ring, and then I was in. It then prompted me if I wanted to update the firmware to 3.1! Sure! If it was broken, I wanted to know anyway. I approved the installation, the device restarted, I went back in and WTF. Launch the Control Panel, and there’s an unformatted list of links. Click into one, and it’s a little better — the content is there, even if broken. I deleted the RAID cluster I had temporarily formed, and turned the entire unit off to add three more drives. Turned it back on… and have to go through the initialization steps again. Apparently it doesn’t do well if you delete all the storage, which is alarming. Go to try to create a RAID6, and the UI just… doesn’t work. The drop downs are visible, but changing the value doesn’t always work. Try to enable encryption, and SOMETIMES it prompts you for your password. SOMETIMES. The Create button doesn’t consistently work, either. I was rapidly losing patience at this point.

I gave up, and came back the next day. I opened the F12 debug tools in Firefox to observe network activity (my theory was that it wasn’t loading either a CSS or Javascript file) — but no 404s. Continued trying to use the broken UI, and almost threw the entire unit out the window. Then I remembered there was another option: I hit Ctrl+F5, which forces the entire site to reload, forcing a refresh of the cache… and things magically started working. What does this tell me? Noontec’s engineers don’t properly version their resource files, and set an entirely too long TTL for a local-network device. The UI was broken because I had logged in — once — the day before to the previous version. They have no version qualification in their resource paths (which would automatically force a reload), and have a minimum of several hours in their time-to-live (I assume at least 24 hours) for a device typically on a local network. Is this bad? No. Again, it’s amateur. On a public website, you wouldn’t go back to it — depending on when you last visited, the entire site would stop working. For static content, this isn’t as big a deal. For dynamic, interactive content, this is crippling — hence I almost couldn’t test it out. Once I figured out THEIR bug, I was finally able to configure a 5-drive RAID array and get down to testing it.

PERFORMANCE: 3/5 – This may be an unfair rating, and partially arbitrary. Once I have another device I can configure in a RAID5/RAID6, I’ll update this.

Read performance pretty much saturates the 100MBps Gigabit ethernet connection. I tested via an isolated subnet behind a router (the Archer C7) supporting no other devices, connected via CAT6 cables. I used LAN Speed Test (registered!) to try a random assortment of 20 file sizes between 2MB and 5 GB written to the default public share on the TNAS device, with Network Recycle Bin turned on. The TNAS was not otherwise doing anything, nor was the source desktop. LAN Speed Test writes a file, then reads it back to verify it, then deletes it. I tried against four different RAID configurations, all with the same 5 8TB drives; in all cases I waited while the drives configured, then restarted the TNAS, then waited until the TNAS web interface indicated the array was “Good.” I tried: RAID5, RAID5 with encryption, RAID6, and RAID6 with encryption.

Encrypted results vary far more wildly than the unencrypted results. READ speeds for both RAID5 and RAID6 hovered above 95MB/s at all file sizes. WRITE operations on both RAID5 and RAID6 were about 50MB/s, clearly not saturating the network bandwidth, and likely constrained by the requisite parity calculations. Surprisingly, RAID6’s two distinct parity calculations didn’t more significantly impact throughput — but I don’t have CPU utilization information for this time, so I can’t guarantee that two cores were involved in RAID6 versus only one for RAID5.

Encrypted READS were closer to 90MB/s — with a single customer. WRITE speeds similarly dropped by about 5MB/s.

Because RAID5/Encrypted had a lot more noise than any other, I did a second run against RAID5 with encryption enabled — but this time with 100 samples.

While these numbers bore out the same general indicators, it also was very noisy, and lead me into my next set of data.

With encryption enabled, the CPU utilization on all cores are hammered at about the same rate:

If you notice, all four CPUs show a nearly identical noise pattern, with frequent spikes to 100% utilization. What was I doing? I had the TNAS web interface open to capture this data, and was running the aforementioned RAID5/encrypted speed test. This tells me the device may support RAID and encryption — but it’s not designed for it. But this is a $500 (or to me, $300) device, so the fact that it’s not built for hardcore processing isn’t a dreadful black mark.

So why 3/5, and why the equivocation? I believe the CPU load and the saturation point on the RAID5/6 for writes is too high. But until I have another “recent” device to compare it to, it’s just whim. Read speeds seem fine. I expected RAID5 write speeds to be higher than RAID6 (should be 3x slower than a direct write due to the parity block, with RAID6 4x slower). But… I could be wrong.

APPLICATIONS: 1/5 – Just as with Qnap and Synology devices, Terra-Master OS devices (“TNAS” devices) have available a list of web-installer apps for extending the functionality of the TOS3. The list of available apps is nearly impossible to find online (I couldn’t find it while shopping, at least), so here’s the list. Please note the number of apps with “v1.0”, meaning they’ve NEVER BEEN UPDATED.

  • Emby Server v3.2
  • Elephant Drive v3.1
  • Transcoding v1.0, Description “null”
  • Mail Server v1.0
  • MySQL Server v1.0
  • Transimission v1.0
  • WordPress v4.8.1 (current: 4.9.2)
  • SugarCRM v6.5.23
  • Apache Tomcat v1.2
  • Node.js v5.8 (current: 8.9.4LTS, 9.4.0 Current)
  • rclone v1.37

    iTunes Server v1.1

  • Aria2 v1.32
  • DLNA Media Server v1.1.5
  • Net2FTP

    Gcc Build tools v1.0

  • SVN Server v1.0 (“Version management tool, which is frequently used in the software development project and can realize storage, sharing and privilege management of history versions such as codes and documents.”)

    Java Virtual Machine v1.0

  • Plex Media Server v1.10
  • Dropbox Sync v41.4.80
  • Clam Antivirus v1.0

In short: 21 apps. One without any description. At least two painfully out of date. One which has such poor information (“null”) I’m not even sure why I should install it. Java is currently on version 10, not 1.0. I didn’t bother tracking down the others. The selection is just dismal — but it is there. You can even login via SSH and install your own apps — but if you want apps that are already configured to work with your NAS? You’re out of luck.

CONCLUSION: 2/5 – A good external case and polite packaging (they include a screwdriver!) was brought down by cheap plastic trays; solid READ performance was brought down by unexpectedly low WRITE performance; and the nail in the coffin was the numerous small unprofessional choices their engineering choices make.

I mentioned the installation package issue and the CSS issue to a friend, and his response was, “This is the product you’re going to trust your data to?” He’s right. When it comes right down to it, I do not feel comfortable trusting this unit with my data — even though I have other offsite backups. In my delusional moments, I want docker and virtualization support and to be able to play with it — but I am not going to complain that this device doesn’t have what it doesn’t have. But a certain level of polish is expected for me to trust irreplaceable data to a unit, and there was just one too many cases of rolling my eyes and shaking my head at the “amateur hour” exhibition. Even the new 3.1 discovery software — now with installer! — is unsigned, and the MSI is authored by “Default Company Name”, created on “6/21/1999”. This might be a fine device if I just want to play with it — but I can’t trust it.

One thought on “NAS Review: TerraMaster F5-420: Some nice touches, but not worth the risk

Leave a Reply

Your email address will not be published. Required fields are marked *