How old is your router?

Topic

New Reply

I saw a recommendation yesterday that you should review your router and if it was older than two years, consider replacing it. I think that’s a bit ex
[See the full post at: How old is your router?]

Susan Bradley Patch Lady/Prudent patcher

9 users thanked author for this post.

ve2mrx, Ascaris, Nibbled To Death By Ducks, woody, SueW, wdburt1, HiFlyer, Alex5723, Fred

Reply | Quote

Replies

I see no option on mine even mentioning anything resembling updating. I’m forced to assume it’s automatic and I have no say in any of it. Lovely.

Reply | Quote

Check it out on the maker’s website?

Reply | Quote

Sometimes there are no settings within ISP provided router interfaces to check, as well as having branded things to the ISP and not the OEM. Hence, a user is at the mercy of the ISP and their update cadence.(whether it be security astute or not)

Windows - commercial by definition and now function...

4 users thanked author for this post.

ctRanger, jburk07, Mele20, Myst

Reply | Quote

We just lost an ASUS AC3100 RT-AC88U that was just under two years old and still covered under its warranty.

Don’t know if it just gave up the ghost or got hit with a power surge.

We have also recently lost a modem and the C drive on one of our workstations.

All were fed through a Cyber Power 685AVR battery backup and backup power provide by a generator.

Reply | Quote

A lot of the security concerns seem to relate to WiFi – would that be a fair comment given that some users, myself included, do disable WiFi and only use a router to make wired connections from the modem to multiple PCs?

2 users thanked author for this post.

Cybertooth, Microfix

Reply | Quote

Seff wrote:

A lot of the security concerns seem to relate to WiFi

The only issue with WiFi is the KRACK attack, and that needs updates to all WiFi devices, not just your router.

Router issues are separate and can allow your network to be attacked from the internet, without any local access required.
To check your basic router security you should check ALL ports using the GRC ShieldsUP! port scanner.

cheers, Paul

2 users thanked author for this post.

Ascaris, Cybertooth

Reply | Quote

AFAIK, GRC scanner checks for open ports, not software vulnerabilities!

For vulnerability scanning, better use something like Nessus. Scan from the inside AND outside for a good picture.

Martin

Reply | Quote

I did say “basic security”.
If none of the router ports are open it is extremely difficult to find software vulnerabilities from the internet, so hackers will move onto easier targets.

Due diligence is all you can do from a normal user perspective.

cheers, Paul

Reply | Quote

For years and years routers have been getting amazing custom firwares by many very talented people mostly for free.

You need to have a router with the right chipset offcourse. One that that firmware makes use off. When you make use of this then the age of your router from a safety standpoint becomes meaningless. Often such firmwares add extra abilities that where not even there when you bought your router.

The list of custom firmwares is way to long to list here but some famous ones are:

dd-wrt, tomato, merlin, etc.

For my own router an Asus RT-N66U like 10 years old! I use a Fork of Merlin:

[Fork] Asuswrt-Merlin 374 LTS release 45EC

Buying a router model today that is not supported by homebrew in some way is a crime against the environment! Not to mention your wallet. Buying a second hand router to then flash with a custom firmware is a great money saver. Such a router provides a secure connection to the internet for many years.

W10&11 x64 Pro&Home

2 users thanked author for this post.

Ascaris, Mele20

Reply | Quote

Am I doing something wrong as when I click on the Shields up link I just get a message saying Browser reload suppressed and to just go back with the browsers back button? This on FF, Chrome and Edge.

Eliminate spare time: start programming PowerShell

Reply | Quote

I think you ment that reply for Paul T.

The GRC site uses a dynamic link for the Shields Up page that is different and unik to every user.

Try navigating to the GRC main page then follow the links to the Shields Up page.

W10&11 x64 Pro&Home

1 user thanked author for this post.

access-mdb

Reply | Quote

Great marketing ploy. Replace your computer, car, house etc too.

Update the firmware. Don’t contribute to the people behind that comment.

Byte me!

2 users thanked author for this post.

HiFlyer, Nibbled To Death By Ducks

Reply | Quote

Michael Horowitz’s web site is excellent, and I have purchased and am using the router he recommended.  His emphasis on putting the user in control and addressing vulnerabilities in practical ways was just what I was looking for.

3 users thanked author for this post.

TaskForce141, Kirsty, scoobydoo

Reply | Quote

Replacing a router so often is useless. ONLY then when your manufacturer never brings out updates. Often the el cheapo routers are affected. One of the advantages of most routers is that they are easily maintained and kept safe by new firmware. The jumps forward in speed are not worth mentioning anymore, especially not wired connections. Wireless: if you have AC, you’re good to go for years to come.

Reply | Quote

My router is ooooold, 2006/2007 era with last firmware update in 2008. I have WPA2 set and I’m away from any population in the desert. The speeds I get are not worth updating the router since it still works great.

I have thought about getting a new router but it seems like they all want to go through the “Cloud” which I do not want to do. There is no 5 GHZ out here so that would be a waste also since they all seem to come with that now.

Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

Reply | Quote

CADesertRat wrote:

My router is ooooold, 2006/2007 era with last firmware update in 2008. I have WPA2 set and I’m away from any population in the desert.

I’m not suggesting anyone throw away their old routers (I loathe planned obsolescence), but it’s not necessarily about the wireless connection. It is possible that there may have been vulnerabilities in the wifi stack in the router’s operating system that could expose it to wireless attackers if they’re within range, but that’s not the only potential threat. If you connect the router to the internet (and it is not behind another router or gateway), any vulnerabilities to unsolicited packets from the WAN (internet) are coming directly to the router, and that can still present a risk. That’s the kind of vulnerability that the recommendations are really trying to address.

CADesertRat wrote:

I have thought about getting a new router but it seems like they all want to go through the “Cloud” which I do not want to do.

You can turn that off and do it all locally. My new router (Linksys) has that ridiculous cloud feature, but it is off by default, and until you create a Linksys account and link it to the router and the device you want to use to control it, it will remain off. I can’t imagine why I would want to control the router settings from a smartphone when I am not at home, aside from some highly unlikely hypotheticals where I may have left the router in an insecure state but forgotten about it, only to remember it when I am out and not able to get back home right away to secure it. Other than that, I am only concerned that my router is working properly when I am at home using my home LAN. When I am out, I’m not home, so not being able to use my home network isn’t a concern until I am home.

It’s a marketing gimmick, as far as I can tell. It’s got to have an “app” and the word “cloud” in its description for maximum coolness value. In practical terms, anything I could do with the app, I can do locally in the conventional way from within the network itself.

CADesertRat wrote:

There is no 5 GHZ out here so that would be a waste also since they all seem to come with that now.

The 5 GHz connection is used to connect the router and the client devices, just like the 2.4 GHz band you’re presumably using now, so you can use 5 GHz anywhere there is electricity to power the router (you don’t need internet service to have a wireless LAN connection). All you need is a router or WAP that can use 5 GHz and a client device that can also use it, as pretty much all new laptops, tablets, and smartphones can. If not, laptops can usually have a new wifi card installed to give them new capabilities, which I have done with several laptops in the past, including the G3 (now two years old) that I am using now to write this. The notable exceptions are HP laptops manufactured more than a few years old and Lenovo laptops, which will reject unapproved wifi cards and refuse to boot.

My router from 2008 or so (no longer in service) is dual-band, and I have been using the 5 GHz band since I bought it new with my 2008 Core 2 Duo laptop, which came with a dual-band wifi card (an Intel 4965AGN).

Those are wireless-N devices, which could connect at bit rates up to 300 Mbps, good for up to about 25 megabytes per second transfer. That’s well above my 40 Mbps internet speed, but I also use the wireless connection to transfer files and perform backups over my LAN.

The most common current type of dual-band routers or wifi cards is wireless-AC, which is what my Linksys router (which I got for 25 dollars some months ago) and my laptops use. It connects at 866 Mbit/s, good for up to about 70 megabytes a second. It’s not quite as fast as my wired ethernet (gigabit, up to about 115 megabytes a second), but it’s good enough that I often don’t bother to connect the cable to back up the laptops to the backup server.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

3 users thanked author for this post.

Cybertooth, CADesertRat, wdburt1

Reply | Quote

Keep in mind that more and more people are moving to a household with no traditional computers.  The entire house is full of ipads and android tablets and -zero- traditional networking devices.  So this move to the app is needed because for many households there is no way to get to a traditional networking device.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

None of those devices has a web browser?

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

Ascaris wrote:

None of those devices has a web browser?

Not meant to sound snarky, if it came off that way, btw.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

Same here 🙂 Some old netgear wpn824 2007 that was free from isp but its behind ics on win10 for a couple of mobile phones.

Reply | Quote

I think you might be confusing the 5G (5th generation) wireless phone technology with Wi-Fi that’s using the 5GHz radio frequencies. Absolutely not related.

As for firmware updates (or keeping up-to-date anything touching Internet!), if it hasn’t been updated in 18 months, it’s probably vulnerable.

Martin

Reply | Quote

My router was manufactured more than three years ago, but it was replaced earlier in the year due to a hardware failure. My router and WAP are separate since I need the WAP installed in a different area of my home to get a solid Wi-Fi signal everywhere (tried mesh networking, and even it was flakey due to my wall insulation). My WAP is less than a year old.

I’m “set” because I’m using all Cisco Business grade gear for the router and WAP. Both have active service contracts I keep renewed, and both are set to automatic firmware updates, so they usually receive firmware updates shortly after a firmware update is released.

I recently also signed up for a branch license to Cisco Umbrella that’s installed on the router, and it’s already protecting my network from malware.

Nathan Parker

Reply | Quote

[Nibbled To Death By Ducks]

Very interesting read, as Networking is one of the “Terra Incognito” areas on my IT map. (A little bit known, some signs saying “Here there be dragons,” lots of white areas etc.) Everything checked out pretty well on the GRC and other sites mentioned.

Only problem is, I have a Sagemcom Fast 5260 which I rent from my ISP; this has advantages and disadvantages:

Disadvantages:

1. It nicks me for $7 a month; (I wasn’t planning on having to stay here later than February/March when the Pandemic hit, so much for that.)

2. It’s made by Sagemcon; they have horrible reviews.

3. For some reason, when you try and re-name the connection, it totally freaks out and can’t even find the computer. As I have had just about enough of offshore support’s bad phone connections and broken English (sometimes together), I just let the *&^% thing advertise it’s own SSID.

4. The ISP never tells you WHEN they do this or WHAT is being updated. (I guess the average person couldn’t make heads or tails of it anyway.) Having a connection issue I can’t troubleshoot right now, this is a real pain; for all I know, it could be due to some firmware update they slipped in. (Yes, I have tried the Networking forum here; no joy.)

Advantage (one, but significant):

1. It belongs to my ISP, and force-feeding it firmware updates is THEIR problem. (Oh, they swear they do this regularly.)

As to turning it off when not in use, well, it’s in use at all hours of the day and night here, so it just would be more of a pain than anything, IMHO.

Inasmuch as I am entitled to have an opinion of this, I take a teeny-tiny but of an issue with Steve Gibson’s attitude on Ping!; He seems to think it’s horrendous, but a lot of things break when you disable it, as I have found. A lot of info out there suggests that this is no longer the horror it once was as a vulnerability to hacking. My router is set to “low ping” (there’s Low, Medium and High settings. I don’t know the technical difference, but mine is set by default to “Low”.)

I always owned my own router/gateway, and had a fellow from my old PC group who was excellent at Networking set it up for me; it was a Linksys DD-WRT with Linux firmware, and seemed to be pretty good save for it’s broadcast signal strength.

Unfortunately, as I move around a bit, we lost touch, and I’m pretty much on my own with this stuff. Articles and sites like those indicated really help! Thanks!

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

• This reply was modified 4 years, 4 months ago by Nibbled To Death By Ducks. Reason: grammar

1 user thanked author for this post.

Cybertooth

Reply | Quote

Nibbled To Death By Ducks wrote:

It belongs to my ISP, and force-feeding it firmware updates is THEIR problem.

Except when their lack of updates allows hackers onto your network.
You should check the basics yourself.

cheers, Paul

3 users thanked author for this post.

ve2mrx, Nibbled To Death By Ducks, Ascaris

Reply | Quote

[Nibbled To Death By Ducks]

True. It comes down to “Who do you trust?”

The ISP  is Charter/Spectrum, so one would THINK a large outfit would want to protect themselves against Liability lawsuits* and do it right….but you have a point. I’ll add it to my list of “the 1000 things”.

*OTOH, I’ll bet there’s something in the T&C that exonerates them from hackers, along with fire, “Inherent Vice”, etc…I’ll have a look at that too. :/

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

• This reply was modified 4 years, 4 months ago by Nibbled To Death By Ducks.

Reply | Quote

According to a Reddit thread, there are no firmware updates available, and this is an ISP-only model.

However, it checked out as secure on two test sites, and Routercheck.com says “There are no security issues for this router.” 🙂

I think I have done my “due diligence”.

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

Firmware for ISP-provided devices is usually installed remotely by the ISP when they see a need for it. If it causes service issues, increases support calls or causes bad publicity, chances are it will get fixed.

I once ran a Nessus scan on my provider’s Sagemcom all-in-one DSL/fiber router and the report was appalling. It took a while to get in contact with the right people and report the issue list to them. I had tried normal tech support but got no return on that. I had to go to management to get a reply.

I explained to them the severity of the vulnerabilities (worst was a remote ssh port open to Internet running on a years-old easily exploitable version of the software) and the risk it posed to their users and the resulting negative publicity it would generate. I then cited news articles on other ISP devices with vulnerabilities so they can read about the possible consequences.

After a few weeks, I was told an update had been pushed and it had. I checked it and my issues where fixed!

Still, that router has horrible firmware (after more than a year, it still hard-crashes if you give it an IPv6 packet, among others) so I “stack” my own EdgeRouter through it using PPPoE passthrough. Best of both worlds : IPTV just works, VoIP phone line just works, I get all the features I need on my stable, reliable router.

Get the management or shareholders scared. They will fix it 🙂

Martin

Reply | Quote

I always buy my own router rather than rely on the ISP router – I want to control my network myself, and also want a better grade of router. I have been using a Netgear R6300v2 router since Feb 2014, and it has been totally reliable throughout. It is a dual band 802.11ac router, with a Netgear EX3700 access point as a separate access point for house coverage. My internet connection is a 40mbps FTTC. Both devices get regular Netgear firmware updates – the last in July 2020 – advised to me by email.

The setup is more than sufficient for my home needs, which generally has about 10-12 active devices and can have two HD streams running. From a performance point of view, I am very happy, and it falls into “if it ain’t broke…” category. If the firmware updates are coming, I assume I am reasonably secure, and I do occasionally check the GRC site.

I’m not inclined to change it until I need a new feature or it breaks, but at nearly 7 years and running well, I think I bought quality. In these circumstances, 2 years looks incredibly short to ditch your router, and if it really were necessary that would be a massive criticism of the industry. After all, routers have been around for a long time.

Chris
Win 10 Pro x64 Group A

1 user thanked author for this post.

Cybertooth

Reply | Quote

? says:

is anyone here using ax? Susan’s link to consumer reports about wi-fi 6 sent me looking:

https://en.wikipedia.org/wiki/IEEE_802.11ax

i usually go to the newest supported gateway my isp supports. right now it is xyxel c3000z ac…

Reply | Quote

AC is more than fast enough for home / small business computing requirements IMO.
AC = 800Mb/s = near ethernet speed.
AX = 11Gb/s = ultra high speed ethernet (10Gb).
Internet = 20 – 100Mb/s = 10% of your network speed.

cheers, Paul

1 user thanked author for this post.

Chris B

Reply | Quote

I agree. I have never had a problem with my ac network being able to keep up with my 40mbps broadband, nor with the demands I put on it on the LAN. Also, wifi6 kit is a good deal more expensive than ac, so why pay good money for capacity I will not use. The wifi6 prices will come down in due course, anyway.

Chris
Win 10 Pro x64 Group A

Reply | Quote

? says:

thanks for the replies Paul and Chris. i must have been asleep at the switch since CL has already deployed the wi fi 6:

https://www.centurylink.com/home/help/internet/modems-and-routers/greenwave-c4000.html

now if santa will only spring for the gateway and some newer faster radios i’ll be set to battle the neighbors in ax…

Reply | Quote

Nibbled To Death By Ducks wrote:

Inasmuch as I am entitled to have an opinion of this, I take a teeny-tiny but of an issue with Steve Gibson’s attitude on Ping!; He seems to think it’s horrendous, but a lot of things break when you disable it, as I have found. A lot of info out there suggests that this is no longer the horror it once was as a vulnerability to hacking. My router is set to “low ping” (there’s Low, Medium and High settings. I don’t know the technical difference, but mine is set by default to “Low”.)

This is a bit of a problem with oversimplification in a lot of places.

Some people get the idea that, because “ping” is a security issue, you need to disable ICMP altogether.

And disabling ICMP completely leads to all kinds of problems whenever any component along your traffic path does something unexpected. For example a “destination-unreachable / reason code 4” is perfectly normal if any number of completely normal equipment type boundaries happen to exist along your route, and if that’s blocked…

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

[Alex5723]

pHROZEN gHOST wrote:

Update the firmware

Update the firmware? Most, if not all, Manufacturers of routers don’t update firmware beyond a year.
The best way is to test your router for open ports (GRC) and harden the settings, authorize access using MAC address, set your connected hardware with fix IP and block any other IP, install DD-WRT, OpenWrt, .. providing router support.

• This reply was modified 4 years, 4 months ago by Alex5723.

Reply | Quote

Alex5723 wrote:

Update the firmware? Most, if not all, Manufacturers of routers don’t update firmware beyond a year.

My router (Netgear) is still getting firmware updates 6+ years on. See my post above.

Chris
Win 10 Pro x64 Group A

Reply | Quote

Chris B wrote:

My router (Netgear)

My previous router (Netgear) never got firmware support.
My current Optic Fiber router (Technicolor DGA2232) got 1 update in a year.

Reply | Quote

My Netgear WNDR3700 (v1) stopped getting updates waaaay back in the day, even though updated revisions of the unit (with the same model number) were still listed as current models.

I kept using that router for ten years after I bought in in 2008, with DD-WRT, but otherwise, I would have been stuck with the old, old firmware, while the company that made it reserved its updates for newer revisions of the same model. I’d shake a fist at Netgear in particular, but it’s a problem across the consumer router industry. You just never know how long its support will last when you buy it– and that’s not just a router problem.

As I mentioned before, I have an Android tablet (from a Korean manufacturer whose name rhymes with Samsung)… it came from the factory with Android 4.0.4 (Ice Cream Sandwich), released in March 2012, and its final update came that same year, to Android 4.1.2, Jelly Bean. Not even a whole year after I bought it brand new in the store, and it got its last update. Now, eight years past my last update, I still have it and it still works well, and the apps that still run on it work fine, despite its slow performance compared to more recent models. Like a router that works fine but is cast aside because its manufacturer doesn’t bother to release updates once they already have your money, it’s obsolete artificially, not as a natural result of the progression of technology, and I loathe that.

All of this discussion has gotten me off my butt to get DD-WRT onto the Linksys router I mentioned above, and it is not going well. The procedure for installing it is convoluted and difficult, but I should be able to handle it… yet I haven’t been able to get it done. All of the steps reported as working by the various people out there haven’t, and I am tired of messing with it already.

I bought the unit because it was on sale super cheap ($25 for a dual-band AC router, and this was some time ago), but I did check to make sure it had DD-WRT support before I bought it. I just didn’t realize how convoluted the process would be (compared to my WNDR3700, which was very easy).

As such, I think I will buy a new unit that’s on sale now for Black Friday and give that a shot. I hadn’t planned on this until now, so it is fortuitous that this discussion came up right now, when the sales are still on (most of them aren’t just the actual Friday anymore). I see the TP-Link Archer C7 has a DD-WRT installation procedure that looks as easy as that of my WNDR3700, and OfficeMax has it in stock for pickup for $50.

I have never used a TP-Link before, and maybe it will come with great firmware that does all I want it to… but for how long? This way there’s a plan B if they don’t support it, or if their firmware has missing features.

I’ve criticized MS much recently, but at least with Windows, you know when you buy it exactly how long the OS will get security support, and the support period dwarfs just about everything else. That’s one thing I applaud MS for.

People may think of a router differently than a laptop or desktop PC, but (like a tablet or phone), it is a small computer in there running an OS (Linux, nearly always), and all the same reasons to get updates apply. Do any of them have a predefined support period other than “buy it and find out?” I’d be interested to know if anything in the consumer segment has such a promise.

Without such a guarantee, if I can’t get aftermarket firmware onto it, I’m not interested (unless I get it at a bargain basement price). I now know to check not just that it has a DD-WRT/OpenWRT/etc. firmware available, but that the procedure for installing it is reasonable and doesn’t take black magic to make it happen.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

Ascaris wrote:

I have never used a TP-Link before, and maybe it will come with great firmware that does all I want it to

Nope, it didn’t.

Grabbed the latest DD-WRT and flashed it on the router, and it’s up and running nicely with the new firmware. Definitely recommended for anyone who wants an inexpensive 802.11AC router that is easy to set up with custom firmware.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

I use an Archer C7 with DD-WRT, works nicely for not a lot of money.
DD-WRT is not the easiest to configure and the doco leaves a lot to be desired, but if you have a spare machine you can dedicate to setting it up and know what you are doing, it is very powerful.

cheers, Paul

Reply | Quote

I used DD-WRT in the past but although there were frequent new firmware builds available, much time was lost figuring out, while reading 20+ pages threads, what recent version was stable for long term use. If you want to tinker and have time to spare, fine, but it’s not for most people. So, I gave up wasting time on this.

I got Ubiquiti EdgeRouter Lites for me (and my family, I am their IT support department) with UniFi WAPs. No more monkeying around, no more “you’re on your own”, much less time lost. Bonus: I can manage everything from my management server. I already manage their ESET  antiviruses, why not the network too?

Sure, those routers are ISP-grade, not user-grade, but I learned to do it. Then, I just have to look at the management server to see if updates are available, backup the routers and trigger the updates! Of course, I read the release thread on the forum first and wait a week or two before I do, but it is EASY.

Looking for something simpler to configure? Get some router in the UniFi line instead of the Edge line.

My rule of thumb: If it’s been more than 18 months since the last router firmware update, replace it. It’s been abandoned!

Regarding automatic updates: Trust, but verify! Sometimes, they fail to work.

Remember : Vulnerabilities in networking equipment makes them suceptible to remote attacks. This is also true for ANY network-connected devices! (The “s” in IoT is for security 😉

Martin

Reply | Quote

ve2mrx wrote:

I used DD-WRT in the past but although there were frequent new firmware builds available, much time was lost figuring out, while reading 20+ pages threads, what recent version was stable for long term use. If you want to tinker and have time to spare, fine, but it’s not for most people. So, I gave up wasting time on this.

With my WNDR3700, I would typically just grab the most recent version and install it, and see how it worked for me. Nearly always, it worked well. There may have been bugs in features I didn’t use, but if I didn’t notice them, they didn’t bother me. If one build didn’t work, I would go back and try another one. One of them managed to soft brick the router, but it was not hard to use tftp to debrick it and get it working. If you’re not a techie-type, that possibility may not be for you, but if you are, it’s not hard.

I know what you mean regarding the long threads of people commenting about any given release on the DD-WRT forum, but if the people commenting about things not working are not using the same model router as you (each forum is based on the maker of the router CPU/SoC, not the model of router), what they report may not have any relevance to you. I sometimes would search for the model number of my router and see if anyone with my actual model had posted. If not, I would just give it a shot, knowing that if it gets bricked again, I can fix it in a few minutes.

I’ve had more trouble with the official firmware for my Netgear WNDR3700 router than most builds of DD-WRT. The Netgear forums were packed to the rafters with complaints about the buggy official firmware (and I encountered several of these bugs), and Netgear representatives would visit the forum and try to gather information about the issue, and they would tell us the new firmware is being worked on.  Then everyone would momentarily be happy when they did release that new version, often to be disappointed yet again.

And then Netgear just stopped, both with the posting in the forum and with the updates. That experience played a role in how I view aftermarket firmware versions (where if one does not work well, you have many others to pick from) vs. the factory firmware (where if the factory versions all stink and they decide not to fix it, you have no other choice).

I had similar experiences with D-Link back in the day. The Zyxel I had was solid from the start, and remained so until it was obsolete. I had a Motorola router that had some bugs in the firmware when I first got it, but the update fixed it, and it was solid afterwards.

I don’t grab every new build DD-WRT comes out with. Every so often I would go to the forum and see how things are going, reading just the first bit of the thread about the newest build, and see whether I wanted to give it a shot. Of course, being the nerd I am, I find this kind of thing to be a recreational activity, not a chore.

And if DD-WRT isn’t your thing, the other alternative firmware versions (like OpenWRT) will usually have a version for your router if DD-WRT does.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

ve2mrx wrote:

AFAIK, GRC scanner checks for open ports, not software vulnerabilities!

For vulnerability scanning, better use something like Nessus. Scan from the inside AND outside for a good picture.

Martin

I looked up Nessus and it looks interesting, but I stopped when I read the EULA and it says they claim the right to audit my usage of the software.

The standard response to that is that this is a free version of the software, why would they audit the use of that. The reply to this response is that if they have no intention of auditing usage of their free software, then they could explicitly exclude it from the audit provision, but they have not.

Any other router security-checking software out there that one might use?

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

Well, the free license is for non-commercial use. I guess they reserve the right to audit if they suspect you are avoiding paying for a commercial license by using the free personal license for commercial use?

At least, they never audited me while I use it to check my personal network… And I never expect them to.

Martin

1 user thanked author for this post.

Cybertooth

Reply | Quote

Your router’s security stinks: Here’s how to fix it

Most home Internet routers have serious security flaws, with some so vulnerable to attack they should be thrown out…

“If a router is sold at [a well-known retail electronics chain], you don’t want to buy it,” independent computer consultant Michael Horowitz said in a presentation.

“If your router is given to you by your internet service provider [ISP], you don’t want to use it either, because they give away millions of them, and that makes them a prime target both for spy agencies and bad guys.”

Horowitz recommended that security-conscious consumers instead upgrade to commercial routers intended for small businesses, or at least separate their modems and routers into two separate devices. (Many “gateway” units, often supplied by ISPs, act as both.) Failing either of those options, Horowitz gave a list of precautions users could take….

Reply | Quote

Interesting enough, Spectrum supplied both WiFi router AND modem separately. The router is an Arris.

There’s also the 800-lb gorilla in the room no one’s spoken of: MONEY.

Mr. Horowitz probably has an unlimited budget, and maybe gets paid for reviewing routers, not to mention routers supplied by vendors for test and review. The rest of us without a money bin sometimes have to make a choice on a scale with performance/security on one end, and $$$ on the other.

The question being hitting the right price/security=value point.

And, IMHO, anyone who buys a router from NetGear is walking a teetery line; I used to know someone who worked there, and, well…they’ve made good ones and some real bombs…or Nest for that matter. Personal Experience with The Chocolate Factory’s hardware has led to a lot of swearing. Uh-uh, no thanks.

This is a LARGE subject! Susan, you sure know how to pick the topics! Thanks! This is fun. 🙂

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

1 user thanked author for this post.

Chris B

Reply | Quote

Interesting comment NTDBD. I have bought quite a number of Netgear routers, switches and a NAS and always been happy with them.

Chris
Win 10 Pro x64 Group A

Reply | Quote

Nibbled To Death By Ducks wrote:

And, IMHO, anyone who buys a router from NetGear is walking a teetery line; I used to know someone who worked there, and, well…they’ve made good ones and some real bombs…

Probably true, but are any of the other consumer routers any better? I’ve had firmware quality issues (some that were later fixed, some not) with several different brands of routers (all three of the ones I’ve had long enough to judge: Netgear, D-Link, Motorola), and the problem with not releasing new firmware updates after the unit is out of warranty has hit all three too.

In terms of components, I did have my Netgear WNDR3700 router start slowing down in wireless speed some time ago, and I opened it up to check the electrolytic capacitors, and sure enough, several of them were bulged. I replaced them and the router was back up to speed, but it was disappointing that Netgear had used low-tier capacitors. My D-Link, by contrast, had top-tier capacitors, and they never bulged. I never looked at the capacitors on the Motorola.

My newer routers, a Linksys EA6500 and a TP-Link Archer C7, are too new to be able to know anything about reliability or future firmware support. The C7 specifically is already running DD-WRT, which was the reason I bought it. It’s as easy to flash the DD-WRT firmware as it is to flash the factory firmware in the C7 (as with my Netgear WNDR3700). The Linksys used to be that easy with older versions (before I had mine), according to the DD-WRT wiki, but they started signing the firmware, which meant that once it had the updated firmware on it, it would reject the unsigned DD-WRT firmware from that point forward. Mine already had the newest factory firmware on it before I discovered this, and it is probable that the one it came out of the box with was also too new for an easy DD-WRT installation.

It was such a breath of fresh air to have all of the options in DD-WRT again… the factory firmware in most consumer routers is really lacking by comparison.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

Chris B wrote:

and always been happy with them

If you are security conscious you shouldn’t be so happy, unless your setup your routers… as install-and-forget.

79 Netgear Routers Vulnerable to Serious Security Flaw

758 different firmware versions are vulnerable to a remote attack, and Netgear has yet to release security patches.

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

That looks like the firmware update that was pushed to me on 12 July.

Chris
Win 10 Pro x64 Group A

1 user thanked author for this post.

Alex5723

Reply | Quote

“In total, some 758 different firmware versions contain the vulnerability, which Netgear has used across 79 different router models for the past 13 years.”

Thanks, Alex, I was trying to be diplomatic about it and not “Tell tales out of school,” but it looks like PC Magazine beat me to it last June.

758? Gee, they’re not trying hard enough; I know they could make it to 800 if they really applied themselves…

As for NEST, I have had three of their “SMART” CO2/Smoke detectors in standalone mode (no “Smart mode”) go toes up on me in three years. I am using the last one for skeet shooting.

“Pull!” <sfx: both barrels-BOOM!>

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

1 user thanked author for this post.

Cybertooth

Reply | Quote

This is why it’s essential to prevent outside access to your router and for you to test that there is no access.

cheers, Paul

Reply | Quote

I am sad to write that if your router is vulnerable, having closed its firewall doesn’t necessarily prevent it from being abused.

That’s because to know if the port is open or closed/stealth, the packet has to be handled. Pwnage can happen there! The test is there to protect the internal network and detect mis-configured routers, not defective or vulnerable routers.

If your router is vulnerable, you have two options to secure it: fix the vulnerability with an update, or unplug it (WAN or power will do).

Martin

Reply | Quote

ve2mrx wrote:

That’s because to know if the port is open or closed/stealth

This is not the case.

For an exploit of the internal web server (for example) the packet has to be passed to the web server process.

A firewall / router only needs to read the first segment of a packet to find the port and if there is no rule to pass that packet it is dropped and the firewall is “stealthy”.

cheers, Paul

Reply | Quote

Exactly. I was oversimplifying.

My point was that by the time the router knows to what port a packet is “going” to, it has been buffered and parsed. A vulnerability there and the router is potentially pwned, even if the port is closed/stealth/open. That’s the part of the stack that the GRC port test “abuses” to see if open/closed/stealth.

This means that anything logically handling packets can be vulnerable. This includes network card drivers too! I can see a buffer overflow causing damage (with a bit of luck).

Martin

Reply | Quote

Packets are a maximum size so it’s easy to drop oversized ones and prevent that sort of buffer overflow. It’s only when the content is handled incorrectly that you have problems and that is not done at the firewall or when passing packets on to the network / internal processes.

cheers, Paul

Reply | Quote

Ascaris wrote:

Probably true, but are any of the other consumer routers any better?

Good point. I also had major problems with a Linksys router some years ago. The DHCP server failed to work on the wifi part of the LAN. From the comments I saw, lots of people had the problem, and Linksys acknowledged the issue on the phone, yet they never solved it. What really annoyed me was they deleted all posts about it on their forum, and also the time I wasted trying to sort it out. I swore never to buy another piece of kit from them, and haven’t. Mind you, that was some time ago and I should probably lift the ban now!

Chris
Win 10 Pro x64 Group A

Reply | Quote

Re: Netgear’s End of Service Policy

The following is from Netgear’s website:

End of Service Products
NETGEAR discontinues support and maintenance firmware releases, including security updates, for certain technologically obsolete products which have not been manufactured for 3 or more years, or longer where required by law.

This allows us to focus investments on supporting newer technologies and great new experiences. End of Service dates do not change the product’s limited warranty period.

For these reasons, if your product’s model and version number is past its End of Service date, we recommend you purchase the latest version or newer more advanced products. All versions of products listed are end of service unless otherwise noted by version number.

Reply | Quote

@280park Nevertheless my Netgear R6300 router is 7 years old, working fine, and still getting updates. The last was 23/12/20. I’ll only upgrade when it breaks or I find a new feature I really want.

A lot of manufacturers put this last paragraph in their terms – quite self serving, isn’t it? I’m glad my car/fridge/washing machine etc aren’t automatically deprecated after 3 years. 🙂

Chris
Win 10 Pro x64 Group A

Reply | Quote

This page from Netgear’s website includes lists of end of service products grouped by product type.

https://www.netgear.com/about/eos/

Your R6300 router is not listed in the router category.

Netgear’s policy of discontinuing support “for certain technologically obsolete products which have not been manufactured for 3 or more years” does not help the consumer determine the status of a Netgear product because there apparently is no way to determine when Netgear has stopped manufacturing a particular product. It seems that the only way to know definitely if a product has reached end of service status is by reference to the above list.

1 user thanked author for this post.

Chris B

Reply | Quote

Sadly, to know this, you need to subscribe to a mail list or (if you are lucky) get notified by the router web interface.

Most routers go obsolete and unsupported silently, semi-forgotten by their owners… As long as they work.

Martin

Reply | Quote

Mine are old I have a newer one in a box but the antenna is in another box and I haven’t had the energy to look or set it up.  Mine stopped getting updates years ago I am sure it’s time, just not sure how many threats are around me as my location is physically remote.

Reply | Quote

Physically remote isn’t relevant when you are connected to a worldwide network!

You are one vulnerability away from being pwned, everyone is. That’s why everything touching the network must be supported and maintained. A network driver in your computer could get you pwned, your router even more as it is facing Internet and gets scanned multiple times per day.

Maybe you could run a vulnerability scan on it and get hard data?

Martin

Reply | Quote

It’s just a laziness issue haha taking it out of the box and putting antenna on isn’t a big deal in just dreading any feedback from other users in the house who have a hard time with technological change.   But yes I’ll replace it soon you’re right.

Reply | Quote

I used my Netgear WNDR3700 (v1) router for something like 10 or 11 years, and it’s still up to date on firmware even now, using DD-WRT. I’d not have replaced it if I didn’t want greater speed on the wifi.

Now I am using a TP-Link Archer C7, also with DD-WRT. I bought that model specifically because there was a DD-WRT version for it that was easy to install.

The Netgear would have been obsolete (by reason of too many security vulnerabilities) long ago if not for the aftermarket firmware. The Archer is still in support as far as I know, but the DD-WRT is so much more configurable, if you’re into that kind of thing!

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote