RT-AC3100 stable on v386.2_6 what do I miss by NOT updating

[consorts]

Hi Gang, long time no post

I setup this router years ago, and kept updating till I noticed this version was so rock solid
I could go a year without having to reboot my router or have any gui grief accessing it.
I don't notice any ddos attacking or malware client detections on any of our 20 devices
nor any unusual dn/up activity on the traffic-analyzer statistics.

I am NOT running anything on of an external memory stick.
I host 2x3 sid, use wan and lan qos, history is disabled
aiprotection is enabled = no threats, aicloud is disabled
advanced-wan DNSFilter is the only fancy thing we do
(using 1111 and 9999 for dns).

so bottom line question is;
should i risk updating the firmware, or just leave well enough alone.
if i should update, could you tell me what i may have been missing?
i'm more concerned with high occurrence wild threat mitigation,
not features added or refined - as i'm not missing any i care to use.

 

[Ripshod]

You're missing a lot more than below (at least one release skipped)..
I would definitely upgrade if you use, or have ssh enabled. Some changes to QOS too. Up to you (I would).

386.13 (7-Apr-2024)
  - NOTE: all the models supported by Asuswrt-Merlin on the
          386_xx series are now officialy on Asus' End of Life
          list, which means unless there are new major security
          issues, no new updates will be provided by Asus.

          Asuswrt-Merlin will tentatively attempt to continue to
          provide updates and fixes until the end of 2024, at which
          point all the 386_xx models will no longer be actively
          maintained.

  - UPDATED: openvpn to 2.6.10.
  - UPDATED: miniupnpd to 2.3.6.
  - UPDATED: tor to 0.4.7.16.
  - UPDATED: OUI database used by networkmap and the webui.
  - CHANGED: QOS/Classification page can now resolve local IPv6
             addresses.
  - CHANGED: Display tracked connections on the QoS/Classification
             page even if QoS isn't set to Adaptive QoS.
  - CHANGED: Prevent the use of Apple's iCloud Private Relay
             when enabling "Prevent client auto DoH".
  - CHANGED: NAT Passthrough page - removed the "Enabled + NAT
             Helper" option as the firewall no longer blocks
             traffic when set to disabled.  This is back to the
             former behaviour, where this setting only controls
             whether or not to load the NAT helper.  You might
             need to readjust that setting if you had previously
             changed it.
  - CHANGED: SIP, RTSP and H323 ALG (NAT helpers) are now
             disabled by default, as these legacy features tend
             to create issues with modern VoIP setups.
             This change will only apply to people doing a
             factory default reset of their router.
  - FIXED: CVE-2023-48795 in dropbear.
  - FIXED: Various issues with the QOS Classification page.
  - FIXED: UPNP leases without a description would not appear
           on the Forwarded Ports page.
  - FIXED: web server crashing when entering certain settings on
           the Network Filter Page.  Bypassed bug in closed source
           validation code for now.
  - FIXED: Concurrent cronjob changes through cru could cause
           collisions, leading to missing jobs (dave14305)
  - FIXED: CVE-2023-5678 & CVE-2024-0727 in openssl (backport from
           Ubuntu by RSDNTWK)

 

[Tech9]

should i risk updating the firmware

It's up to you. You can make a backup and test newer versions for yourself. Something not right - flash your preferred firmware back and restore the backup. If you don't want to mess with good working router, your router is locked down with nothing exposed to Internet, your clients are also updated and secured and you know what are you doing online - you'll be fine with the firmware you are happy with. Some folks will try to scare you with missing updates, but if you look closely at vulnerabilities fixed most are unlikely to happen, require specific conditions or access to internal network already.

 

[consorts]

thanks for the prompt reply

Enable SSH = LAN only
Allow SSH Port Forwarding = No

as for QOS logic, I doubt we'll miss new refinements
I mostly use WAN QOS to improve overall latency
ethernet lan fiber we average 6ms to central office
and LAN QOS so visiting relatives do not hog all
our bandwidth when some huge game updates.

https://imgur.com/Pjo4kFC

ignore the usb stick, we stopped using it long ago
that wire over the cover is for a USB Blower btw back & wall
I'm going to take down and dust blow the router tomorrow,
so I'll check back later today in case I missed anything critical.

 

[Tech9]

I mostly use WAN QOS to improve overall latency
and LAN QOS so visiting relatives

There is not really LAN QoS on this router. What you have is Bandwidth Limiter only for Guest Networks. This option is NAT acceleration incompatible and your 300/300 ISP plan is very close to what the CPU can actually process. You may want to disable Bandwidth Limiter and use Adaptive QoS only - may improve the latency situation. Guests on 2.4GHz network are technology limited to about 90Mbps anyway.

 

[consorts]

There is not really LAN QoS

thanks, i follow all that. I adaptive qos 240:240 on my 300:300 ISP and get wired results like;

https://imgur.com/divX2L5

my GW2 game ping is 40, and family uses video conferencing apps all day without complaint.
i primarily limit a few lan & 5.0 clients by their mac id, we only use 2.4 for printers and obihai.

 

[Tech9]

Whatever works best for your needs. There is no universal best settings.

 

[consorts]

Whatever works best for your needs. There is no universal best settings.

still,
if as you say bandwidth limiter and traditional qos may be stressing out the cpu
i'll try only leaving adaptive qos enable, and see if it yeilds the desired results.
thanks again.

 

[L&LD]

Is it a good idea to keep up with Firmware updates?

I have had issues in the past when updating firmware and Internet speed, But it may have just been a fluke, Should I keep up with the updates? If so On all routers or the nodes as well? What about ones acting as access points? Thanks

www.snbforums.com

Use the link above to save your current configuration.

Flash the latest version of the firmware available to secure your router/network as much as possible.

Note you may need to perform a full reset to factory defaults without using any saved backup config files to fully/properly test the new version.

If needed, you can always use the link to get back to where you are now. But you're best served by always being as up to date as possible on firmware.

Also note that your AC class router will be going EOL soon. Be prepared.

 

[consorts]

your AC class router will be going EOL soon. Be prepared.

it already is...
good thing i leave it's update notifications disabled
https://www.asus.com/event/network/eol-product/

 

[L&LD]

Yes, EOL by Asus, but RMerlin is still supporting it.

Notifications don't unmake EOL.