Common security practices are to keep a router for as long as it’s receiving security patches. Once it’s EOL, then replace it.
I have a GL.iNet router using the latest firmware that just released recently. However, the router is based on OpenWRT and is running v21.02 when the latest OpenWRT official version is 24.10.3. On OpenWRT’s website v21.02 is considered EOL.
So should this router be considered EOL? Should the whole company not be worth buying from since everything sold is immediately EOL? I don’t understand enough about cyber security to know how significant the jump is from v21.02 to v24.10.3.
PS. I know these routers can be flashed with straight OpenWRT but this is for the sake of my thought experiment.
OpenWrt uses a Linux kernel that is very near the latest (LTS) release. They kinda have to do this for support added for new devices and new wifi standards and so on.
A company that supports its own limited product range doesn’t need the newest kernel that much, because contrary to popular belief most kernel changes are not security related, and their devices don’t change hardware-wise.
But having said all of that, if I were you and my device was supported by OpenWrt, I would probably migrate to OpenWrt and be free of a small company’s limited support.
Okay, that makes sense. I do have another router with OpenWRT that I’m learning. Once comfortable enough I’ll switch it over.
Some routers have some features that are not in OpenWrt, like (hard) speed limits per device and some other management apps. They are not magic apps married to hardware, and if someone wanted, he is free to create them in OpenWrt himself.
But if you don’t need any of those niche apps (features), then going to OpenWrt (if your device is officially supported) makes a lot of sense.
If you use premade images from OpenWrt (I make images with their image builder) there is not much of a learning curve besides some jargon (sysupdate, binary, repo).
In the last years I used OpenWrt and then added the apps that I usually install on it after an upgrade, and just make an image and upload that to the device. But that is in the future and is not the noob way to do it (it is not hard but it is not just click-and-done).
One of the reasons that I went that way was because the default image didn’t include webui (you heard that right) because of size constraints, and wifi was disabled by default (for security, so that the user had to enable it and add a custom password).
Now those steps are included in the official image.
GL.iNet has a support page that states if the product is no longer receiving updates. If they are still pushing out updates for it, then I would consider it active.
Even though their OS is based on 21.02, it’s still their own fork of OpenWrt. Hopefully they’re backporting security fixes.
I hadn’t seen that page on their website, thanks. I would hope you’re right. That would make the most sense.
It essentially depends on what level of support you require.
End Of Life is a concept, not generally a fixed point in time … even though the likes of Microsoft are attempting to rewrite history and making everyone move off Windows 10 by a specific date.
And just like in that situation, you have options.
You can consider your relationship with Microsoft at an end and install a different OS, or you can continue the relationship and buy new hardware even though there’s absolutely nothing wrong with what you currently have.
The same is true for a router.
The decision around EOL is about what happens next.
Do you want to yell at the supplier if it breaks, or will you realise that yelling only happens if you spend money on lawyers, and in the meantime you can move on with your life and decide on an alternative path?
My car is worth $700 or so, even though I bought it new 15 years ago. Is it at the end of its life? It’s still getting me from here to there and back.
On the subject of a product receiving security updates, I don’t believe EOL is a concept. It is or it isn’t. If you choose to keep using it then physically it isn’t non-functional but likely has security vulnerabilities nonetheless.
Also, an old car isn’t a good example. The product style is different. You bought it knowing that’s what you’re getting, and it’s not designed to get years of updates that, when they end, can affect the driveability.
The point I was trying to make is that End Of Life is in the eye of the beholder. Just because it doesn’t get any updates from the manufacturer, doesn’t mean that the user has to throw it away.
Similarly, a user can give the device to a second hand store and the next user can use it … and so on.
As I said, it is not a fixed date or concept.
Generally yes. But we are talking about a public network facing device that is usually the first line of defense against the wide Net.
That needs to be updated for new threats. Those threats are not as extensive as 20 years ago (a lot of stuff is way better), but there are still bugs that appear in routers, as seen by the news about router hacks that sometimes pops up.