Leave a Router eternally running or reboot from time to time?

What's your take on this?

Do you leave your OpenWrt router permanently running (as long as there is power supply) or do you reboot your device at regular intervals?

Are there any advantages / disadvantages or security implications for both approaches?

Looking forward to your viewpoints...

Energy considerations aside, I recommend leaving it running, aside from service/maintenance like upgrades, certain configuration changes, etc.

OpenWrt and most of the hardware targeted by the system should be able to run 24/7/365 and remain rock solid. If it doesn't, there is a problem that needs to be investigated. Rebooting the device at regular intervals may keep it running smoothly, but it really just means the problem is being masked by the reboots, not solved. It's always best to troubleshoot and hopefully solve the root cause of the issue that is causing problems -- misconfigurations are a common source of such problems, or there may be bugs which should be reported and resolved at the source.

EDIT: I just checked the uptime of the OpenWrt VPN endpoint at my dad's house ~3000 miles away. It's been running for 306 days; the last downtime was likely related to a sysupgrade when I was last there. During the pandemic, I was unable to visit for ~2 years or more, so it would have had an uptime in line with that schedule (and I think that there wouldn't have even been power glitches in that time because there is a UPS + "home standby" backup generator).

8 Likes

My sister's router got rebooted when she moved. I'm a lazy slob and haven't updated it "for a while."

09:41:38 up 432 days, 16:03,  load average: 0.15, 0.87, 0.61

11 Likes

There are different schools on this topic for different reasons.

The biggest reason I moved to OpenWrt was to get rid of the standard operating procedure of normal home routers, in other words “reboot whatever happens to solve whatever problem” and repeat that every day because nothing really works on some OEM firmwares.

On the other hand, the only way to clean up home router intruder bots of different types is to reboot, but they will come back once booted again if there is a security hole, so only a reboot isn’t a long-term solution anyway.
But again, I have never seen a confirmed living bot in an OpenWrt router here in the forum?

But sometimes when the ISP has done some work it seems that OpenWrt firmware has big problems getting internet on WAN working again, and the quickest way to solve this is simply to pull the plug and do a cold restart. It is also possible to do a network restart, but that takes a lot longer than a simple cold reboot.

2 Likes

Add option broadcast '1' in /etc/config/network under section config interface wan, or check the box in LuCI interfaces > wan > advanced settings.

1 Like

I think rebooting has nothing to do with security.
My router reboots once a day. The time and adblock are updated.
I configured the time update so that it would only be updated with a reboot, so that the router would not always keep port 123 open.
Well, for security, I blocked protocols such as igmp, icmp, pim, rdp.
And I don't advise doing this if you don't understand what you're getting into.
The hardest part is getting the router to work with blocked icmp, but I did it.
Also blocked some ports, for safety, just in case, and there are different cases.
I am one of those who are called paranoid, they offer me a tinfoil hat, but I don’t pay attention to such people, I don’t care what they think about me.
In terms of electricity, the router does not consume anything, there is no point in turning it off to save money.
In terms of security, it's up to you.
If you don't trust your smartphones, computers or TVs, then turning off the router won't help you much, you'll turn it back on anyway :slight_smile:

You don't have to reboot for either function - just FYI.

3 Likes

Not how it works. There's no need to open the port at all in the firewall to allow the router to request time updates.

5 Likes

Please don't sell crack to kids, ok?

5 Likes

No advantage in rebooting outside of upgrading the kernel.

2 Likes

I have really no idea what you have done in your setup. But once synchronized and checked the NTP client will move to a fixed 32min update interval.

1 Like

Additionally, it's an outbound connection, so as @krazeh noted, altering of the firewall to open 123/udp is also unnecessary.

2 Likes

After my previous response I had a check and there's an entire thread about their 'approach' to ntp. Suffice to say, like most networking related things, they had no idea what they were doing and refused to accept any advice that didn't fit their 'worldview'. It's an actual miracle they have working internet access, despite their many many attempts to break it in the pursuit of 'security'...

4 Likes

These kinds of posts just beg for adding a thumbs down flag to the forum.

5 Likes

Isn't the default OpenWrt firewall setup sufficiently secure without having to make any modifications?

The following is the default behaviour, correct?

  1. Accept incoming and outgoing traffic to wan, and drop forwards.

  2. Reject all incoming and forwards from wan, and only allow outgoing.

1 Like

BINGO!!! As good as you’ll get right out of the box!

And as you’ve seen in this thread, those that know better will pounce on anything that shouldn’t ever be done.

1 Like

Nope, that is not default behaviour.

1 Like

"Accept (forwarding) traffic from LAN to WAN - and allow forwarding between interfaces assigned to LAN zone - Outgoing from LAN interfaces Allowed - also Allow Input from LAN"

"Reject all Input on WAN and Reject Forwarding from interfaces assigned to WAN zone - Outgoing from WAN interfaces Allowed"

3 Likes
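
An added example, not code from any poster in this thread: a shell check that reads zone policies from a firewall config in UCI syntax and lists rules that accept inbound port 123 from wan, which the replies above note is unnecessary because the router's NTP client only makes outbound connections. The sample config is constructed (its lan and wan values follow the defaults quoted in the post above), and the rule name Open-NTP and the helper function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /etc/config/firewall (UCI) syntax; not from a real device.
SAMPLE_FW=$(cat <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'wan'
config rule
    option name 'Open-NTP'
    option src 'wan'
    option proto 'udp'
    option dest_port '123'
    option target 'ACCEPT'
EOF
)

# uci_sections <type>: one line per section of that type, " key=value key=value ".
uci_sections() {
    printf '%s\n' "$SAMPLE_FW" | awk -v t="$1" -v q="'" '
        function flush() { if (type == t && line != "") print line " "; line = "" }
        { gsub(q, "") }
        $1 == "config" { flush(); type = $2; next }
        $1 == "option" { line = line " " $2 "=" $3 }
        END { flush() }'
}

# zone_policy <zone> <input|output|forward>: print the zone's policy for that direction.
zone_policy() {
    uci_sections zone | grep " name=$1 " | sed -n "s/.* $2=\([A-Z]*\) .*/\1/p"
}

# wan_ntp_accept_rules: names of input rules (src set, no dest) accepting port 123 from wan.
wan_ntp_accept_rules() {
    uci_sections rule | grep ' src=wan ' | grep -v ' dest=' | grep ' dest_port=123 ' |
        grep ' target=ACCEPT ' | sed -n 's/.* name=\([^ ]*\) .*/\1/p'
}

echo "wan: input=$(zone_policy wan input) forward=$(zone_policy wan forward) output=$(zone_policy wan output)"
echo "inbound NTP rules not needed by the router's own client: $(wan_ntp_accept_rules)"
```

To run it against a real device, replace the embedded sample with the contents of /etc/config/firewall.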

Sounds like Dunning is pranking us... Or, maybe it's Kruger.