I'm in Australia, I have "Fiber To The Home". This passes through the NBN box on the outside wall, to the NBN modem inside the wall, and thence to my mid-range ASUS AC1900 Dual Band router. Firmware has been upgraded to 2020-ish but I intend to upgrade to the latest in a couple of weeks.
All known devices/MAC adresses have been itemised in the DHCP. Some of these are WiFi connections. I do not use the WPS button at any time, ever. NAT is on, UpnP is off. Port Forwarding is on, NAT Passthrough is off.
The Admin password is (IMHO) reasonably strong, >10 characters @ 96 density (soon to be upgraded, will be longer), the PSKs very much stronger. All are randomly generated in my spreadsheet. The router is routinely offed for 10 minutes at the end of every month.
Is there anything I need to do to improve security against external attackers that does not involve air-gapping the router from the real world?
Thank you for the interest you have shown. I have learnt a few things I did not know before, and the security solutions are nowhere near as fearsome as I had imagined.