A self signed cert that doesn't change, that the browser remembers and expects from the ip of the router, is perfectly secure. It's like ssh trust on first use, where the first use is a private direct connection between the machine and the router with no possibility of man-in-the middle.
If the cert changes on every boot, the first use trust is invalidated.
If the cert changes on every boot, the first use trust is invalidated.