  • As I said, the router’s WWAN IMEI is a bit like a MAC address that is bound to a hardware brand and type. But unlike simple MAC spoofing, you can’t bypass that without some very advanced spy-level hack skills, and that can even be a criminal offence in some countries. (IMEI numbers are involved in network and cell tower authentication.) The carrier expects a link with a device that has the IMEI of a voice handset - and the Netgear can’t do this.

    Your carrier might work with the Netgear just fine, but that will only be due to how motivated the carrier is to detect and police this breach of their terms. You can buy the Netgear, but there is a risk that you’ll get cut. The only way to defeat this reliably is via the method I’ve given you, which is akin to exploiting a technical loophole.


  • I suspect this all boils down to commercial factors for the carrier, and this is triggered via the amount of data you download.

    If you are in the top few percentile of all plan users you will absolutely draw attention to yourself. I tend to believe that these sorts of scans are only performed against top abusers. Like small credit card fraud, there is an accepted cost built in because the cost of surveillance and correction can be much higher than the cost of the fraud itself.

    If you just use a common amount of data you may never have any issue, because it takes resources to track and manage abusers, and if that user is within an average user profile it actually works against the carrier to cut you off because it’s just revenue.



  • The spare phone as a modem is the only foolproof way, unfortunately.

    With a router, devices connected behind it create an extra hop and this can be detected in the TTL, but your mileage may vary if you put a SIM in a WWAN-enabled router. It might work or it might not.

    I’ve tried a number of methods with different carriers. Some don’t limit this sort of thing via technical surveillance, they just deploy an acceptable use policy (but these are typically the carriers that give you unlimited data BUT with a maximum speed cap). The faster the link, the more likely you will encounter proactive surveillance.

    EDIT: This below USB modem link is also a voice-enabled device that you can build a raspi phone out of, and it also can receive SMS, making it likely it reports as a voice-enabled device, which is what carriers usually stipulate. I’ve had no issues with multiple SIM plans in it.

    I use this IoT-type USB industrial modem plugged into my OpenWRT router as my failover link, which is virtually plug and play in Linux. The benefit with this is I can also use this modem on other professional study projects for testing, and it’s much cheaper than a spare phone. It’s just another cheaper option to think about.

    https://www.waveshare.com/sim7600g-h-4g-dongle.htm


  • Oh yeah, I forgot to ask, do you use iPhone or Android?

    If you use iPhone you need to run a little script in the background to stop the phone asking for you to trust the connection and stopping the link every so often. I’ve added it for others that might search this solution later…

    #!/bin/sh
    # Make iPhone tethering stay alive on OpenWrt

    # After successfully trusting the iPhone for tethering, copy files with names like
    # /var/lib/lockdown/12345678-9ABCDEF012345678.plist to /etc/lockdown/locks.
    # That way, you won't have to set up trust again after the router reboots.
    # (Restore from the locks directory named above; a plain cp skips directories.)
    if [ -d /etc/lockdown/locks ]
    then
        mkdir -p /var/lib/lockdown
        cp -f /etc/lockdown/locks/* /var/lib/lockdown/
    fi

    # Lockdown records restored, now we can launch usbmuxd. Don't launch it sooner! (this is run from init.d)
    usbmuxd

    # We are up and running now. But unfortunately if your carrier signal is weak, iPhone will
    # drop connection from time to time and you'd have to unplug and replug USB cable to start tethering
    # again. Script below automates that activity.

    # First wait a bit - we just brought the interface up by usbmuxd
    sleep 60

    # If we see iPhone ethernet interface, try to ping iPhone router's address (172.20.10.1).
    # When the ping is unsuccessful, rebind iPhone ethernet USB driver and wait for things to settle down
    while :
    do
        for i in /sys/bus/usb/drivers/ipheth/*:*
        do
            test -e "${i}" || continue
            # POSIX redirection: "&>" is a bashism and is not reliable under /bin/sh
            if ! ping -w 3 172.20.10.1 > /dev/null 2>&1; then
                # ${i##*/} is the USB interface ID, ${i%/*} is the ipheth driver directory
                echo "${i##*/}" > "${i%/*}"/unbind
                echo "${i##*/}" > "${i%/*}"/bind
                sleep 15
            fi
        done
        sleep 1
    done


  • Yes, but you can work around any limitations if you are clever and understand their means of detection.

    The carrier can tell whether the SIM card is in a phone vs tethered to a router and shared. They can track this in two ways.

    1. Via the IMEI number of the phone: some carriers will detect if the SIM is not in a voice device, so placing the SIM in a 4/5G-enabled router may be easily tracked & detected.
    2. Tethering to a router via USB can be detected via the TCP/IP TTL value. With every hop on a network, the TTL of packets is reduced in increments. The carrier can look at the TTL it expects vs the TTL it sees to determine that there are more hops downstream of the phone, which will be added by a router.

    But this can all be defeated.

    You simply tether your phone to a router over USB as if it is a WWAN interface. OpenWRT is a great router OS to do this (I have done this with both iPhone and Android, though Android is simplest).

    From there, with the WWAN set up, all you need to do is re-increment the TTL by 1 at the router to compensate for the extra hop and your router is invisible to the carrier.

    This is done in the OpenWRT firewall custom config (here is an example I am using in my config; “wan_iphone” is the USB-tethered phone interface name):

    iptables -t mangle -I POSTROUTING -o wan_iphone -j TTL --ttl-inc 1

    Your carrier will have no idea!
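
The TTL comparison described in point 2 of the comment above, seen from the carrier's side, as an added example that is not part of the original comment. It assumes the observation point is the first carrier hop (so a handset's own packets arrive with an undecremented TTL) and that senders use the common stack defaults of 64, 128 or 255; the subscriber IDs and samples are constructed.

```python
from collections import defaultdict

# Default initial TTLs of common IP stacks: 64 (Linux, Android, iOS, macOS),
# 128 (Windows), 255 (some network equipment).
INITIAL_TTLS = (64, 128, 255)


def infer_hops(observed_ttl):
    """Return (assumed initial TTL, hops traversed before the observation point)."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def flag_tethering(samples, expected_hops=0):
    """samples: (subscriber_id, observed_ttl) pairs seen at the first carrier hop.

    expected_hops is an assumption: 0 means the handset is directly attached.
    Returns {subscriber_id: [reasons]} for subscribers whose TTLs look shared.
    """
    seen = defaultdict(set)
    for subscriber, ttl in samples:
        seen[subscriber].add(infer_hops(ttl))

    findings = {}
    for subscriber, pairs in seen.items():
        reasons = []
        extra = max(hops for _, hops in pairs) - expected_hops
        if extra > 0:
            reasons.append(f"{extra} extra hop(s) behind the handset")
        if len({initial for initial, _ in pairs}) > 1:
            reasons.append("multiple initial-TTL families on one SIM")
        if reasons:
            findings[subscriber] = reasons
    return findings


# Constructed samples, not real traffic.
SAMPLES = [
    ("sub-A", 64), ("sub-A", 64),    # handset's own traffic
    ("sub-B", 63), ("sub-B", 127),   # two client stacks routed through the handset
    ("sub-C", 62),                   # client -> router -> handset
]
```

TTL is a single heuristic signal, which is why the comment lists it alongside the IMEI check rather than on its own.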


  • I concur with u/Bellegr4ine and will add a little more:

    • If your WAN is PPPoE then another more elegant solution that might fit is to set up 3 ports on the managed switch for use in FRONT of the main router, and have your cable/carrier WAN ethernet output and the WAN interfaces of both the wifi router and the pfSense all plugged into these ports.
      • This creates a shared carrier WAN VLAN in front of both firewalls.
      • In most cases, both wifi router and pfSense should get their own public IP, basically splitting one internet connection into two separate public IPs. Many carriers can’t limit this to support landline phone services.
      • This scenario will also work where the carrier also needs a VLAN tag to connect to PPPoE, just set the VLAN ID of the carrier the same as the carrier requires.
      • The only thing this breaks is the ability to manage QoS on the link because there are two connections, but no central QoS.
      • Both router and pfSense then plug their LAN output into the appropriate VLAN ports on the managed switch.

    I do this and it allows me to run a family LAN network and also to have a completely separate internet environment for my lab.


  • Debian, always Debian for server type things, BUT, it might be more versatile to put VMware ESXi on it (or Proxmox).

    https://github.com/itiligent/ESXi-Custom-ISO

    This repo has working scripts to inject into the ESXi installer ISO with all the drivers you need to get your NUC running as a virtualization host. (Recently VMware was acquired and all the community driver sites were taken down, so other online build tools stopped working.)

    I run a homelab with a cluster of ESXi NUCs, it’s just sooooo useful, especially when developing code for different platforms or just quickly learning things and tinkering about.


  • I had your exact same problem in my old brick house that is hard to cable and not so great for wifi range. More powerful wifi won’t add much as the wifi power is all limited to what the connecting device can also send back, and that won’t change. You need to re-shape the wifi coverage of your home.

    I run a second router configured as a dumb access point that shares the same SSID, and the connection between runs over a powerline type extender. Your device will choose the best signal to attach to automatically. Another option is mesh networking products.

    Google dumb access point to get started…


  • As long as you are under 100 metres, just run cables. Run the outdoor Cat6a variety, or lay regular in conduit. Don’t run just one, run two (one for now and one for later/if something breaks).

    You can buy other point to point wireless networking devices as suggested below, but these will all add more power use and complexity as they are a little specialised to get working well.

    Cat6a will allow you many years of cheap and reliable service and will be cheaper in the long run unless you’ve got some really difficult terrain to work with.

    You could also run Multi Mode fibre optic cable up to 550m with 2 cheap switches that have an SFP port at either end. This will cost a little more, but will give you near unlimited expansion.


  • Oh, and another thing, make sure you don’t have any security settings with your browser that can impede the CFE website on the router. Brave is good at breaking this sort of thing. Turn the router OFF for a full minute or two and disconnect power before you start the process of entering recovery mode, we need that NVRAM free of junk from the broken upload.

    If you miss getting the router into recovery mode on the first try due to timing, disconnect power and wait again before starting over. This sounds odd, but a lot of junk can stay in RAM for quite a while after power off, and your last firmware is broken so we don’t know how that’s going to impact.



  • I forgot to mention, there’s actually a whole underworld of router hardware hackers out there (me included) who add custom firmware to these consumer devices - and thus never have these issues. Ever.

    A part of hacking router hardware means sometimes “alternative” ways of uploading and unbricking are needed, and the below link is one such example. Asus routers look like they all use a simple TFTP recovery mode which won’t specifically need the Asus recovery app (which is prob rubbish anyway), you just need a TFTP server and the right sequence and timing of upload.

    Here is a hacker’s recovery method for a similar model… Asus are likely all the same.

    https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1208723

    Manual unbricking should be fairly straightforward if you pay attention to those steps. They should also map to what the recovery app is trying to do as well, just without the flakiness.

    On a side note, these Asus models look like more security and stability hassles than they are worth. OMG, Asus firmwares have broken so many motherboards and routers this year. Next time, buy something compatible with DDWRT (easy) or OpenWRT (advanced) firmware. This always means avoiding routers with Broadcom based chipsets. Confirm future purchases with these links and play… you’ll never look back…

    https://openwrt.org/toh/start

    https://dd-wrt.com/support/router-database/


  • I’m an old datacentre guy, so please take note.

    You should aim for zero public IP exposure to services. It is not good what you’ve got there.

    If all those hosts are on public IPs and you’re not really in control of any upstream device to manage network traffic to them if you do this - you are at the whim of your provider.

    How are you going to centrally authenticate and manage/monitor all this? You’re missing some sort of gateway that YOU control. You’ve actually drawn up a honeypot for hackers.

    Please run your own virtual firewall at least, and configure the vswitches accordingly in layers and microsegment separate each service so one compromised system does not give over the whole network. Set up VLANs to allow for this sort of flexibility (and future flexibility).

    Depending on how many public IPs you have, consider putting everything behind NAT or PAT. Make a separate network just to access the VMware kit and secure this (no web mgmt consoles on public IPs!).

    What you’ve got here is asking for trouble and will be a management mess.

    Create something like 4 tiers of network and separate these with your firewall, or two firewalls.

    1. DMZ (private IPs and nginx go here and pass through to #2 only required ports)
    2. Main docker and VMs (only allow access between DMZ and data layers, no outgoing/egress)
    3. Your data - the core, only allow layer #2 devices that need access.
    4. VMware management (it’s called out-of-band networking) - this is where you use a private way of accessing this network for back end management. This network can’t access 1, 2 or 3.
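
A way to review a firewall ruleset against the four tiers listed in the comment above, as an added example that is not part of the original comment. Zone names, port numbers and the sample ruleset are constructed; the internet-to-DMZ entry on 443 is an assumption, and rules are read as connection initiations on a stateful firewall.

```python
from collections import deque

# Tier policy from the comment, expressed as allowed connection initiations.
# Zone names and port numbers are constructed placeholders.
POLICY = {
    ("internet", "dmz"): {443},   # assumption: nginx is published through NAT/PAT
    ("dmz", "app"): {8080},       # tier 1 -> tier 2, required ports only
    ("app", "data"): {5432},      # tier 2 -> tier 3
}                                 # tier 4 (mgmt) has no flows to or from tiers 1-3


def violations(rules):
    """Return the (src, dst, port) rules that the tier policy does not allow."""
    return [r for r in rules if r[2] not in POLICY.get((r[0], r[1]), set())]


def reachable(rules, start):
    """Zones reachable from `start` by chaining permitted flows zone to zone."""
    graph = {}
    for src, dst, _port in rules:
        graph.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


# Constructed ruleset under review: the last two rules break the tier model.
RULES = [
    ("internet", "dmz", 443),
    ("dmz", "app", 8080),
    ("app", "data", 5432),
    ("app", "internet", 443),   # egress from tier 2
    ("app", "mgmt", 443),       # management console reachable from tier 2
]


def review(rules):
    """Summarise policy violations and what a compromised DMZ host could reach."""
    bad = violations(rules)
    clean = [r for r in rules if r not in bad]
    return {
        "violations": bad,
        "mgmt_exposed_as_written": "mgmt" in reachable(rules, "dmz"),
        "mgmt_exposed_after_fix": "mgmt" in reachable(clean, "dmz"),
        "dmz_reach_after_fix": sorted(reachable(clean, "dmz")),
    }
```

`review(RULES)` shows that the two extra rules are what put the management network within reach of a compromised DMZ host; with them removed, the reach is limited to the app and data tiers on their required ports.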


  • Datacentre + 25 years of Linux expertise here:

    Design the system around how you use your data, how important your data is, and where you want to back it up etc. Forget about choosing the platform first…but…

    Open source gives you WAY more options, Windows will just share files.

    E.g. an open source NAS will let you sync and aggregate all your cloud storage and backup apps as one single virtual cached storage directory all available in your file explorer. No stupid clients and bloat. Open source will give you snapshots too. All syncs happen in the background with real integrity checking. (For example, look at RCLONE as a wonderful OneDrive client replacement for a virtual cloud filesystem, just run this on your NAS.)

    Open source also lets you add unlimited Backblaze backup to your NAS without the business subscription (if you’ve got a few basic Linux skills).

    Open source also allows a wide array of virtual machines or containers for other handy home network utilities (think always-on Pi-hole, DNS ad blockers etc.)