I have got about 6 old Wdnap 350's with a WMS5316 controllers a couple of Drayteks, with all sorts of functionality. All are N 300mbps set at low power when they on and I have a box of them and other stuff I got in joblots for spares cheap off ebay that I brought cheaply over the years.
I am perfectly happy with them they do what I set them to do.
I remembered Netgear doing something similar in 2016 for the model up but not like this. I can't find the article now but as I remember if you upgrade to a certain firmware, they had two types I think, with some of their routers which is remote access controlled from their webservers for a monthly fee you can't revert back and I think it might have been the WDNAP360 ceiling dome thing.
I think I came across a firmware for the wdnap350 that had both options and a choice would appear after a factory reset and I read I can install that firmware and downgrade to standalone on that model. That sounds nice to have choices where you could do it for mass amounts of them when needed for convenience maybe temporary use where it could be reverted but I stayed away from the models that had that limitation/restriction as I did want to waste time and money with the risk of it automatically updating and then having start an argument on the phone to get them to replace it or it being a loss where it ends becoming no functional.
A while ago I sent back a Netgear WAC124 (wi-fi access point) for exactly this reason. Although it had the capability to be managed locally in the usual way, it would refuse access to the local admin interface if it had an internet connection, and insist on using an account via a Netgear server instead.
I replaced it with a WAC104 instead, which has no such limitation.
A little better than Linksys but it still sounds like harassment to me.
Great... Downgrading the Firmware of your internet router...
The one device that will always be susceptible to outside attack, that is the first, and in most SOHO settings your only, defense... Welcome to the next botnet
*Just do not buy that crap.
I don't know what's worse. Under attack from the manufacturer with their bullshit and spying or put at risk and possibly attacked with no longer maintained firmware by people who are not the manufacturers.
* The irony is you don't have buy these things they can be given to you as part of the contract by some ISP'S like the one I mentioned Gigaclear.
The good thing is that Gigaclear told me that was not the main router, it was just a freebee to help improve the wireless situation in the home.
Joke: Say I got one of these for free. I don't want this bullshit crippling stuff in my box of goodies designed and set by principle to restrict and insult the user. I don't want other people to find it in the dumpster and "experience" this "new cloud/app ecosystem bullshit" that is forced upon them. So I think it will be better for the "ecosystem" to burn it up in my trashcan and watch that magic smoke escape.
If you don't want to use your ISP provided router/CPE and wants to use your own router
I have some given to me which I find handy when I suspect there are problems with the broadband or physical line to rule out my equipment.
It is all in the cupboard on standby which I just swap out the VDSL cables over so my ISP can run tests and they have remote access to it I think through TRS069/ACS? and yes there are options to switch it off if I wanted to. Once they they are satisfied that all the tests have been done and if there is a fault they send out Openreach to investigate further.
One flaw with their router which is a Technicolour DWA0120 is that they set it to expose the built in webserver to port 80 of the gateway IP so anybody including the proxy server I tried it with can access it. No option to switch that off in the User or Engineers menu and no telnet access to do so. The config file and be decryped and encrypted but needs to be signed with a key for it to accept it. I spoke to someone a couple of months ago and apparently I can request them to switch off port 80 web server from being access by the gateway IP if I turn on the remote access stuff and they are able to connect to it. I think they refer to that as a dictionary "attack" when trying to guess the passwords if not trying by known vulnerabilities and no password attempt lockout policy is set.