A $30 surge suppressor will not prevent this from happening again. You can see the fakespot review, for what it's worth.
Even a nearby lightning strike will overcome surge protection.
As far as I know and have seen, eliminating the path for the conducted radiation is best, if not the only, way to prevent problems in the future.
I didn't see anything in the AT&T list for fiber. It looked like all cellular.
Be careful that the AT&T 'fiber' is fiber to the home, not fiber to somewhere near your neighborhood.
A few years ago, an AT&T salesman knocked on my door and tried to sell me fiber. There wasn't an inch of fiber in our neighborhood. I suspect it was fiber to the DSLAM and DSL to the home. It topped out at 40 Mbps.
Spectrum was cheaper and faster for the price.
This ^^.
I was having similar problems with a TP-Link C9. Tested with iperf
PC->router->PC, wired
iperf indicated that the C9 topped out at 432 Mbps. Other than a static IP address on the WAN port, the C9 was in the default config.
I'm not sure where the .40. address is coming from. My Arris modem's admin page lives at 192.168.100.1. I don't need to do anything to my router to access it.
The router knows that it doesn't own a 192.168.100.x subnet and forwards that traffic 'toward' its default router, where the modem will reply. Not all modems use the .100. subnet. Arris and Motorola do.
In a typical (Arris/Motorola) config, if you watch the ethernet traffic while the modem is coming up and the router is DHCP'ing for its WAN address, you will see the WAN get 192.168.100.xx address until the modem negotiates with the ISP. The modem will then drop and restore link to the router forcing the router to do another DHCP request. The response to this second DHCP request receives the public IP address for the router's WAN port.
If you run wireshark on a PC connected to the modem while powered off, then power on the modem, you should see a gratuitous ARP advertising the modem's IP and MAC addresses. This will probably be the management IP address of the modem.
It may be easier to find a sorcerer that can turn the leaden WRT32X into enough gold to buy a pfSense firewall, an ethernet switch and a WiFi6e Access Point.
While the WRT32X does look like a capable xxWRT contender, the networking gods will raise the drawbridge on low latency and high throughput while your packets venture into the dark magical VPN world.
Presuming that you are not subscribed to more than about 500 Mbps, down, a DOCSIS 3.1 modem will not improve much.
If your current modem uses the Intel Puma 5, 6 and maybe 7 chipsets, then a new non-Intel modem may make a difference. If you are not having problems, then a DOCSIS 3.1 modem will probably not improve anything.
If your provider will soon support DOCSIS 4.0, I would wait.
I haven't done extensive testing, but the Eeros are OK APs when placed in bridge mode. However, that neuters most of the intended functionality and severely limits their configurations. They don't support PoE and don't support VLANs.
If you already have them, give them a try. If you are looking to buy them, I'd look at some other WiFi6 AP.
TL;DR, you should be OK.
This article may have some more info. The way that I'm reading the article, the Eeros create a virtual switch fabric and to correctly do that the Eeros need to know what's connected to each of their ethernet ports and each their WiFis.
What I cannot figure out, is if everything is wire-connected to the first downstream port, will the virtual fabric be correctly set up. I cannot see why not. The Eeros should be able to figure out where everything is (relative to the Eero's) whether wired or wireless and, thus, forward traffic in the correct direction.
It only seems like there may be a problem if an Eero is not at the entry-point/gateway/router for the rest of the network or the Eeros are all configured in bridge-mode.
To keep it simple (don’t want to cut/terminate my own cable) I’m getting a female/female wall plate.
Does this mean that you want to use a patch cable behind the wall?
If so, make sure it's CMR (riser/between floors) or CM (not between floors) rated.
Monoprice if you are in the US.
250' are pretty long 'patch' cables. Are the cables in walls or a plenum? Use CMR or CMP rated cables, respectively.
In all likelihood, the 'modem' is a router and each apartment is on a switch port routed through the ISP's router.
A firewall-only solution will protect the devices that you have connected to the ethernet port in your apartment. Juniper, Xophos, etc.
A firewall-only solution is not typical of consumer-grade equipment. If double-NATing is not a problem, your own router is the solution.