Bug-Related/Code-Injection Removal of Default WAN Gateway from Fresh pfSense Build

oustyxidioug

Configuration:

• Migration from clean community edition to latest pfSense Plus (Successful with no visible issues)
• No additional packages installed
• VLANs added (3 different ones)
• Intel NICs used
• No Admin changes to default WAN (Set at Automatic)
• No significant firewall rule changes other than policy routing for WAN/OpenVPN as necessary
• No NAT changes other than MANUAL Configuration selection to add path (as typically recommended by VPN-provider instructions) for routing VPN traffic through a single OpenVPN Gateway

Symptoms:

• VLANs and appropriate IPs for those VLANs work well after initial setup
• No memory issues or visible hardware issues
• The WAN Ethernet cable is sometimes purposely disconnected from modem during minor pfSense configuration changes (such as to an alias or firewall rule as needed); then it is reconnected after Admin logout
• pfSense is purposely shutdown overnight occasionally to limit attack surface
• Upon boot from those shutdown states, I notice that DNS is not available (connection must manually be recycled) and I notice that the default WAN gateway has been removed, with only the OpenVPN gateway remaining
• Upon recycle of the VPN connection, the ISP-assigned address is exposed and visible even though the default gateway under the DNS Resolver is only set to VPN

What could cause these issues: Static electrical charges during the Ethernet cable connection process? Known bugs associated with disconnecting/connecting the WAN Ethernet cabling? Or could it be an exploit that allows the bypassing of credentials, where an attacker gains control over the pfSense build?