I think I found the solution to the “boot” leak and changing servers leak:
Disable masquerading on WAN on Firewall.
See this new thread: