On the GW the netstat -tulpen output shows dhclient as working on all interfaces including the internal network. This is very bad especially since its not just listening. The only place where dhclient makes sense is the outer NIC of the GW where its a trusted NAT network that assigns dynamic addresses - however it should never be looking at the internal network for anything.
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name udp 0 0 0.0.0.0:16151 0.0.0.0:* 0 11238 858/dhclient udp 0 0 0.0.0.0:68 0.0.0.0:* 0 11262 858/dhclient udp 0 0 10.152.152.10:5300 0.0.0.0:* 0 18054 3435/tor udp6 0 0 ::: (sanitized*) :::* 0 11239 858/dhclient
*Sanitized since I am not familiar with IPv6 addresses
The Tor UDP connection is unusual too. Any idea what that is about?