I once had to give my ISP access to my modem (can't 100% remember why), and after they were done they started telling me that the admin passwords had to stay the exact same as what they set them to.
Fine. ok. The minute they finished what they had to do I changed the password to an ultra hard password, then sat down and composed a very nasty email to them about that "policy"
Yes this is common with some ISP's. Sadly people don't know the extent of their ISP's intentions, and some of these intentions are not for the users benefit.
If the ISP has full access to modem/router:
1. Check if they updated your firmware?
2. Is your modem one of those affected by port 32764 being open?
3. Did you check for other user accounts on the router?
4. Look for any opened ports exposed to WAN side.
Some interesting info to read:
These are very nice indeed. Not sure how capable they are to handle multiple VPNs connections with pfSense but that wouldn't matter if OpenVPN Server plugin was installed on unRAID.