Symptom:  TLS handshake timeouts on HTTPS sites (those that block ICMP) in all browsers

 

Cause:  Path MTU discovery failure + decreased MTU due to PPPoE.

 

Fix:  Enable MSS clamping in iptables:

      iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
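
To confirm the clamp is actually loaded on the router, the rule listing can be audited. The script below is an added example, not part of the original note: the function names, the 1492-byte PPPoE MTU and the sample rule listing are assumptions constructed for illustration. It also flags a fixed --set-mss value that is too large for the link, which leaves the same symptom in place.

```shell
#!/bin/sh
# Added example: audit `iptables -S FORWARD` output for an MSS clamp on forwarded SYNs.

# Largest TCP payload that fits in one IPv4 packet of the given MTU
# (20-byte IPv4 header + 20-byte TCP header, no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Usage: iptables -S FORWARD | audit_clamp <link-mtu>
# Prints "ok"        if SYNs are clamped to the path MTU, or to a fixed MSS that fits,
#        "too-large" if only a fixed --set-mss above the link's MSS is present,
#        "missing"   if no TCPMSS rule matches forwarded SYN packets.
audit_clamp() {
    limit=$(mss_for_mtu "$1")
    awk -v limit="$limit" '
        /^-A FORWARD / && /-p tcp/ && /--tcp-flags SYN,RST SYN/ && /-j TCPMSS/ {
            if ($0 ~ /--clamp-mss-to-pmtu/) { ok = 1; next }
            for (i = 1; i < NF; i++)
                if ($i == "--set-mss") {
                    if ($(i + 1) + 0 <= limit) ok = 1; else big = 1
                }
        }
        END { print (ok ? "ok" : (big ? "too-large" : "missing")) }
    '
}

# Constructed sample of `iptables -S FORWARD` output (not captured from a real host).
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# 1492 is the assumed PPPoE link MTU (1500-byte Ethernet minus 8 bytes of PPPoE/PPP header).
echo "expected MSS on a 1492-byte link: $(mss_for_mtu 1492)"
echo "clamp status: $(printf '%s\n' "$SAMPLE_RULES" | audit_clamp 1492)"
```

On the router itself, pipe the live listing in instead of the sample: iptables -S FORWARD | audit_clamp 1492.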