If it behaves the same when the tunnel is established via another ISP, I agree with you that it does not look like an ISP issue. Hence you need to sniff a single connection to a web site that fails and see what exactly is going on there. So find a web site that does not work, find out its IP address, and sniff traffic to and from this address on ether1 into a file. Then try opening that site and open the file in Wireshark once the attempt fails. You should see whether the server repeatedly retransmits some large packet, which would indicate that neither the PMTUD nor the change-mss rules worked, so that large packet makes it to your router but not further via the tunnel, or whether something else is wrong there.
You may also consider following this link.
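
Added example (not part of the original post): a script that performs the check described above on the saved capture, reporting large TCP segments that the server sent several times with the same sequence number. It assumes a classic pcap file with Ethernet framing and IPv4; the function names, thresholds and the sample capture built from documentation addresses are constructed for illustration.

```python
import struct
from collections import Counter

def tcp_segments(pcap):
    """Yield (src_ip, seq, ip_total_len, payload_len) per IPv4/TCP frame of a classic pcap."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = 14 + ihl
        if len(frame) < tcp + 14:
            continue  # TCP header cut off by the capture
        total = struct.unpack("!H", frame[16:18])[0]  # from the IP header, survives truncation
        seq = struct.unpack("!I", frame[tcp + 4:tcp + 8])[0]
        doff = (frame[tcp + 12] >> 4) * 4
        yield ".".join(map(str, frame[26:30])), seq, total, total - ihl - doff

def stuck_segments(pcap, server_ip, min_ip_len=1400, min_copies=3):
    """Return {(seq, ip_len): copies} for large server segments seen min_copies or more times."""
    seen = Counter((seq, total) for src, seq, total, plen in tcp_segments(pcap)
                   if src == server_ip and plen > 0 and total >= min_ip_len)
    return {key: n for key, n in seen.items() if n >= min_copies}

def _frame(src, dst, seq, payload_len):
    """Constructed Ethernet/IPv4/TCP frame; checksums zeroed, ports fixed (unused by the check)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, seq, 0, 0x50, 0x10, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\x00" * payload_len

def sample_pcap():
    """Constructed capture: server 203.0.113.10 sends the same 1500-byte packet four times."""
    frames = [_frame("203.0.113.10", "192.0.2.2", 1000, 200)]
    frames += [_frame("203.0.113.10", "192.0.2.2", 1200, 1460)] * 4
    frames.append(_frame("192.0.2.2", "203.0.113.10", 1, 0))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(stuck_segments(sample_pcap(), "203.0.113.10"))
```

A non-empty result matches the symptom described in the post: the same large packet keeps arriving from the server. An empty result points to the "something else" case.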