Here is my complete configuration, maybe there's something missing.
I cannot see anything missing there, rather some redundant parts - I'd remove the action=mark-connection rules from mangle and the connection-mark=!local condition from the first action=fasttrack-connection rule, because the two action=accept rules matching on local=>!local and on !local=>local placed before the action=fasttrack-connection one are sufficient to prevent packets to/from 10.10.10.0/24 from making their connections fasttracked. So you can re-enable the first fasttracking rule, and remove the second one which is shadowed by the "accept established/related/untracked" one anyway. But that's not a solution of the Netflix issue, that's just saving a few CPU cycles per packet.
But since fasttracking is not what breaks your Netflix connections, enable the first action=change-mss rule, and add another one which will look the same except that 10.10.10.0/24 will be used as dst-address rather than src-address.
If this doesn't help, it is not an MTU/MSS issue.