Hello all!
I am extremely new to the EdgeMAX/EdgeRouter world, and admittedly do not have the strongest grasp of network architecture. However, I work for a small company, so I get to wear the network admin hat from time to time.
Short story: the company moved, we purchased an EdgeMAX router to replace our old router/firewall solution, and we have a new ISP. I was able to get the EdgeMAX router configured pretty easily at our new location with our new block of IPs, get the firewall rules tweaked so we can actually segment the networks, etc.
As a final step, I followed this guide: https://help.ubnt.com/hc/en-us/articles/205220840-EdgeMAX-PPTP-VPN-with-local-users-RADIUS to get a basic VPN set-up going so that we can remote in if needs be. During my on-site testing (using a cell-modem) I was able to connect to the VPN and access internal resources just fine.
However, follow up remote tests have shown that some external requests (think standard HTTP calls) don't seem to ever return, despite seeing connections otherwise. This makes the experience of being connected to the VPN very annoying, especially as the hosted communications platform we use will fail to relay messages as long as we are connected to the VPN.
Based on my searching of this forum and other resources, the common wisdom seems to be that the MTU settings are set too high, but after 3 hours last week of tweaking MTU configurations I don't think that is the issue (though I would be happy to be wrong if it would just start working).
As it stands, websites like google.com and bing.com load just fine, while many other sites either fail to load or only load partially (example: foobar2000.org fails to load altogether; glip.com loads partially but is unusable). These same sites work on computers that are on the network, so I do not believe it is a firewall issue.
If anyone has any tips/tricks/solutions to offer me I would greatly appreciate it, as I just seem to be finding the same articles over and over that don't seem to provide a solution at this point.
Below is a masked version of our current config:
firewall {
all-ping enable
broadcast-ping disable
group {
address-group ADMIN {
description Administrators
}
address-group DEVELOPERS {
description "Developer IPs"
}
address-group PROD_SQL {
description "Production SQL Servers"
}
address-group PROD_WEB {
description "Production Web Servers"
}
address-group TEST_SQL {
description "Test SQL IP Address"
}
address-group TEST_WEB {
description "Test Website Addresses"
}
port-group RDP {
description "Remote Desktop Connection Port"
port 3389
}
port-group SQL_PORT {
description "SQL Server Port"
port 1433
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name DOMAIN {
default-action accept
description "Domain Firewall"
rule 1 {
action accept
description "Allow ADMIN RDP"
destination {
group {
address-group PROD_WEB
port-group RDP
}
}
log disable
protocol tcp
source {
group {
address-group ADMIN
}
}
}
rule 2 {
action drop
description "Drop PROD RDP"
destination {
group {
address-group PROD_WEB
port-group RDP
}
}
log disable
protocol tcp
}
rule 3 {
action accept
description "Allow TEST SQL Access - DEV"
destination {
group {
address-group TEST_SQL
port-group SQL_PORT
}
}
log disable
protocol tcp
source {
group {
address-group DEVELOPERS
}
}
}
rule 4 {
action accept
description "Allow TEST SQL Access - ADMIN"
destination {
group {
address-group TEST_SQL
port-group SQL_PORT
}
}
log disable
protocol tcp
source {
group {
address-group ADMIN
}
}
}
rule 5 {
action accept
description "Allow ADMIN PROD SQL access"
destination {
group {
address-group PROD_SQL
port-group SQL_PORT
}
}
log disable
protocol tcp
source {
group {
address-group ADMIN
}
}
}
rule 6 {
action drop
description "Block SQL Access"
destination {
group {
port-group SQL_PORT
}
}
log disable
protocol tcp
}
rule 7 {
action drop
description "Block PHONE (ETH2)"
destination {
group {
address-group NETv4_eth2
}
}
log disable
protocol all
source {
group {
}
}
}
}
name MACHINES {
default-action accept
description "Phone Jacks"
rule 1 {
action drop
description "Block PROD SQL Access"
destination {
group {
address-group PROD_SQL
port-group SQL_PORT
}
}
log disable
protocol tcp
}
rule 2 {
action drop
description "Block PROD RDP Access"
destination {
group {
address-group PROD_WEB
port-group RDP
}
}
log disable
protocol all
}
rule 3 {
action drop
description "Block TEST SQL Access"
destination {
group {
address-group TEST_SQL
port-group SQL_PORT
}
}
log disable
protocol all
}
rule 4 {
action drop
description "Block TEST RDP Access"
destination {
group {
address-group TEST_WEB
port-group RDP
}
}
log disable
protocol all
}
}
name OTHER {
default-action accept
description "Phone Jacks"
rule 1 {
action drop
description "Block PROD SQL Access"
destination {
group {
address-group PROD_SQL
port-group SQL_PORT
}
}
log disable
protocol tcp
}
rule 2 {
action drop
description "Block PROD RDP Access"
destination {
group {
address-group PROD_WEB
port-group RDP
}
}
log disable
protocol all
}
rule 3 {
action drop
description "Block TEST SQL Access"
destination {
group {
address-group TEST_SQL
port-group SQL_PORT
}
}
log disable
protocol all
}
rule 4 {
action drop
description "Block TEST RDP Access"
destination {
group {
address-group TEST_WEB
port-group RDP
}
}
log disable
protocol all
}
rule 5 {
action drop
description "Block DOMAIN (ETH1)"
destination {
group {
address-group NETv4_eth1
}
}
log disable
protocol all
}
rule 6 {
action drop
description "Block PHONES (ETH2)"
destination {
group {
address-group NETv4_eth2
}
}
log disable
protocol all
}
rule 7 {
action drop
description "Block Domain (SOURCE ETH1)"
log disable
protocol all
source {
group {
address-group NETv4_eth1
}
}
}
rule 8 {
action drop
description "Block PHONES (SOURCE ETH2)"
log disable
protocol all
source {
group {
address-group NETv4_eth2
}
}
}
}
name PHONES {
default-action accept
description "Phone Jacks"
rule 1 {
action drop
description "Block PROD SQL Access"
destination {
group {
address-group PROD_SQL
port-group SQL_PORT
}
}
log disable
protocol tcp
}
rule 2 {
action drop
description "Block PROD RDP Access"
destination {
group {
address-group PROD_WEB
port-group RDP
}
}
log disable
protocol all
}
rule 3 {
action drop
description "Block TEST SQL Access"
destination {
group {
address-group TEST_SQL
port-group SQL_PORT
}
}
log disable
protocol all
}
rule 4 {
action drop
description "Block TEST RDP Access"
destination {
group {
address-group TEST_WEB
port-group RDP
}
}
log disable
protocol all
}
rule 5 {
action drop
description "Block DOMAIN (ETH1)"
destination {
group {
address-group NETv4_eth1
}
}
log disable
protocol all
source {
group {
}
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log disable
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 1 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 2 {
action accept
description "Allow PPTP Port 1723"
destination {
port 1723
}
log disable
protocol tcp
}
rule 3 {
action accept
description "Allow PPTP GRE"
log disable
protocol gre
}
rule 5 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address MASKED/24
description Internet
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 192.168.0.1/24
description Domain
duplex auto
firewall {
in {
name DOMAIN
}
}
speed auto
}
ethernet eth2 {
address 192.168.20.1/24
description Phones
duplex auto
firewall {
in {
name PHONES
}
}
speed auto
}
ethernet eth3 {
address 192.168.30.1/24
description "Guest Network"
duplex auto
firewall {
in {
name MACHINES
}
}
speed auto
}
ethernet eth4 {
address 192.168.40.1/24
description "Vending Network"
duplex auto
firewall {
in {
name OTHER
}
}
speed auto
}
ethernet eth5 {
duplex auto
firewall {
in {
name OTHER
}
}
speed auto
}
ethernet eth6 {
duplex auto
firewall {
in {
name OTHER
}
}
speed auto
}
ethernet eth7 {
duplex auto
firewall {
in {
name OTHER
}
}
speed auto
}
loopback lo {
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name Guest-Network {
authoritative disable
subnet 192.168.30.0/24 {
default-router 192.168.30.1
dns-server 192.168.30.1
lease 86400
start 192.168.30.20 {
stop 192.168.30.243
}
}
}
shared-network-name LAN2 {
authoritative disable
subnet 192.168.20.0/24 {
default-router 192.168.20.1
dns-server 192.168.20.1
lease 86400
start 192.168.20.38 {
stop 192.168.20.243
}
}
}
shared-network-name Vending-Network {
authoritative disable
subnet 192.168.40.0/24 {
default-router 192.168.40.1
dns-server 192.168.40.1
lease 86400
start 192.168.40.20 {
stop 192.168.40.243
}
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth1
listen-on eth2
listen-on eth3
listen-on eth4
listen-on eth5
}
}
gui {
https-port 443
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
gateway-address MASKED
host-name ubnt
login {
user MASKED {
authentication {
encrypted-password MASKED
}
level admin
}
}
name-server 74.40.74.40
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi enable
export enable
}
}
vpn {
pptp {
remote-access {
authentication {
local-users {
username arodman {
password MASKED
}
username rogerw {
password MASKED
}
}
mode local
}
client-ip-pool {
start 192.168.0.30
stop 192.168.0.40
}
dns-servers {
server-1 192.168.0.10
server-2 192.168.0.1
}
mtu 1400
wins-servers {
server-1 192.168.0.10
}
}
}
}