You can try latest firewall4
wget -O /usr/share/ucode/fw4.uc https://github.com/openwrt/firewall4/raw/dfbcc1cd127c78fc61bb870d36d2512b571d223b/root/usr/share/ucode/fw4.uc
wget -O /usr/share/firewall4/templates/zone-mssfix.uc https://github.com/openwrt/firewall4/raw/dfbcc1cd127c78fc61bb870d36d2512b571d223b/root/usr/share/firewall4/templates/zone-mssfix.uc
wget -O /usr/share/firewall4/templates/ruleset.uc https://github.com/openwrt/firewall4/raw/dfbcc1cd127c78fc61bb870d36d2512b571d223b/root/usr/share/firewall4/templates/ruleset.uc
Oradd some more of my own developments
wget -O /usr/share/firewall4/templates/ruleset.uc https://github.com/openwrt/firewall4/raw/fe27543b55e55b71cbba1502d7f569058111e0f9/root/usr/share/firewall4/templates/ruleset.uc
For somewhat lighter offload entry/exit. https://github.com/openwrt/firewall4/pull/22
AND
https://github.com/openwrt/firewall4/pull/37 reducing per-packet inspection weight
wget -O /usr/share/firewall4/templates/zone-mssfix.uc https://github.com/openwrt/firewall4/raw/90436c00e52c70de312b60cefb8d7b97c0974ae2/root/usr/share/firewall4/templates/zone-mssfix.uc
run fw4 check right away, then either service firewall restart or restore original files accessible via /rom/usr/share/...
Best is to compare with stable test eg https://www.waveform.com/tools/bufferbloat which does not include your IP in shared reports (before and after and then wifi)