Possible MTU/MSS Clamp issue

Hi all.
I've just installed LEDE 17.01.1 on one of my TP-Link TL-WDR4300 v1.
I am encountering a problem, but I am not sure it's related to LEDE.
My setup is like this:


I cannot bypass the ISPBOX as it is acting as a VoIP box and because it has a VDSL modem but no bridged mode is configurable.
The ISPBOX is NATting all data traffic from its WAN to the LEDE box WAN, where the TCP:443 port is then forwarded to the server.
It's actually a double NAT.
Server, LEDE and ISPBOX LANs all have MTU:1500.
The LEDE box is also acting as a wifi AP (the ISPBOX has wifi disabled).

If I access the server (HTTPS) from the internal LAN and/or the internal wifi, everything works fine.
It also works fine if I use the LEDE box SSH server as a "dynamic proxy" for my browser.
If I access it from the internet I can do initial negotiation and also web application login (HTTPS).
Then anything else doesn't work: the client browser (Chrome) remains in "creating a protected connection" forever.
I can see packets being sent from the server and being received from the client.
But the page never arrives.
I can connect to the LEDE box via SSH and HTTPS (the latter on a TCP port other than 443).

I think it could be an MTU/MSS clamping issue on either my LEDE box or on the ISPBOX (or even both).

I cannot be sure the problem isn't on the ISP side mangling with port 443, so I am asking for any hints on how to troubleshoot this situation.

Thanks in advance.
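
One way to check the MSS hypothesis raised in the post, as an added example that is not part of the original post: capture only the TCP handshake packets for port 443 on the router's WAN side and see whether the advertised MSS fits the real path MTU. The tcpdump lines, the addresses and the 1492-byte path MTU (a common PPPoE value, not stated in the post) are constructed assumptions.

```python
import re

IP_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

# Constructed `tcpdump -n` output (SYN and SYN-ACK only); all addresses are
# made up for the example and do not come from the post.
SAMPLE = """\
12:00:01.000001 IP 198.51.100.7.51234 > 192.168.1.10.443: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
12:00:01.000900 IP 192.168.1.10.443 > 198.51.100.7.51234: Flags [S.], seq 9, ack 2, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
12:00:05.000001 IP 203.0.113.9.40000 > 192.168.1.10.443: Flags [S], seq 5, win 64240, options [mss 1452,nop,wscale 7], length 0
"""

# Matches "IP src > dst: Flags [S]" or "[S.]" and the mss option that follows.
SYN_RE = re.compile(r"IP (\S+) > (\S+): Flags \[(S\.?)\].*?\bmss (\d+)")


def parse_syn_mss(text):
    """Return (src, dst, flags, mss) for every SYN / SYN-ACK line."""
    records = []
    for line in text.splitlines():
        m = SYN_RE.search(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return records


def oversized(text, path_mtu):
    """Handshake packets whose advertised MSS cannot fit inside path_mtu.

    A full-size segment built from such an MSS exceeds the path MTU, so it
    is only delivered if fragmentation or ICMP "fragmentation needed" works.
    """
    limit = path_mtu - IP_TCP_OVERHEAD
    return [r for r in parse_syn_mss(text) if r[3] > limit]


if __name__ == "__main__":
    for src, dst, flags, mss in oversized(SAMPLE, path_mtu=1492):
        print(f"{src} -> {dst} [{flags}] advertises mss {mss}, too large for MTU 1492")
```

If the handshake still carries an MSS above path MTU minus 40 on the WAN side, small exchanges such as the TLS negotiation and login can succeed while full-size responses stall, which is the pattern the post describes.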