We're having a problem where private IPs in our office LAN experience an interesting set of bad network troubles stemming apparently from all NAT egress traffic packets getting duplicated.
We have NAT working fine on other routers, but this one uses ipip tunnels to communicate through its local DIA. I can't find any other material difference between our known working configurations and this one.
For the client, this leads to certain websites hosted on certain CDNs (most notably AWS) timing out 100% of the time. Sites that cannot be browsed can, however, be pinged unless they are also unpingable from all source IPs.
I've attached an abridged copy of the offending config.
I've included everything within 2 steps of being conceivably relevant while blowing away everything that would either make reading the config more tedious or else leak potentially sensitive data.
I've also attached a .pcap file for both the Mikrotik and the Office PC making a single (ill-fated) attempt to browse to http://www.speedtest.net through this NAT for reference.
If anybody has any insights as to why this config might lead to this symptom, we'd sure appreciate some pointers.
Thank you!
- - Jesse Thompson
Webformix, Bend OR
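The attached captures are not reproduced on this page, so here is a small, self-contained script (added as an example; it is not part of the original post and not anything from MikroTik or Webformix) for checking a capture for the symptom described above: the same egress TCP packet appearing twice within a few milliseconds. It keys packets on src/dst address, ports, IPv4 ID and TCP sequence number, so a genuine retransmission (which normally carries a fresh IP ID and arrives after an RTO, not microseconds later) is not counted. It assumes a classic little- or big-endian pcap with Ethernet framing (pcapng is rejected); the sample capture it builds uses RFC 5737 documentation addresses and is constructed here for illustration.

```python
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def tcp_syn_frame(src: str, dst: str, sport: int, dport: int, ip_id: int, seq: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN frame (no options; checksums left at zero)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(records) -> bytes:
    """records: iterable of (timestamp_seconds, frame_bytes). Returns classic pcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data: bytes):
    """Yield (timestamp, frame) from a classic pcap; pcapng and non-Ethernet captures are rejected."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are supported")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + caplen]
        off += caplen


def tcp_key(frame: bytes):
    """Return (src, dst, sport, dport, ip_id, seq) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    ip_id = struct.unpack("!H", ip[4:6])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
    return (src, dst, sport, dport, ip_id, seq)


def find_duplicates(pcap: bytes, window: float = 0.005):
    """Map key -> timestamps for TCP packets seen again within `window` seconds of a prior copy."""
    seen = defaultdict(list)
    for ts, frame in iter_pcap(pcap):
        key = tcp_key(frame)
        if key is not None:
            seen[key].append(ts)
    dups = {}
    for key, stamps in seen.items():
        stamps.sort()
        if any(b - a <= window for a, b in zip(stamps, stamps[1:])):
            dups[key] = stamps
    return dups


def sample_capture() -> bytes:
    """Constructed capture: one SYN duplicated 200 us later, an unrelated SYN, and a real retransmit."""
    syn = tcp_syn_frame("203.0.113.10", "198.51.100.5", 40000, 80, 0x1234, 1000)
    other = tcp_syn_frame("203.0.113.10", "198.51.100.9", 40001, 443, 0x1235, 2000)
    retransmit = tcp_syn_frame("203.0.113.10", "198.51.100.5", 40000, 80, 0x1236, 1000)  # new IP ID
    return build_pcap([(0.0, syn), (0.0002, syn), (0.0010, other), (1.2, retransmit)])


if __name__ == "__main__":
    for key, stamps in find_duplicates(sample_capture()).items():
        print(key, ["%.6f" % t for t in stamps])
```

To use it on a real capture, replace `sample_capture()` with `open("egress.pcap", "rb").read()`. Run it once on the router-side capture and once on the office PC capture: duplicates that appear only in the router capture point at the router (tunnel plus NAT path), while duplicates present on the PC side as well point at the LAN.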