I wireshark’d sys-whonix, and noticed lots of ICMP and fragmentation issues (as I was suspicious of), and found something of a fix.
SOLUTION: While allowing ICMP alone did not fix the issue, the originally proposed solution to the ICMP problem did: https://github.com/Whonix/whonix-firewall/pull/7/files
In sys-whonix, do:
sudo vi /usr/bin/whonix-gateway-firewall
- $iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
+ $iptables_cmd -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
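Review bot: Adding RELATED to the INPUT accept rule is broader than the ICMP Fragmentation Needed case this change is meant to address, and that is worth stating in the rule's comment or the commit message. In conntrack terms RELATED matches any ICMP error packet tied to an existing connection (destination-unreachable including fragmentation-needed, time-exceeded, and so on) as well as expected connections set up by conntrack helpers, not only the PMTU-discovery replies that were timing out. If only the fragmentation-needed fix is wanted, a narrower rule such as `$iptables_cmd -A INPUT -p icmp --icmp-type fragmentation-needed -m state --state RELATED -j ACCEPT` placed before the ESTABLISHED rule would cover it while keeping the INPUT chain's existing scope; if the broader RELATED accept is intended, say so where the rule is defined so the trade-off is visible to the next reader.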
followed by:
sudo whonix_firewall
and it fixes the issue entirely.
I see the discussion about this being a bit permissive (Have firewall accept ICMP Fragmentation Needed), but clearly ICMP alone was not enough for the LAN to not kill the connections, timing them all out.