Everything turns out to be very simple. As with http, the provider's DPI intercepts subscriber requests and sends fake responses from the server. In the case of https, the protected content cannot be spoofed, so a fake packet is sent with the RST flag. By disabling such packets, we get real responses from the server:
/ip firewall filter
add action=drop chain=forward disabled=no in-interface=pppoe protocol=tcp src-port=443 tcp-flags=rst packet-size=40 ttl=equal :120
PS A lot of packets fall under this rule, and no problems were found, but for more accurate processing, you can set additional conditions, in my case packet-size=40 and ttl=equal:120 (for windows systems) and ttl =equal:56 (respectively for *nix systems) and now the rule counter is incremented only when accessing prohibited https sites. A rule with a value of ttl=56 sometimes works unnecessarily, and no problems were noticed. I looked at the ttl values ​​in fake packets from the provider and reduced them by 1 in the rules.

Blocking, apparently, is carried out by the domain name (IP address) of the entire site. You can't get around without a VPN or proxy.

No VPN or proxy.

I use Rostelecom, with a white ip, through chrome I go where I want with the help of ordinary blocking crawlers. I can not understand the essence of the question?

Minimum cost and profit with this: altvpn.com/57a6551c822c4.html

Are the instructions still up to date? tech4fun does not open (the database, or something has fallen), I looked in the Google cache. What I have:
1. Without setting - the warning.rt.ru page
2. With the addition of the first rule (fixed on warning.rt.ru), the page disappeared, instead of it ERR_CONNECTION_RESET
3. With the addition of a line about https - nothing has changed.
Что я делаю не так? :)