Hi @whereisaaron 

Thanks for posting in our business forum.

It does not add up. This seems to be a problem with that specific web.

Or do you experience the slowdown on all websites?

I assume that the web may require the ads to be loaded up first before the contents show up.

Nowadays, the web is concurrently sending the connection sessions. It should not delay the contents. Or they are forcing the ads to be displayed.

That would be something we can never change if the web page is doing so.

And supposedly, the ads you have blocked are not gonna be loaded anyway. When you set that to reply with RST, the web code may resend several times before it stops.

I don't see why it correlates to the router.

Hi @whereisaaron 

Thanks for posting in our business forum.

whereisaaron wrote

Thanks for the reply @Clive_A! The web page was an simple constructed example. The actual behaviours are more complex, but the impact is still negative. Even with parallel requests the page load may not complete for a long time. So while you can see the content, the 'spinner' will keep spinning, potentially delaying other post-page loaded behaviours. If client does do retries at you describe, the connection timeouts will keep stacking. More generally this applies to any TCP client connection that matches a blocking rule. Retries are actually more likely without a RST, since the client doesn't know the reason the connection attempt didn't work, versus telling it connections are rejected.

 

I have disabled the DPI blocking for now. Too many complaints of "slow Internet" traced to this.

 

Let me give you and even simpler web example for the ad block rule situation. Let's say you go a Google search for "new car". The first results will no doubt be sponsored links, which relay through:

 

https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcS....

 

This will be blocked, as it should. But with other DPI products I've configured over the years, it will get blocked instantly because a RST is returned to the client by the blocking firewall / router, so the user will know immediately, and is in no doubt. With Omada, the connection attempt is simply dropped / black-holed and the human is left watching the browser spin wondering what is going on, is the page just slow? How long should I wait?

 

Effects can be a simple an an application installer trying to log install statistics. Sure it only adds up to 30 seconds to that application install, but it's an unnecessary delay, easily avoided by actively blocking blocked connections with a RST.

 

Returning RST for a TCP connection attempt is simply the correct TCP protocol for rejecting a connection. Black-holing traffic is bad manners! 😅 I understand that you might not want to do that externally blocked traffic, least a reflected RST attack is possible, but interally I've always configured DPI systems to RST connection attempts, because of the drama black-holing traffic on internal networks causes. A RST reply is stateless, it doesn't create any connection tracking or other overhead for the router DPI, other than sending a packet.

 

I appreciate there are situations where dropping traffic is appropriate. Which is why I suggest this is a per-blocking-rule options.

 

In my experience other product supports both "Block" (drop) and "Reject" (RST) options; everything from pfsense to AWS firewalls (see below).

 

I hope you'll investigate the behaviour of competing products, and also test impact on clients and hopefully see the value of this 🙏

 

 

 

 

 

 

 

 

I understand your description, but I don't think it is true. 

Screenshots for the DPI rules you set on how you stop the sponsored content from Google search?

If you can provide a video, that would be great. I can directly show the video to the dev.

This stuff would be more convincing for the devs.