I've tried everything in this thread, and still websites like http://www.computerbild.de/ or http://www.chip.de/Test_12430122.html load extremely slowly. In addition, not all ads are blocked; in fact, especially on these sites, there still are lots of ads. I really don't know how to proceed. Currently the speed is unbearably slow, like 40 seconds to load 1 page.
I also have made absolutely sure that I use the IPv6 displayed by ifconfig in the Fritz.box DNS server configuration as well as in the /etc/pihole/setupVars.conf file. The same goes for IPv4.
EDIT: I also tried this:
and I have opened ports 443 and 80 to my Raspberry Pi on my Fritz.box and it makes no difference.
Any help would be greatly appreciated, because in the current state, my pihole is basically unusable.
Hi, I have the same problem as others. Some elements on web sites are not aborted and the browser keeps waiting until the timeout expires (about 20 sec).
All problems are on https connections and javascripts at the end of the address.
I read some threads here about this, and understand the recommendation to use iptables.
"sudo iptables -A INPUT -p tcp --dport 443 -j REJECT"
I tried it, but no difference. I mean that REJECT does not work well or something else is wrong.
Pi-hole is installed on a fresh installation of Lubuntu on a virtual machine.
DNS translation works very well. Pi-hole returns its own IP when the DNS name is on the list, or forwards when not. Pi-hole returns a blank page for most requests. It works well. The Pi-hole web interface works well too.
I don't use IPv6, only IPv4. (I think)
All clients are in the local network, with Windows OS, with Firefox, Chrome, IE, Edge browsers.
IP tables was without records. I added only one row about INPUT port 443 with REJECT.
For 3-4 days I have had the same problem. Some sites open incredibly slowly. Mostly YouTube with ad trailers. Other videos without ad trailers open normally fast.
Some news sites are also incredibly slow.
Whenever "script.ioam.de" is used it will take up to a minute to load the page.
Slow loading sites and script assets usually are a sign that browsers are requesting from port 443 (HTTPS/SSL) and not getting a reject, but instead are timing out. You could try setting up a firewall or iptables to reject on 443 instead of dropping. Do you know if you have any firewalls or iptables set up on the Pi-hole device?
Hello, thanks to all for the answers. For me, I added a rule for port 443 and REJECT on ip6tables and nothing changed.
I tried this request "https://gacz.hit.gemius.pl/xgemius.js"; it is on the ad list, and is piholed.
In https, the browser waits and stops on timeout. No answer from Pihole.
In http, the browser gets the answer var x = "Pi-hole: A black hole for Internet advertisements." very quickly.
As far as I know, there is no limitation on the connection between client and pihole. Both machines are in a private network.
I tried flushing iptables and ip6tables on pihole and tried to load: nothing changed. I set one rule in iptables and ip6tables for REJECT on port 443: nothing changed.
I turned off the personal firewall on the Windows client too, nothing changed.
Can I test it somehow? Is there a command where the webserver on pihole answers on https? I don't know for now how to find where the fault is.
Thanks to all for the time.
If you can use the F12 inspector on your client browser and take a look at the exact call that is causing the timeouts you may be able to see what asset it is that is causing the timeouts. If the browser rendering is blocking and waiting for a response, they typically show as red colored errors during the process.
As for HTTPS, since that requires a Certificate that matches the domain name to be valid, it's difficult to enable that for the Pi-hole pages. It would be considered a form of a Man In The Middle attack as we would be impersonating the encrypted communications between the browser client and the end server, which should be encrypted from client to server.
Hmmm, I understand, it makes sense.
All long requests, ending at timeout, are on https.
Then I do not understand why REJECT is not working. Is this function only between Unix systems? Because all my clients are running under Windows OS. It looks like the ICMP response is not returned from the pihole firewall to the browser to stop the wait and end the request.
The command is just on the Pi-hole server itself. The clients should be redirecting their requests for blocked domains to the Pi-hole server, and seeing the REJECT on port 443, they should be immediately stopping the attempt at rendering the asset and continue on with the rest of the page.
Can you post your iptables configuration?
sudo iptables -nvL and sudo ip6tables -nvL and let's see what is configured.
I tried installing a Unix OS (not Windows OS) on another virtual machine, set DNS to pihole and went to a problematic webpage and? It works... no timeout error, only connection refused. Webpage loaded quickly.
Does it mean that the problem is on the Windows side, or that Windows OS doesn't know REJECT? Can anyone test it?
I found it, but I don't know how to fix it.
Pi-hole REJECTs connections only for clients in the same address range as it is. Pi-hole answers all clients on http, but not on https.
There should be no restrictions on the private network.
The pihole websites work well for everyone, DNS too.
traceroute script.ioam.de
traceroute to script.ioam.de (10.10.0.12), 30 hops max, 60 byte packets
1 pihole (10.10.0.12) 0.020 ms 0.005 ms 0.003 ms
traceroute6 script.ioam.de
traceroute to script.ioam.de (2a01:5740:1000:3301:dee6:8e74:7152:5bc1) from 2a01:5740:1000:3301::12, 30 hops max, 16 byte packets
1 pihole (2a01:5740:1000:3301::12) 2999.96 ms !H 2998.66 ms !H 3000.02 ms !H
I think slow websites are related to IPv6. If you turn off IPv6 pihole answers like greased lightning. Only IPv6 resolution is slow.
You can see that with script.ioam.de which is blocked by pihole. Both routes v4 and v6 are resolved by pihole. IPv4 in 0.3 ms and IPv6 in 3 seconds. This is the delay.
I ran into a similar problem. I'm using IPv4 only. Mac and Linux clients would get an immediate "connection refused" for pi-holed https resources, but the same request from a browser on Windows would hang for ~20 seconds before timing out. I was using the iptables REJECT rule given above on the pi-hole server.
However there are several ways to reject a connection. By default iptables will send an ICMP port-unreachable, which Windows seems to ignore. I modified the rule to be iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset which fixed the problem for Windows clients as well as the others.
Possibly Windows Firewall was blocking the incoming ICMP packet and adjusting its inbound rules would have fixed this also.
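Added example, not part of any post in this thread: a small Python probe to run on an affected client, answering the earlier question of how to test this. It times one TCP connect to port 443 of a blocked name (or the Pi-hole's address) over IPv4 and IPv6 and reports whether the attempt failed at once or stalled; the function names and the 1-second threshold are assumptions of the example.

```python
import socket
import sys
import time


def probe(host, port=443, family=socket.AF_INET, timeout=5.0):
    """Try one TCP connect; return (outcome, seconds_elapsed)."""
    # Resolve through the system resolver, so a blocked name maps to the Pi-hole.
    addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect(addr)
        outcome = "open"        # something is listening on the port
    except ConnectionRefusedError:
        outcome = "refused"     # the client stack accepted the reply as a refusal
    except socket.timeout:
        outcome = "timeout"     # no usable reply within `timeout` seconds
    except OSError as exc:
        outcome = "error: %s" % exc   # e.g. host or network unreachable
    finally:
        sock.close()
    return outcome, time.monotonic() - start


def verdict(outcome, seconds, slow=1.0):
    """Classify a probe result; `slow` (seconds) is an assumed threshold."""
    if outcome == "open":
        return "listening"
    if outcome != "timeout" and seconds < slow:
        return "fast-fail"      # the browser can skip the asset immediately
    return "stall"              # the page will sit waiting on this asset


if __name__ == "__main__":
    # Usage: python probe443.py <blocked-name-or-pihole-address>
    target = sys.argv[1]
    for label, fam in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            outcome, secs = probe(target, family=fam)
        except socket.gaierror:
            print("%s: no address for %s" % (label, target))
            continue
        print("%s: %s after %.2fs -> %s"
              % (label, outcome, secs, verdict(outcome, secs)))
```

Running it on a Windows client before and after changing the rule to `--reject-with tcp-reset` shows whether the client moves from `stall` to `fast-fail`, and the separate IPv6 line shows whether only that path is slow.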