Thanks. Adding this to my FAQueue.
I applied “iptables -A INPUT -p tcp --dport 443 -j REJECT” on Pi-hole but there is no change. It still takes 1 minute to load http://www.heise.de
If you are using IPv6, you would need to add that rule to your ip6tables as well.
Hello, thanks to all for the answers. For me, I added a rule about port 443 with REJECT on ip6tables and nothing changed.
I tried this request “https://gacz.hit.gemius.pl/xgemius.js”; it is on the ad list and is pi-holed.
Over HTTPS, the browser waits and stops on timeout. No answer from Pi-hole.
Over HTTP, the browser gets the answer var x = “Pi-hole: A black hole for Internet advertisements.” very quickly.
What I know is that there is no limitation on the connection between client and Pi-hole. Both machines are in a private network.
I tried flushing iptables and ip6tables on Pi-hole and tried to load; nothing changed. I set one rule in iptables and ip6tables to REJECT port 443; nothing changed.
I turned off the personal firewall on the Windows client too; nothing changed.
Can I test it somehow? Is there a command where the webserver on Pi-hole answers on HTTPS? I don't know for now how to find where the fault is.
Thanks to all for the time.
If you can use the F12 inspector on your client browser and take a look at the exact call that is causing the timeouts, you may be able to see what asset it is that is causing the timeouts. If the browser rendering is blocking and waiting for a response, they typically show as red colored errors during the process.
As for HTTPS, since that requires a certificate that matches the domain name to be valid, it’s difficult to enable that for the Pi-hole pages. It would be considered a form of Man-in-the-Middle attack, as we would be impersonating the encrypted communications between the browser client and the end server, which should be encrypted from client to server.
Hmmm, I understand, it makes sense.
All long requests, ending at timeout, are on HTTPS.
Then I do not understand why REJECT is not working. Is this function only between Unix systems? Because all my clients are running Windows OS. It looks like the ICMP response is not returned from the Pi-hole firewall to the browser to stop waiting and end the request.
The command is just on the Pi-hole server itself; the clients should be redirecting their requests for blocked domains to the Pi-hole server, and seeing the REJECT on port 443, they should be immediately stopping the attempt at rendering the asset and continuing on with the rest of the page.
Can you post your sudo iptables -nvL and sudo ip6tables -nvL and let's see what is configured.
Here is my iptables configuration.
I tried to install a Unix OS (not Windows OS) on another virtual machine, set DNS to Pi-hole, went to the problematic webpage and? It works… no timeout error, only connection refused. The webpage loaded quickly.
It means that the problem is on the Windows side, or Windows OS doesn't know REJECT? Can anyone test it?
I found it, but I don't know how to fix it.
Pi-hole REJECTs connections only for clients in the same address range as it is. Pi-hole answers all clients on HTTP, but not on HTTPS.
There should be no restrictions on the private network.
The Pi-hole websites work well for everyone, DNS too…
What I found out:
traceroute to script.ioam.de (2a01:5740:1000:3301:dee6:8e74:7152:5bc1) from 2a01:5740:1000:3301::12, 30 hops max, 16 byte packets
1 pihole (2a01:5740:1000:3301::12) 2999.96 ms !H 2998.66 ms !H 3000.02 ms !H
I think slow websites are related to IPv6. If you turn off IPv6, Pi-hole answers like greased lightning. Only IPv6 resolution is slow.
You can see that with script.ioam.de, which is blocked by Pi-hole. Both routes, v4 and v6, are resolved by Pi-hole: IPv4 in 0.3 ms and IPv6 in 3 seconds. This is the delay.
Has anybody an idea how to fix this?
This is sometimes the case:
After setting the right IPv6 address everything works perfect.
Thanks for your help.
I ran into a similar problem. I’m using IPv4 only. Mac and Linux clients would get an immediate “connection refused” for pi-holed https resources, but the same request from a browser on Windows would hang for ~20 seconds before timing out. I was using the iptables REJECT rule given above on the pi-hole server.
However there are several ways to reject a connection. By default iptables will send an ICMP port-unreachable, which Windows seems to ignore. I modified the rule to be iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset which fixed the problem for Windows clients as well as the others.
Possibly Windows Firewall was blocking the incoming ICMP packet and adjusting its inbound rules would have fixed this also.
@oo12 Would you know what the ip6tables equivalent of that rule might be?
ip6tables is the interface to the IPv6
Yes, I wanted to reject port 443 on IPv6 as well, but I’m not familiar with writing rules.
I’ve started receiving ipv6 from my ISP this week. Since then I’m experiencing some loading time issues, which seem to go away when pihole’s on v4 only. That’s why I’m reading all these “slow sites” “slow loading” threads, which I never cared for when I was on IPv4 only, hehe.
Should be the exact same command as listed, just with ip6tables as the command.
ip6tables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
And remember to save your rules so they are applied on reboot, by default they are not saved. https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently
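The two fixes in this thread (use `--reject-with tcp-reset` instead of the ICMP default so Windows clients fail fast, and apply the same rule in ip6tables) are easy to get half right. The following script is an added example, not part of the thread or of Pi-hole: it parses the output of `iptables -S INPUT` / `ip6tables -S INPUT` and reports, per address family, whether the TCP/443 REJECT rule is missing, uses an ICMP reject type, or uses tcp-reset, and prints the thread's corrected command where needed. The three rule dumps embedded below are constructed samples in the `-S` output format (iptables itself inserts `-m tcp` and an explicit reject type when it prints a rule); when run as root on a real box it reads the live chains instead.

```python
"""Audit the REJECT rule for TCP/443 in iptables and ip6tables INPUT chains.

Per the thread above, a plain `-j REJECT` sends ICMP port-unreachable,
which Windows clients appear to ignore, so blocked HTTPS assets hang until
the browser times out; `--reject-with tcp-reset` makes every client fail
immediately. This example (not Pi-hole's own code) checks both families.
"""
import re
import subprocess
from typing import Dict, Optional

# Constructed sample: `iptables -S INPUT` after the thread's original rule
# (`-j REJECT` with no --reject-with) was added. Windows clients hang here.
SAMPLE_IPV4 = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
"""

# Constructed sample: `ip6tables -S INPUT` with the corrected rule.
SAMPLE_IPV6 = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
"""

# Constructed sample: no rule for 443 at all (blocked HTTPS waits for timeout).
SAMPLE_NONE = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
"""

# A rule in INPUT that matches TCP, destination port 443, and jumps to REJECT.
RULE_443 = re.compile(
    r"^-A INPUT\b(?=.*\s-p tcp\b)(?=.*\s--dport 443\b)(?=.*\s-j REJECT\b)"
)
REJECT_WITH = re.compile(r"\s--reject-with (\S+)")

# The thread's corrected rules, one per address family.
FIX_COMMAND = {
    "ipv4": "iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset",
    "ipv6": "ip6tables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset",
}


def reject_type_for_443(dump: str) -> Optional[str]:
    """Return the --reject-with value of the first INPUT rule rejecting
    TCP/443, "default" if the rule carries no explicit value (older dumps
    omit it; the kernel default is ICMP port-unreachable), or None if no
    such rule exists."""
    for line in dump.splitlines():
        if not RULE_443.match(line):
            continue
        m = REJECT_WITH.search(line)
        return m.group(1) if m else "default"
    return None


def verdict(dump: str) -> str:
    """'missing' (no rule), 'icmp' (any non-RST reject type), or 'ok'."""
    kind = reject_type_for_443(dump)
    if kind is None:
        return "missing"
    if kind == "tcp-reset":
        return "ok"
    return "icmp"


def audit(dumps: Dict[str, str]) -> Dict[str, dict]:
    """Map each family ('ipv4'/'ipv6') to its status and, if needed, the fix."""
    report = {}
    for family, dump in dumps.items():
        status = verdict(dump)
        report[family] = {
            "status": status,
            "reject_with": reject_type_for_443(dump),
            "fix": None if status == "ok" else FIX_COMMAND[family],
        }
    return report


def live_dump(family: str) -> Optional[str]:
    """Read the real INPUT chain (needs root); None if the tool is unavailable."""
    tool = "iptables" if family == "ipv4" else "ip6tables"
    try:
        return subprocess.run(
            [tool, "-S", "INPUT"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Fall back to the constructed samples when the live chains cannot be read.
    dumps = {
        "ipv4": live_dump("ipv4") or SAMPLE_IPV4,
        "ipv6": live_dump("ipv6") or SAMPLE_IPV6,
    }
    for family, result in audit(dumps).items():
        print(family, result["status"], result["reject_with"], result["fix"] or "")
```

With the samples as given, the IPv4 family reports `icmp` together with the iptables tcp-reset command, and the IPv6 family reports `ok`. After changing a rule, remember that the check only reflects the running chains; the rules still have to be saved (see the link above) to survive a reboot.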
Thanks! I thought ip6tables would be different. I make rules… on pretty GUIs (pfsense). It didn’t improve the loading times though. I’ll start a new thread for IPv6.