Hi @whereisaaron 

Thanks for posting in our business forum.

It does not add up. This seems to be a problem with that specific web.

Or do you experience the slowdown on all websites?

I assume that the web may require the ads to be loaded up first before the contents show up.

Nowadays, the web is concurrently sending the connection sessions. It should not delay the contents. Or they are forcing the ads to be displayed.

That would be something we can never change if the web page is doing so.

And supposedly, the ads you have blocked are not gonna be loaded anyway. When you set that to reply with RST, the web code may resend several times before it stops.

I don't see why it correlates to the router.

Thanks for the reply @Clive_A! The web page was an simple constructed example. The actual behaviours are more complex, but the impact is still negative. Even with parallel requests the page load may not complete for a long time. So while you can see the content, the 'spinner' will keep spinning, potentially delaying other post-page loaded behaviours. If client does do retries at you describe, the connection timeouts will keep stacking. More generally this applies to any TCP client connection that matches a blocking rule. Retries are actually more likely without a RST, since the client doesn't know the reason the connection attempt didn't work, versus telling it connections are rejected.

I have disabled the DPI blocking for now. Too many complaints of "slow Internet" traced to this.

Let me give you and even simpler web example for the ad block rule situation. Let's say you go a Google search for "new car". The first results will no doubt be sponsored links, which relay through:

https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcS....

This will be blocked, as it should. But with other DPI products I've configured over the years, it will get blocked instantly because a RST is returned to the client by the blocking firewall / router, so the user will know immediately, and is in no doubt. With Omada, the connection attempt is simply dropped / black-holed and the human is left watching the browser spin wondering what is going on, is the page just slow? How long should I wait?

Effects can be a simple an an application installer trying to log install statistics. Sure it only adds up to 30 seconds to that application install, but it's an unnecessary delay, easily avoided by actively blocking blocked connections with a RST.

Returning RST for a TCP connection attempt is simply the correct TCP protocol for rejecting a connection. Black-holing traffic is bad manners! 😅 I understand that you might not want to do that externally blocked traffic, least a reflected RST attack is possible, but interally I've always configured DPI systems to RST connection attempts, because of the drama black-holing traffic on internal networks causes. A RST reply is stateless, it doesn't create any connection tracking or other overhead for the router DPI, other than sending a packet.

I appreciate there are situations where dropping traffic is appropriate. Which is why I suggest this is a per-blocking-rule options.

In my experience other product supports both "Block" (drop) and "Reject" (RST) options; everything from pfsense to AWS firewalls (see below).

I hope you'll investigate the behaviour of competing products, and also test impact on clients and hopefully see the value of this 🙏

Hi @whereisaaron 

Thanks for posting in our business forum.

whereisaaron wrote

Thanks for the reply @Clive_A! The web page was an simple constructed example. The actual behaviours are more complex, but the impact is still negative. Even with parallel requests the page load may not complete for a long time. So while you can see the content, the 'spinner' will keep spinning, potentially delaying other post-page loaded behaviours. If client does do retries at you describe, the connection timeouts will keep stacking. More generally this applies to any TCP client connection that matches a blocking rule. Retries are actually more likely without a RST, since the client doesn't know the reason the connection attempt didn't work, versus telling it connections are rejected.

 

I have disabled the DPI blocking for now. Too many complaints of "slow Internet" traced to this.

 

Let me give you and even simpler web example for the ad block rule situation. Let's say you go a Google search for "new car". The first results will no doubt be sponsored links, which relay through:

 

https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcS....

 

This will be blocked, as it should. But with other DPI products I've configured over the years, it will get blocked instantly because a RST is returned to the client by the blocking firewall / router, so the user will know immediately, and is in no doubt. With Omada, the connection attempt is simply dropped / black-holed and the human is left watching the browser spin wondering what is going on, is the page just slow? How long should I wait?

 

Effects can be a simple an an application installer trying to log install statistics. Sure it only adds up to 30 seconds to that application install, but it's an unnecessary delay, easily avoided by actively blocking blocked connections with a RST.

 

Returning RST for a TCP connection attempt is simply the correct TCP protocol for rejecting a connection. Black-holing traffic is bad manners! 😅 I understand that you might not want to do that externally blocked traffic, least a reflected RST attack is possible, but interally I've always configured DPI systems to RST connection attempts, because of the drama black-holing traffic on internal networks causes. A RST reply is stateless, it doesn't create any connection tracking or other overhead for the router DPI, other than sending a packet.

 

I appreciate there are situations where dropping traffic is appropriate. Which is why I suggest this is a per-blocking-rule options.

 

In my experience other product supports both "Block" (drop) and "Reject" (RST) options; everything from pfsense to AWS firewalls (see below).

 

I hope you'll investigate the behaviour of competing products, and also test impact on clients and hopefully see the value of this 🙏

 

 

 

 

 

 

 

 

I understand your description, but I don't think it is true. 

Screenshots for the DPI rules you set on how you stop the sponsored content from Google search?

If you can provide a video, that would be great. I can directly show the video to the dev.

This stuff would be more convincing for the devs.

Hi @whereisaaron 

Thanks for posting in our business forum.

Test team reviewed what you sent. Is this picture from our router?

This picture looks like the new Omada GUI. But I don't recall this feature being there.

Test team also questions what you mean.

Are you asking a question or proposing a request for a new feature? I am confused.

Hi @Clive_A thanks for reviewing my recommendation to improve Omada products!

That image is not a real image from an Omada gateway, it is a mock-up image I prepared to show the change I suggest. My suggestion is to add an extra option to DPI Blocking Rule and ACL's to be able to block using the TCP and ICMP protocols (with RST flag) - the way the RFC's say we should 😅 Default behavior can remain the same, so that this will not be a breaking change.

For the test team:

On a firewall, when you receive a TCP connection packet you want to block/reject, the correct way to do this with TCP protocol is to send a connection reset TCP packet to the sender, with the RST flag set. This tells the sender you will not accept the connection, and they will immediately stop trying. The avoids unnecessary timeout delays and retries.

Similarly, if you receive UDP or other IP packet you want to block/reject, the correct way to do this with IP protocol is to send a connection reset ICMP packet to the sender, with the RST flag set. This tells the sender you would not accept the packets, and they will immediately stop trying. The avoids unnecessary timeout delays and retries.

Currently Omada DPI and ACL blocking rules don't support rejecting traffic (RST), they only support dropping traffic ("black hole") which leaves the sender waiting for timeouts and sending unnecessary retries. It reduces IP network performance. There is a role for dropping traffic; usually for defending against external probe traffic and DDOS. In my opinion, a gateway/firewall should offer both dropping traffic ("black hole"), and rejecting traffic (return packet with RST flag).

I've configured network firewalls for 30 years, and this TCP/ICMP "reject" blocking technique is expected. If you look around the competing gateways / firewalls you'll find they all have this option. I was honestly surprised when it wasn't available in the Omada products I was configuring. Hoping we can change that together 🙏

  @whereisaaron 

whereisaaron wrote

Hi @Clive_A thanks for reviewing my recommendation to improve Omada products!

 

That image is not a real image from an Omada gateway, it is a mock-up image I prepared to show the change I suggest. My suggestion is to add an extra option to DPI Blocking Rule and ACL's to be able to block using the TCP and ICMP protocols (with RST flag) - the way the RFC's say we should 😅 Default behavior can remain the same, so that this will not be a breaking change.

 

For the test team:

 

On a firewall, when you receive a TCP connection packet you want to block/reject, the correct way to do this with TCP protocol is to send a connection reset TCP packet to the sender, with the RST flag set. This tells the sender you will not accept the connection, and they will immediately stop trying. The avoids unnecessary timeout delays and retries.

 

Similarly, if you receive UDP or other IP packet you want to block/reject, the correct way to do this with IP protocol is to send a connection reset ICMP packet to the sender, with the RST flag set. This tells the sender you would not accept the packets, and they will immediately stop trying. The avoids unnecessary timeout delays and retries.

 

Currently Omada DPI and ACL blocking rules don't support rejecting traffic (RST), they only support dropping traffic ("black hole") which leaves the sender waiting for timeouts and sending unnecessary retries. It reduces IP network performance. There is a role for dropping traffic; usually for defending against external probe traffic and DDOS. In my opinion, a gateway/firewall should offer both dropping traffic ("black hole"), and rejecting traffic (return packet with RST flag).

 

I've configured network firewalls for 30 years, and this TCP/ICMP "reject" blocking technique is expected. If you look around the competing gateways / firewalls you'll find they all have this option. I was honestly surprised when it wasn't available in the Omada products I was configuring. Hoping we can change that together 🙏

I see your point. Noted. Have shared this with the dev and related team members.

But I cannot guarantee anything in this reply. All I can do is make your voice heard. Thanks.

@Clive_A awesome! Thanks for passing that on. If the team need more information I'd be happy to help. But I think if they just look "over the fence" at the competition and copy what they do with "reject" vs "drop" rules, then Omada ACLs will make many more network admins happy 😅