Sorry that I’m answering late, I was busy changing my internet provider ( previous one was expensive ), and also I was busy taking care of my bird (sadly we lost him)
In the past few days, that I didn’t have internet connection on my wifi, everything was fine
The Klipper Connection Failed screen happened much, much less than the times that I had internet on my router
Now that I have internet in my router, I tried something
I started uploading a file on WhatsApp, and when I was doing that connection appeared as fast as old times
about my connection that you asked me to provide as a picture
Also, I finally found what is happening to our internet ( I asked two network experts about that )
(I don’t understand any of the things that they said, and I translated them using ChatGPT)
first explanation
The state of the Internet in Iran after the recent clashes with Israel has undergone significant changes, especially from a technical perspective and in terms of communication protocols. These changes appear to be part of the government’s security strategies to control and monitor Internet traffic. In the following, we will scientifically analyze these changes, their possible reasons, and their implications for TCP, UDP protocols, and V2Ray configurations, based on available information.
1. Disruption of the TCP protocol for DNS (tcp://8.8.8.8):
The TCP protocol is used for DNS queries that require high reliability, since it relies on mechanisms like handshaking and acknowledgment to ensure data delivery. The malfunction or blocking of TCP indicates the intentional imposition of restrictions at the network infrastructure level.
2. Disruption of the UDP protocol for non-standard ports (udp://9.9.9.9:9953):
Filtering non-standard ports is likely part of a strategy to restrict circumvention tools (such as VPNs and V2Ray) that often use uncommon ports to conceal their traffic. This measure aims to reduce access to foreign servers and increase monitoring of domestic traffic.
3. High latency in DoH servers:
The DoH protocol uses HTTPS (port 443) to send DNS queries in encrypted web traffic, making it harder to detect and filter. However, the high latency may result from bandwidth throttling or targeted monitoring of HTTPS traffic.
Cloudflare Radar data shows that after the recent clashes, Iran’s Internet traffic has drastically decreased (by up to 97% at certain times), and the mix of HTTP protocols has changed, with HTTP/1.x (the older version) now accounting for a larger share compared to HTTP/2 and HTTP/3. This may indicate attempts to restrict newer, more secure protocols like HTTP/3, which operates over QUIC and UDP.
Conclusion:
The state of the Internet in Iran following the recent clashes indicates an intensification of filtering and surveillance policies aimed at controlling cyberspace and limiting access to foreign information. The imposed restrictions on TCP and UDP for DNS and the failure of V2Ray configurations are the result of advanced filtering techniques such as DPI (Deep Packet Inspection) and TLS fingerprinting. These measures not only make Internet access more difficult but also have broad implications for freedom of expression, the digital economy, and user privacy.
secend explanation
Cloudflare Under the Shadow of New Firewall Filtering Changes
According to GFW-Knocker’s analysis, all regular Cloudflare IPs have been whitelisted under the new firewall filtering changes. This means that only the SNI of well-known websites is allowed to pass through, while all other sites and personal domains are blocked—whether fragmented or not. Regardless of whether they are officially filtered or not, they are not permitted to pass.
On port 443, lesser-known websites are completely blocked, and even unfiltered personal domains are inaccessible. Moreover, if you try to access a well-known site using a fragmentation method, the firewall won’t be able to correctly read the domain name and will block it too. In short, until the firewall is certain that the domain is on the allowed list, it will not let the connection proceed, even if it’s a normal browser accessing a normal site.
On port 80, the ws protocol is completely blocked. If the word websocket appears in a packet, it will be filtered. Even if you send the data in fragments, the packets will stop passing after the seventh packet.
So, what can be done? The real answer is clear: freedom for Iran. But until that happens, the only option is to use various stealth techniques—tricks that, if made public, will be blocked by the censors.
For Cloudflare’s port 80, an xhttp packet-up configuration without TLS, using a domain that is not yet filtered and with the fakeHost option enabled in the Mahsa core, still works. Of course, there is always the risk that the domain will be blocked. The good news is that the Mahsa core will soon be updated so that this type of configuration can work with filtered domains on all Cloudflare IPs.
For Cloudflare’s port 443, since Cloudflare’s IP ranges are whitelisted, they are practically useless for bypassing and there’s not much that can be done. There are some options like using scanners, the ECH method, manipulating ClientHello, or asking Cloudflare administrators to enable Domain Fronting, but the chances of success are low.