@kirillkh Flent is a python frontend for netperf, iperf, and irtt and has many test options. E.g. the objective of the Flent RRUL test is to use ICMP and UDP to measure RTT while loading the pipe with eight TCP streams (four downloads, four uploads) - there are options to change down/up streams and there are many other tests. Flent RRUL test uses ping timestamps with ICMP to determine latency/loss - not the incrementing TTL function that you are executing with traceroute.

https://flent.org
https://github.com/heistp/irtt

@scottsh the value you enter for queue length is not used when using FQ-CoDel - CoDel is dynamically managing the queue length within each subqueue created for flows.

@Harvy66 is absolutely right, you really don't want to have hyper-threading enabled. You are inducing way more latency, especially with the limiter loaded with flows, than you probably realize. Even if pfSense was on your bare metal, hyper-threading would not be enabled if it were me.

@softener Also, CoDel is not working on your queues where QFQ is the scheduler. See this: https://forum.netgate.com/topic/137963/codel-does-not-work-on-limiter-queues-in-2-4-4

anyone?

Can you elaborate on the exact settings you used to reach that point?

Yes, thanks for the info @uptownVagrant ! Using the settings I also get A+ across the board too.

I wonder though, even after downloading 10GB of stuff, the floating match firewall rules only report 122KB in and 4.01MB out traffic/states.
What does that mean? Why doesn't it show 10GB?

The pfsense LAN 'Default allow LAN to any rule' does report the expected 10GB in...!?

Hello, All.
It seems like 2.4.4-RELEASE-p1 now is ok with limiters.
The only thing i changed: Scheduler from FIFO to QFQ.

Happy New Year!

@cwagz said in Question RE Buffer Bloat / FQ-Codel Setup:

@guardian
Use uptownvagrants setup from the “Playing with FQ_codel” thread. The message will go away.

https://forum.netgate.com/topic/112527/playing-with-fq_codel-in-2-4/815

@harvy66 said in Crash report following fq_codel setup:

Uncaught Error: Call to a member function addGlobal() on null in /usr/local/www/firewall_shaper_vinterface.php:400

This is not a shaper error, but a GUI error.
The function addGlobal() is used everywhere in the GUI.
When you access the "/usr/local/www/firewall_shaper_vinterface.php" page, everything from /usr/local/www/classes/ would get included, and one of the files exposes the addGlobal() funcion.
On your system, this didn't happen : some file or install error ?

@harvy66
Great! I hope it comes with low profile brackets.... the description says it should. if that checks out, i'm ready to go!

Excellent!! Thanks a lot!!

The easier 80/20 rule to get decent results is setup FairQ on your upload and download, and set the default queue to use Codel.

@uptownVagrant
many thanks for your help!!
I imported your config on my firewall and played around with it a bit. Sadly I didn`t get any more performance in relation to the stuck traffic at about 500 mbit/s I had before.

The PC I´m testing with has 1 Gbit onboard lan and two 1 Gbit Intel nics. The two Intel ones are the nics I´ve been using the whole time. After testing with your config I desided to switch the "LAN" port from the Intel nic to the onboard nic.

0_1544698957643_traffic.jpg

After changing this I could get full 1 Gbit/s (110 Mb/s) copy speed through the firewall-bridge, at least in one direction.
The other direction still makes only about 60Mb/s, probably because of the Intel nic on the WAN port.

So in my opinion, I struggled the whole time with some incompatible ore crappy network cards in my specific hardware constellation, which caused my traffic bottleneck through the bridge...
In principle, my configuration was correct the whole time, unfortunately it was not the hardware...

@uptownvagrant

Thanks for the assistance. The issue is now fixed. With the new floating rules the NAT, IPV4 does not break the policy rules.

@global-fx Not sure if you ever got this working but I created a bridge config for another user and posted it here: https://forum.netgate.com/post/808745

It should work for you too.

@xandercdn I have this working in my lab.

"net.link.bridge.pfil_member=1" and "net.link.bridge.pfil_bridge=0" under system tunables. Outgoing NAT is disabled WAN has an IP address for management WAN and LAN are joined in BRIDGE0 I do not have the bridge assigned under "Interface Assignments" I configured 10 Mbit/s in and out limiters using this example. I did not create the first two floating rules for ICMP since NAT is not involved in this config. If you want the limiter to only apply to a certain IP(s) you can change the source and destinations accordingly.
0_1543886890032_firewall_rules.jpg

I've attached the configuration I'm using:
0_1543886724746_config-dev-244p1.localdomain-20181203172356.xml

https://www.netgate.com/docs/pfsense/trafficshaper/limiters.html
https://www.netgate.com/docs/pfsense/book/trafficshaper/limiters.html

-Rico