Without a proxy there is no concept of ensuring a client gets directed to the same backend for subsequent requests, and no way to handle removing a down/unresponsive server from the pool of available targets.
@magikmark
Thanks very much for the tailored advice. 👍
The fq_codel error logs are pulled from /var/log/system.log so they also show in the GUI under Status/System Logs/System/General.
For whatever reason the errors promptly ceased after an unrelated update & reboot, so I have not had a chance to apply and monitor the suggested values. The 'observer effect' no doubt.
@rb625 traffic shaper can do this
https://docs.netgate.com/pfsense/en/latest/trafficshaper/altq-scheduler-types.html#hierarchical-fair-service-curve-hfsc
I’ve not used HFSC but there are tutorials online.
CBQ has limits and “borrowing” but I had some challenges getting it to work. IIRC one has to set borrowing on the parent queue as well.
@jeremyj-0 Unfortunately for me, setting it to CoDel didn't help at all.
I think we and many others have different environments, so it is hard to compare. I think I need to learn how to profile both system and network first. Because before I can solve it, I have to find out if it is something with software, hardware, or maybe my ISP is breaking everything. But each part needs different tools to investigate it properly. Also, I'm making it even harder by using proxmox.
@nocling yep - I'm using the same rule order. I think the "Pass" option for CoDel (in the documentation) meant that it gets re-ordered to the top of the list when it should be the last thing. I've put it at the end of my list of traffic shaping "match" rules and bufferbloat tests seem consistent in behaviour to the "pass" rule at the end of all floating rules.
@christos3105 That would be my understanding, but if it is WAN Out, that would normally always be allowed anyway (since normal rules are processed when packets enter an interface).
There are many ways to approach this but my suggestion does take icmp and other protocols out of the equation. The firewall floating rule ONLY includes tcp and udp. I just installed pfsense the other night and curiously ran into the same issues running ping and traceroute with my windows laptop having the “repeating” issue along with dropped pings. This change resolved my issue and still controls bloat. Cake has this feature aimed towards an 11:1 or higher rate.
Finding a way to drop duplicate acks is another avenue worth exploring for extending the ingress bandwidth at the expense of more cpu usage. I started with openwrt and the sqm folks learning much over the years.
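One way to verify the "tcp and udp only" limiter rule suggested in the post above, as an added example that is not part of this thread or of pfSense's own code: the script parses the floating rules out of a pfSense config.xml backup and flags any rule that attaches a limiter without restricting the protocol to tcp/udp, since such a rule queues ICMP (ping/traceroute) through the limiter as well. The XML fragment is constructed for the example, and the element names it relies on (floating, direction, protocol, dnpipe, pdnpipe, descr) are assumed to match what a pfSense export contains; check them against a real backup before trusting the output.

```python
"""Check limiter floating rules in a pfSense config.xml export.

Added example, not from the thread or from pfSense. Assumes rules live under
<filter><rule>, floating rules carry <floating>yes</floating>, limiters are
attached with <dnpipe> (in) / <pdnpipe> (out), and <protocol> reads 'tcp/udp'
when both are selected. Verify these names against a real export.
"""
import xml.etree.ElementTree as ET

# Constructed config fragment (not a real export) with one LAN rule and three
# floating rules: a tcp/udp-only limiter rule, an all-protocol limiter rule,
# and a plain pass rule.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <protocol>any</protocol>
      <descr>Default allow LAN to any</descr>
    </rule>
    <rule>
      <type>match</type>
      <floating>yes</floating>
      <interface>wan</interface>
      <direction>out</direction>
      <protocol>tcp/udp</protocol>
      <dnpipe>WANup</dnpipe>
      <pdnpipe>WANdown</pdnpipe>
      <descr>Shape WAN tcp/udp out</descr>
    </rule>
    <rule>
      <type>match</type>
      <floating>yes</floating>
      <interface>wan</interface>
      <direction>in</direction>
      <protocol>any</protocol>
      <dnpipe>WANdown</dnpipe>
      <pdnpipe>WANup</pdnpipe>
      <descr>Shape WAN in (all protocols)</descr>
    </rule>
    <rule>
      <type>pass</type>
      <floating>yes</floating>
      <quick>yes</quick>
      <interface>wan</interface>
      <direction>out</direction>
      <protocol>any</protocol>
      <descr>Pass WAN out</descr>
    </rule>
  </filter>
</pfsense>
"""

# Protocol values that keep ICMP (and everything else) out of the limiter.
TCP_UDP = {"tcp", "udp", "tcp/udp"}


def floating_rules(xml_text):
    """Return the floating rules in rule-order as plain dicts."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("rule"):
        if (rule.findtext("floating") or "").lower() != "yes":
            continue
        rules.append({
            "descr": rule.findtext("descr", ""),
            "type": rule.findtext("type", "pass"),
            "direction": rule.findtext("direction", "any"),
            "protocol": rule.findtext("protocol", "any").lower(),
            "dnpipe": rule.findtext("dnpipe", ""),    # limiter for the 'in' side
            "pdnpipe": rule.findtext("pdnpipe", ""),  # limiter for the 'out' side
        })
    return rules


def limiter_rules(rules):
    """Floating rules that attach a limiter in either direction."""
    return [r for r in rules if r["dnpipe"] or r["pdnpipe"]]


def limiter_rules_catching_icmp(rules):
    """Descriptions of limiter rules not restricted to tcp/udp (ICMP gets queued)."""
    return [r["descr"] for r in limiter_rules(rules) if r["protocol"] not in TCP_UDP]


def report(xml_text):
    """Human-readable listing of floating rules plus warnings, as one string."""
    rules = floating_rules(xml_text)
    lines = []
    for i, r in enumerate(rules, 1):
        pipes = ", ".join(p for p in (r["dnpipe"], r["pdnpipe"]) if p) or "-"
        lines.append(f"{i}. {r['type']:<5} {r['direction']:<3} {r['protocol']:<7} "
                     f"limiter={pipes}  {r['descr']}")
    for descr in limiter_rules_catching_icmp(rules):
        lines.append(f"WARNING: limiter rule '{descr}' is not restricted to tcp/udp; "
                     f"ICMP (ping/traceroute) will be queued through the limiter too")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; the listing keeps the rules in the order they appear in the export, which is the order pfSense evaluates floating rules, so it also makes it easy to see where the limiter match rules sit relative to the pass rules.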
@enesas How are you doing it? It matters whether you have a web server or something like Teams. The web server is an incoming connection; Teams is outgoing.
For the latter see if this helps:
https://forum.netgate.com/post/1084271
@michmoor Normally that faster connection is the primary WAN (it's failover, so it only uses the cable until it goes down) but it's still crap because the upload is so low. 50Mbps doesn't go very far when you have multiple machines fighting for it.
And then when my cable ISP (annoyingly often) goes out and it fails over to running off Starlink, and in some cases (like my work laptop) I can't control it to separate the backup traffic from "needs to work all the time" traffic because I'm not an admin and they set it up to run everything over VPN that pfsense can't see the content of, so I need to find some alternative way to prioritize per-host.