@johngoutbeck So NO answer. Does this mean traffic shaping cannot be done for a transparent tunnel?

Without a proxy there is no concept of ensuring a client gets directed to the same backend for subsequent requests, and no way to handle removing a down/unresponsive server from the pool of available targets.

@steveits And it is fixed! Whew. Now if I can just get the box to check for updates reliably, which is yet another new issue, albeit a minor one!

@magikmark Thanks very much for the tailored advice. The fq_codel error logs are pulled from /var/log/system.log so they also show in the GUI under Status/System Logs/System/General. For whatever reason the errors promptly ceased after an unrelated update & reboot, so I have not had a chance to apply and monitor the suggested values. The 'observer effect' no doubt. ️

@steveits Ahh thank you, I did Google quite a bit but didn't find that. I hope there's a solution soon.

@rb625 traffic shaper can do this https://docs.netgate.com/pfsense/en/latest/trafficshaper/altq-scheduler-types.html#hierarchical-fair-service-curve-hfsc I’ve not used HFSC but there are tutorials online. CBQ has limits and “borrowing” but I had some challenges getting it to work. IIRC one has to set borrowing on the parent queue as well.

@level4 Thankyou, it worked

@jeremyj-0 Unfortunately for me, setting it to CoDel didn't help at all. I think we and many others have different environments, so it is hard to compare. I think I need to learn how to profile both system and network first. Because before I can solve it, I have to find out if it is something with software, hardware, or maybe my ISP is breaking everything. But each part needs different tools to investigate it properly. Also, I'm making it even harder by using proxmox.

@nocling yep - I'm using the same rule order. I think the "Pass" option for CoDel (in the documentation) meant that it gets re-ordered to the top of the list when it should be the last thing. I've put it at the end of my list of traffic shaping "match" rules and bufferbloat tests seem consistent in behaviour to the "pass" rule at the end of all floating rules.

@christos3105 That would be my understanding, but, if it is WAN Out that would normally always be allowed anyway (since normal rules are processed when packets enter an interface).

@dennypage There are many ways to approach this but my suggestion does take icmp and other protocols out of the equation. The firewall floating rule ONLY includes tcp and udp. I just installed pfsense the other night and curiously ran into the same issues running ping and traceroute with my windows laptop having the “repeating” issue along with dropped pings. This change resolved my issue and still controls bloat. Cake has this feature aimed towards a 11:1 or higher rate. Finding a way to drop duplicate acks is another avenue worth exploring for extending the ingress bandwidth at the expense of more cpu usage. I started with openwrt and the sqm folks learning much over the years.

@mloiterman DiffServe Code Points? What do u mean? All DNS queries are given the same priority as the TCP ack. Creat a floating rule that would intercept queries on your DNS resolver provider. The way I set up my DNS is somethin like this: AdGuard Home for pfSense Then I use NextDNS for my upstream DNS What optimization have you done on your pfsense? Have you tried playing around with the System Tunables?

@slu The ixl driver doesn’t support ALTQ traffic shaping. You can use Limiters though.