The best values for those are the defaults. Hardware Checksum Offloading = Unchecked TSO = Checked LRO = Checked You do not want TSO or LRO active on a firewall/router.

@johngoutbeck So NO answer. Does this mean traffic shaping cannot be done for a transparent tunnel?

Without a proxy there is no concept of ensuring a client gets directed to the same backend for subsequent requests, and no way to handle removing a down/unresponsive server from the pool of available targets.

@steveits And it is fixed! Whew. Now if I can just get the box to check for updates reliably, which is yet another new issue, albeit a minor one!

@magikmark Thanks very much for the tailored advice. The fq_codel error logs are pulled from /var/log/system.log so they also show in the GUI under Status/System Logs/System/General. For whatever reason the errors promptly ceased after an unrelated update & reboot, so I have not had a chance to apply and monitor the suggested values. The 'observer effect' no doubt. ️

@steveits Ahh thank you, I did Google quite a bit but didn't find that. I hope there's a solution soon.

@rb625 traffic shaper can do this https://docs.netgate.com/pfsense/en/latest/trafficshaper/altq-scheduler-types.html#hierarchical-fair-service-curve-hfsc I’ve not used HFSC but there are tutorials online. CBQ has limits and “borrowing” but I had some challenges getting it to work. IIRC one has to set borrowing on the parent queue as well.

@level4 Thankyou, it worked

@jeremyj-0 Unfortunately for me, setting it to CoDel didn't help at all. I think we and many others have different environments, so it is hard to compare. I think I need to learn how to profile both system and network first. Because before I can solve it, I have to find out if it is something with software, hardware, or maybe my ISP is breaking everything. But each part needs different tools to investigate it properly. Also, I'm making it even harder by using proxmox.

@nocling yep - I'm using the same rule order. I think the "Pass" option for CoDel (in the documentation) meant that it gets re-ordered to the top of the list when it should be the last thing. I've put it at the end of my list of traffic shaping "match" rules and bufferbloat tests seem consistent in behaviour to the "pass" rule at the end of all floating rules.

@christos3105 That would be my understanding, but, if it is WAN Out that would normally always be allowed anyway (since normal rules are processed when packets enter an interface).