Bufferbloat is temporary latency due to buffers being filled during moments that data isn't able to be sent over the line. This is often an issue for cable internet customers because of the shared nature of the cable system. It's most noticeable in online gaming, and sometimes in VoIP applications, where low latency is extremely important and a sudden 300+ms delay becomes noticeable, even if it's just for a moment. It's not so much a slowness issue as it is a latency issue. There are a couple of different ways that you can add Codel to the traffic shaper. The best way for you might be different than someone else depending on what other traffic shaping is being done. If you're not doing anything else, then you can add Codel directly to an interface in the traffic shaper. That has worked great for me, raising my Bufferbloat score from a D to a B.

Thanks! I just realized that reply-to is still being set on automatically generated rules for VPN traffic even though I have 'Disable reply-to' enabled in System->Advanced->Firewall & NAT (see my post above showing the rules).  It appears I would need to override that too. EDIT:  It looks like my rules on the WAN interface allowing udp 500 and ESP protocol are overriding those auto-generated rules.  I don't see any packet counts on those auto-generated reply-to rules. pfctl -vsr | grep -A 2 "reply-to" I see all packet counts at 0  "Packets: 0".

"No issues running 2.3.x on esxi 5.1.x" That is nice to hear but that is not a supported configuration from even vmware.. Since they do not support the version of freebsd pfsense is running on.. freebsd 10.x is not supported by vmware until 5.5u2 so while it might work, it is not a combination that should be used..  You need to update your esxi to 5.5u2 at min to be inline with what vmware says their product supports. http://www.vmware.com/resources/compatibility/search.php?deviceCategory=software [image: vmwaresupport.png] [image: vmwaresupport.png_thumb]

This is the method I prefer: https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

I found that under gateway > settings > advanced options I enabled it and I got net access in ma pfsense machine. But for lan its not loading any web pages. I cant ping to the given gateway (via pfsense console), but can ping Google. and when I traceroute  Google, It shows * after the public ip (in the gateway portion) and then traced Google.

You seriously broke something in the process. You'll have to reinstall via USB. If you're getting the same end result screen as what you show there when booting from USB, then you aren't actually booting from USB. Probably because it's not a properly written bootable USB drive.

That's almost certainly your modem. 4 ms is too low for it to be traversing the coax and looks to be too consistently 4 ms for that as well. I haven't heard of anyone else seeing anything like that. Though there is some buggy firmware going around on TWC for SB6183 modems, I'd only heard of it breaking IPv6, not doing stupid things with IPv4. See this thread for instance, and the links to dslreports there. https://forum.pfsense.org/index.php?topic=108971.0

@Clouseau: Okey - I have the same problem than diablo266 - should I start a new thread? Not if you actually have the same problem. At this point, this is a well-established known issue, and we don't need any further specifics as we have a replicable test case and are working on finding the root cause. Can follow here for updates: https://redmine.pfsense.org/issues/6296

as my daughter would say "like a boss" worked a treat,  many thanks to you sir :)

If you upgraded from 2.3 beta, you may still have 250ms as the polling interval. This was the default earlier in the beta process. The current default is 500ms. FWIW, by default dpinger uses a data payload of 0 bytes, so the packets are much smaller than a standard ping which is a 56 byte payload.

Thank you. I will read and try it. Best,

I had no problem with this board. I followed an instruction in the forum. Gently –-- <soapbox>Just because it worked and you "had no problem" doesn't mean it's a good idea.</soapbox>