Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HAProxy very bad performance / throughput

    Cache/Proxy
    haproxy performance throughput pfsense+
    2
    4
    152
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AndyD
      last edited by

      Hi everyone,

      I have a working setup with HAProxy for both HTTP and HTTPS (no offloading) to serve different subdomains by two different backend servers.

      The problem is that HAProxy is reducing the throughput to roughly 1/50 of the value without HAProxy involved.

      Download speeds via HAProxy only reach about 1MB/s max (more often closer to 500kB/s). This is for both HTTP as well as HTTPS. When bypassing HAProxy with a port forward from public ports 81/444 to ports 80/443 of one of the backend servers, download speeds reach 50 MB/s consistently. That is also the expected value to saturate the ISP uplink. ...

      CPU usage is no issue as it stays below 10%. AES-NI CPU Crypto is enabled.

      More background:

      • PFSense is the WAN router on the network.
      • All traffic is passing through it without any performance problems. The only issue is with traffic which is handled by HAProxy running on it.
      • The network itself is rather small and contains only the two backend servers.
      • PFSense+ 24.04
      • HAProxy 2.9.10-4bcaece
      • Hardware: Netgate 1537 appliance

      Any suggestions what the issue may be?

      A 1 Reply Last reply Reply Quote 0
      • A
        AndyD @AndyD
        last edited by

        @AndyD One addition: Portforwarding from PFSense to an HAProxy running on RHEL behind it leads to the expected high download speeds.

        I used the PFSense-HAProxy config file to configure the HAProxy on RHEL (with only minor changes to make it compatible). So I guess it is not a general issue with the HAProxy config but in particular with HAProxy running on PFSense.

        1 Reply Last reply Reply Quote 0
        • A
          AndyD
          last edited by

          To answer my own question: The problem is due to TCP packet reordering, which the default TCP stack of freeBSD 15 does not handle very well.

          The solution would be to activate the RACK TCP stack available in freeBSD. However, pfSense+ has this feature of stock freeBSD disabled.
          https://freebsdfoundation.org/our-work/journal/browser-based-edition/networking-10th-anniversary/rack-and-alternate-tcp-stacks-for-freebsd/

          I created an issue on the PfSense redmine and ask anyone experiencing similar issues to support it: https://redmine.pfsense.org/issues/15813

          P 1 Reply Last reply Reply Quote 2
          • P
            planetinse @AndyD
            last edited by planetinse

            @AndyD Finally an explanation what happened after 2.4 where HAProxy performance dropped like a stone :), lets hope this comes to CE version too.

            1 Reply Last reply Reply Quote 1
            • First post
              Last post