Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Poor IPv6 performance through HAProxy

    Scheduled Pinned Locked Moved IPv6
    1 Posts 1 Posters 583 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      Hypocrisy1597
      last edited by Hypocrisy1597

      I am experiencing terrible upstream performance when connecting to my global IPv6 address through haproxy (about 0.02mbps vs 40 mbps). This issue only impacts upstream performance. The ipv4 address works fine. HAProxy running on pfsense forwards to several docker containers on my LAN based on hostname. I've run every test I can think of to try to make sense of this:

      • Open containers public ipv6 address through firewall and connect directly - Good performance
      • Port-forward port 8080 on WAN ipv6 address (same as haproxy listens on) to direct translate to containers ipv6 address - Good performance
      • Pick new ipv6 address on network, 1-off from container's v6 address; create alias and bind haproxy to listen - Poor performance (0.02mbps)
      • Configure haproxy to proxy to container's ipv6 address instead of ipv4 address - Poor performance
      • Change port for haproxy SSL termination from 443 to 8443 - Poor performance
      • Try haproxy-devel 0.62_10 - poor performance

      This is clearly not an ISP problem (xfinity) since ipv6 performance directly to the container or through a port forward is good. They also do not seem to be filtering on port 443 (specifically with ipv6, ipv4 traffic to port 443 is good) since changing to 8443 also gives poor performance.

      I'm just totally lost as to what to try next. The only way I've been able to get good performance is by bypassing haproxy for ipv6, or sticking to ipv4. I'm pretty certain that haproxy shouldn't even care if its listening on a v4 or a v6 address.

      Running haproxy 0.61_7 on pfsense 2.6.0-RELEASE

      my haproxy config file:

      
      
      # Automaticaly generated, dont edit manually.
      # Generated on: 2023-02-19 20:36
      global
      	maxconn			10000
      	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
      	uid			80
      	gid			80
      	nbproc			1
      	nbthread			1
      	hard-stop-after		15m
      	chroot				/tmp/haproxy_chroot
      	daemon
      	tune.ssl.default-dh-param	2048
      	log-send-hostname		haproxy
      	server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
      	bind 127.0.0.1:2200 name localstats
      	mode http
      	stats enable
      	stats refresh 10
      	stats admin if TRUE
      	stats show-legends
      	stats uri /haproxy/haproxy_stats.php?haproxystats=1
      	timeout client 5000
      	timeout connect 5000
      	timeout server 5000
      
      resolvers globalresolvers
      	nameserver local 127.0.0.1:53
      	resolve_retries 20
      	timeout retry 5s
      	timeout resolve 10s
      
      frontend Default-443-merged
      	bind			<ipv4-ip>:443 name <ipv4-ip>:443   ssl crt-list /var/etc/haproxy/Default-443.crt_list  
      	bind			<ipv6-ip>:443 name <ipv6-ip>:443   ssl crt-list /var/etc/haproxy/Default-443.crt_list  
      	mode			http
      	log			global
      	option			httplog
      	option			http-keep-alive
      	option			forwardfor
      	acl https ssl_fc
      	http-request set-header		X-Forwarded-Proto http if !https
      	http-request set-header		X-Forwarded-Proto https if https
      	timeout client		30000
      	acl			speedtest	var(txn.txnhost) -m str -i speedtest.<redacted>
      	use_backend speedtest_pool_ipvANY  if  speedtest 
      
      backend speedtest_pool_ipvANY
      	mode			http
      	id			105
      	log			global
      	http-response set-header Strict-Transport-Security max-age=31536000;
      	rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option forwardfor
      	server			speedtest speedtest.<docker>:80 id 101 check inter 20000  weight 100 resolvers globalresolvers 
      
      
      

      Screenshot of packet capture of poor performance test:
      0d0b7a12-de40-481e-8b24-7bf7204a0c3b-image.png

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.