pfSense + HAProxy + local speedtest throughput

I’m having an interesting phenomenon happening with throughput on a locally-hosted speedtest server.

I have a LibreSpeed speedtest server running in a Docker container on my Synology NAS (DS920+). I also have pfSense running HAProxy on a home-built router. All of my connectivity is set up the way I like it (took me a while to get it all straight but I’m happy with it now). It’s running great, but there’s a funny throughput issue I’ve run into:

If I browse (internally) to the speedtest server directly by IP:Port and run a test, I get a symmetrical 1 Gbps up/down.
If I browse (internally) to the speedtest server by speed.“domain”.com, routing through the HAProxy, I get nearly exactly 100 Mbps both up and down.

I thought there was some sort of throughput limiting going on with HAProxy or something but then:
I opened the firewall up to external access, then browsed (from a very speedy external network) to speed.“domain”.com through the pfSense/HAProxy, where I was able to get 10 Mbps down / 230 Mbps up (which matches my ISP rated speeds exactly). This proves that HAProxy is able to keep up with my true internet speed when accessing the speedtest from an external network.

Why do I get so limited when browsing through HAProxy from the same network?

Other info: I do have DNS Host Overrides configured for the speed.“domain”.com address, pointing at the HAProxy Virtual IP.

A guess is that you have it passing through some limiters, such as CODELQ.

I thought that too, but I have nothing configured under traffic shaping. I have no limiters set up. Is that potentially my issue? Do I need to have a base configuration to get better performance?

Maybe, it’s not an issue I have encountered before.

I’m several years too late to this but I’ve got the same kind of setup as the OP and the same performance issue.

Did you ever manage to solve the problem?

@mindguerrillas In the interest of not leaving you hanging, I’ll reply but it won’t be satisfying: I never did resolve this. I ended up running a reverse proxy (Traefik) on my external server, and have since moved my firewall to OPNsense. I liked the idea of having the reverse proxy on the gateway/firewall itself, but I think separating them makes more sense in many ways.

Thanks for getting back to me on this.

It’s a shame that there was no solution found for this. Despite this, I’ll be sticking with pfSense and HAProxy. For what I use it for, this is more of an irritant than a deal breaker.

Thanks again for your quick reply.