
Hands‑On Guide: Setting Up LVS NAT and TUNNEL Load Balancing on UCloud

This tutorial walks through building a three‑node UCloud lab, installing ipvsadm, configuring NAT and TUNNEL load‑balancing modes with LVS, adjusting routing and ARP settings, and verifying the setup using ipvsadm commands and curl requests.

UCloud Tech

Practice Environment

LVS is part of the Linux kernel (module ipvs) and is managed via the ipvsadm tool. Three UCloud VMs (CentOS 7.9, 1 CPU 1 GB) are used: two real servers (RS01, RS02) and one load‑balancer (LB01). Firewall ports 22, 3389, 80, 443 are opened.

RS01: 10.23.190.76

RS02: 10.23.122.152

LB01: 10.23.21.184

Both real servers run httpd with distinct responses; LB01 runs ipvsadm.

NAT Mode Practice

NAT mode rewrites the destination or source IP address of packets, which allows port translation. Real servers must share the same subnet as the load balancer and use the load balancer as their default gateway.

Install and start httpd on the real servers:

yum install httpd -y && service httpd start
echo "HelloFrom RS01/RS02" > /var/www/html/index.html

Install and start ipvsadm on LB01:

yum install ipvsadm && ipvsadm --save > /etc/sysconfig/ipvsadm && service ipvsadm start

Configure default gateway on the real servers to the LB01 internal IP:

route add default gw 10.23.21.184

Delete the previous gateway:

route del default gw 10.23.0.1

Add virtual service and real servers with ipvsadm:

ipvsadm -A -t 10.23.21.184:8000 -s rr
ipvsadm -a -t 10.23.21.184:8000 -r 10.23.190.76:80 -m
ipvsadm -a -t 10.23.21.184:8000 -r 10.23.122.152:80 -m

Enable IP forwarding:

echo 1 >/proc/sys/net/ipv4/ip_forward

Explanation of ipvsadm flags:

-A: add a virtual server

-a: add a real server

-t: TCP service

-s: scheduling algorithm (rr = round‑robin)

-m: use NAT mode

Verify with ipvsadm -ln and test via a browser or curl against the LB01 external IP.

TUNNEL Mode Practice

TUNNEL mode adds an extra IP header without altering the original packet, so ports are not changed, port translation is not supported, and real servers must process the extra IP header of the double‑encapsulated packets. Real servers and the load balancer may reside in different subnets.

An additional DIP (10.23.21.180) is used because a VIP cannot be directly bound.

Load the ipip kernel module:

modprobe ipip

Verify loading:

lsmod | grep ipip

Adjust ARP settings:

echo 1 > /proc/sys/net/ipv4/conf/tunl0/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/tunl0/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

Disable source address verification (reverse‑path filtering, rp_filter):

echo 0 > /proc/sys/net/ipv4/conf/tunl0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

Configure the DIP on LB01:

ifconfig tunl0 10.23.21.180 broadcast 10.23.21.180 netmask 255.255.255.255 up
route add -host 10.23.21.180 tunl0

Add virtual service and real servers (using TUNNEL mode):

ipvsadm -A -t 10.23.21.180:80 -s wrr
ipvsadm -a -t 10.23.21.180:80 -r 10.23.190.76 -i -w 1
ipvsadm -a -t 10.23.21.180:80 -r 10.23.122.152 -i -w 1

Verify with ipvsadm -ln and the routing tables.

Finally, add a static route so traffic to the DIP reaches LB01:

route add -host 10.23.21.180 gw 10.23.21.184

Verification shows successful load balancing in both NAT and TUNNEL modes, and the next article will cover DR mode with Keepalived for high availability.
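
The two ipvsadm -ln verification steps above can be scripted. The following is an added example, not part of the original article: it summarizes ipvsadm -ln output per virtual service and checks the forwarding method and the number of real servers with non-zero weight. The function names lvs_summary and lvs_check and the sample output are constructed for illustration.

```shell
# Constructed sample of `ipvsadm -ln` output for the two services in this guide
# (not captured from a real host).
SAMPLE_LN='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.23.21.180:80 wrr
  -> 10.23.122.152:80             Tunnel  1      0          0
  -> 10.23.190.76:80              Tunnel  1      0          0
TCP  10.23.21.184:8000 rr
  -> 10.23.122.152:80             Masq    1      0          0
  -> 10.23.190.76:80              Masq    1      0          0'

# lvs_summary (hypothetical helper): read `ipvsadm -ln` text on stdin and print
# one line per TCP/UDP virtual service:
#   <vip:port> <scheduler> <forward methods, comma-joined> <servers with weight > 0>
lvs_summary() {
  awk '
    function emit() { if (svc != "") print svc, sched, methods, up }
    $1 == "TCP" || $1 == "UDP" {
      emit(); svc = $2; sched = $3; methods = ""; up = 0; split("", seen); next
    }
    $1 == "->" && $3 ~ /^(Masq|Tunnel|Route|Local)$/ {
      if ($4 > 0) up++              # weight 0 = quiesced, receives no new connections
      if (!($3 in seen)) { seen[$3] = 1; methods = methods (methods == "" ? "" : ",") $3 }
    }
    END { emit() }
  '
}

# lvs_check SERVICE METHOD MIN_SERVERS (hypothetical helper): succeed only if
# SERVICE exists, every real server uses METHOD (Masq = NAT, Tunnel = TUNNEL),
# and at least MIN_SERVERS real servers have a non-zero weight.
lvs_check() {
  lvs_summary | awk -v s="$1" -v m="$2" -v n="$3" '
    $1 == s { found = 1; ok = ($3 == m && $4 >= n) }
    END { exit !(found && ok) }
  '
}

# Demo on the constructed sample; on LB01 use: ipvsadm -ln | lvs_check 10.23.21.184:8000 Masq 2
printf '%s\n' "$SAMPLE_LN" | lvs_summary
```

A service whose real servers mix forwarding methods shows up as a comma-joined list (for example Masq,Tunnel) and fails lvs_check for either method.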
