How SLB Works: Reverse Proxy, Transparent, and Triangle Modes Explained

Background

Server Load Balancing (SLB) distributes client requests across multiple real servers (RS) behind a virtual IP (VIP). The load balancer rewrites packet headers according to the selected transmission mode to avoid overloading any single server.

Transmission Modes

SLB operates in three L4/L7 modes, each defining how source and destination IP/port fields are modified.

Reverse‑proxy mode – the balancer acts as a proxy; both source and destination addresses are rewritten.

Transparent (pass‑through) mode – the balancer forwards the packet unchanged for the source IP, only rewriting the destination to the selected RS; the reply is rewritten back to the VIP.

Triangle mode – the balancer forwards the original packet to the RS; the RS is configured with the VIP on a loopback interface and replies directly to the client. The balancer does not modify the reply.

Test Topology

All packet captures were performed with tcpdump and Wireshark on both client and RS interfaces.

Client IP: 10.8.21.40

Load‑balancer downstream interface: 172.16.75.83

Virtual IP (VIP): 172.16.75.84

Real Server 1 (RS1): 172.16.75.82

Real Server 2 (RS2): 172.16.75.85

Reverse‑Proxy Mode

When the balancer receives a SYN from the client (src 10.8.21.40, dst VIP 172.16.75.84, dst‑port 80), it records the original fields, replaces the destination IP with the selected RS (e.g., 172.16.75.82), keeps the destination port, and changes the source IP to its downstream interface (172.16.75.83) with a random source port. The RS replies to 172.16.75.83; the balancer rewrites the source back to the VIP and forwards the packet to the client. Consequently the RS never sees the client’s real IP. Adding an X‑Forwarded‑For header in the HTTP request can expose the original client address.

Transparent (Pass‑Through) Mode

In this mode the balancer forwards the client packet unchanged for the source IP. The RS receives the original client IP (10.8.21.40) as the source and the VIP as the destination. After processing, the RS sends the reply directly to the client. The balancer intercepts the reply only to replace the source IP with the VIP before forwarding.

Triangle Mode

Upon receiving the client SYN, the balancer selects an RS and forwards the packet unchanged (source remains 10.8.21.40). The RS is configured with the VIP (172.16.75.84) on a loopback interface, so its reply uses the VIP as the source address. Because the balancer does not alter the reply, the client receives a packet directly from the VIP, while the RS communicates with the client without additional processing by the balancer.

Key Observations

Reverse‑proxy mode hides the client IP from RS, improving security but requiring header injection (e.g., X‑Forwarded‑For) if the original client address is needed.

Transparent mode preserves the client IP at the cost of less control over RS traffic.

Triangle mode minimizes balancer processing, suitable for high‑throughput or large‑connection scenarios, provided the RS can route to the client and has the VIP configured on a loopback interface.