
How to Build a High‑Availability NAT Load Balancer with LVS and ipvsadm on Linux

This guide walks through planning a NAT architecture, preparing Linux hosts, configuring route and LVS servers, setting up real servers with httpd, creating an LVS NAT cluster, testing client access, and persisting ipvsadm rules for reliable load balancing.

Raymond Ops

1. NAT Architecture Diagram

2. Environment Preparation

2.1 Host Planning

Hostname   IP address
route      LAN: 192.168.87.132   WAN: 192.168.10.12
lvs        LAN: 192.168.87.131
rs-01      LAN: 192.168.87.129
rs-02      LAN: 192.168.87.130
client     WAN: 192.168.10.4

2.2 Linux route server configuration

2.2.1 Configure WAN IP address

# cat /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
IPADDR=192.168.10.12
PREFIX=24
GATEWAY=192.168.10.2 # gateway
DNS1=192.168.10.2

2.2.2 Configure LAN IP address (rs same subnet)

# cat /etc/sysconfig/network-scripts/ifcfg-ens36
BOOTPROTO=static
IPADDR=192.168.87.132
PREFIX=24
GATEWAY=192.168.87.2

2.2.3 Enable FORWARD

echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
sysctl -p

2.3 Linux LVS server configuration

2.3.1 Configure LAN IP address

# cat /etc/sysconfig/network-scripts/ifcfg-ens36
BOOTPROTO=static
IPADDR=192.168.87.131
PREFIX=24
GATEWAY=192.168.87.132 # router IP

2.3.2 Add VIP (ens36:1)

cp /etc/sysconfig/network-scripts/ifcfg-ens36 /etc/sysconfig/network-scripts/ifcfg-ens36:1
# edit /etc/sysconfig/network-scripts/ifcfg-ens36:1
BOOTPROTO=static
NAME=ens36:1
DEVICE=ens36:1
ONBOOT=yes
IPADDR=192.168.87.200
PREFIX=24

2.3.3 Enable FORWARD

echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
sysctl -p

2.4 rs-01 server IP configuration

2.4.1 IP address

# cat /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
IPADDR=192.168.87.129
NETMASK=255.255.255.0
GATEWAY=192.168.87.131 # points to LVS LAN IP

2.4.2 Add host route (not needed in production)

route add -host 192.168.87.132 gw 192.168.87.200
# Needed only because this lab uses the same subnet on both sides of the NAT;
# without it the outbound route back toward the router is missing.
# 192.168.87.132 is the router IP, 192.168.87.200 is the VIP
route add -host client_ip gw route_ip   # generic form: reach client_ip via route_ip

2.5 rs-02 server IP configuration

2.5.1 IP address

# cat /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
IPADDR=192.168.87.130
PREFIX=24
GATEWAY=192.168.87.131 # points to LVS LAN IP

2.5.2 Add host route (not needed in production)

route add -host 192.168.87.132 gw 192.168.87.200
# same comment as above
route add -host client_ip gw route_ip

2.6 Install httpd on rs-01 and rs-02

2.6.1 Install httpd

yum install httpd -y

2.6.2 Write homepage

echo "rs-01" > /var/www/html/index.html   # on rs-01
echo "rs-02" > /var/www/html/index.html   # on rs-02

2.6.3 Start httpd

systemctl start httpd

2.6.4 Test access

# curl 192.168.87.129
rs-01
# curl 192.168.87.130
rs-02

3. Configure LVS NAT

3.1 Create LVS cluster

ipvsadm -A -t 192.168.87.200:80 -s rr

3.2 Add real servers to LVS cluster

ipvsadm -a -t 192.168.87.200:80 -r 192.168.87.129:80 -m
ipvsadm -a -t 192.168.87.200:80 -r 192.168.87.130:80 -m

3.3 Query cluster status

ipvsadm -L -n
# Output shows TCP 192.168.87.200:80 rr with two real servers (192.168.87.129 and 192.168.87.130)

4. Client test access (gateway address method)

4.1 Change gateway IP to router IP

# edit /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.10.4
PREFIX=24
GATEWAY=192.168.10.12
DNS1=192.168.10.2
systemctl restart network

4.2 Access VIP address

# curl 192.168.87.200:80
rs-02
# curl 192.168.87.200:80
rs-01

5. Client test access (direct router IP method)

5.1 Remove client gateway

5.1.1 Delete GATEWAY

# edit /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
IPADDR=192.168.10.4
PREFIX=24
DNS1=192.168.10.2
# no GATEWAY field

5.1.2 Restart network and test

systemctl restart network
# curl 192.168.87.200:80
curl: (7) Failed to connect to 192.168.87.200: Network is unreachable

5.2 Configure SNAT and DNAT on router

5.2.1 DNAT (incoming)

# forward all traffic for router address 192.168.10.12 to VIP 192.168.87.200 (no protocol or port restriction)
iptables -t nat -A PREROUTING -d 192.168.10.12 -j DNAT --to 192.168.87.200
# forward port 80
iptables -t nat -A PREROUTING -d 192.168.10.12 -p tcp --dport 80 -j DNAT --to 192.168.87.200:80

5.2.2 SNAT (outgoing)

# outbound: translate 192.168.10.0/24 to router 192.168.10.12
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to 192.168.10.12
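The two rules above work, but the first DNAT rule carries no -p or --dport match, so every packet aimed at the router's WAN address, including SSH or other management sessions meant for the router itself, is redirected to the VIP. The script below is an added example, not part of the original article: it renders the router's nat table in iptables-restore format with the DNAT limited to TCP/80 and both rules bound to the router's interfaces, lints the ruleset for unrestricted DNAT before loading it, and only touches the kernel when run with an explicit "apply" argument. The interface names and addresses are the article's lab values; the function names and the CLIENT_NET variable are chosen here.

```shell
#!/bin/sh
# Added example (not from the original article): build and lint the router's
# NAT rules for the LVS NAT lab, then load them atomically with iptables-restore.
set -eu

WAN_IF="ens33"                 # router WAN interface (article section 2.2.1)
LAN_IF="ens36"                 # router LAN interface (article section 2.2.2)
WAN_IP="192.168.10.12"         # router WAN address clients connect to
VIP="192.168.87.200"           # LVS virtual IP
VPORT="80"
CLIENT_NET="192.168.10.0/24"   # client side subnet (name chosen here)

# Emit the nat table in iptables-restore format. Only port 80 is DNATed, and
# the SNAT applies only to client traffic that was just DNATed toward the VIP.
gen_router_nat() {
    wan_if="$1"; lan_if="$2"; wan_ip="$3"; vip="$4"; vport="$5"; client_net="$6"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan_if -d $wan_ip/32 -p tcp --dport $vport -j DNAT --to-destination $vip:$vport
-A POSTROUTING -o $lan_if -s $client_net -d $vip/32 -j SNAT --to-source $wan_ip
COMMIT
EOF
}

# Reject any ruleset that contains a DNAT rule without a destination port
# restriction; such a rule would also capture management traffic to the router.
lint_nat_rules() {
    awk '/-j DNAT/ && !/--dport/ { print "unrestricted DNAT: " $0 > "/dev/stderr"; bad=1 }
         END { exit bad }'
}

# Load the rules (root required). iptables-restore replaces only the tables
# named in its input, so the filter table is left untouched.
apply_router_nat() {
    rules=$(gen_router_nat "$WAN_IF" "$LAN_IF" "$WAN_IP" "$VIP" "$VPORT" "$CLIENT_NET")
    printf '%s\n' "$rules" | lint_nat_rules
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf '%s\n' "$rules" | iptables-restore
    iptables -t nat -L -n -v
}

if [ "${1:-}" = "apply" ]; then
    apply_router_nat
fi
```

Run it as `sh router-nat.sh apply` on the router; without the argument it only defines the functions, which is what makes the ruleset reviewable before anything is loaded.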

5.3 Test accessing router IP

# curl 192.168.10.12
rs-01
# curl 192.168.10.12
rs-02

6. Persist ipvsadm configuration rules

6.1 Save configuration

ipvsadm-save > /etc/sysconfig/ipvsadm

6.2 Load or remove rules with systemctl

systemctl start ipvsadm
systemctl stop ipvsadm
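Sections 3 and 6 create the cluster by hand and then dump whatever is in the kernel to /etc/sysconfig/ipvsadm. The script below is an added example, not code from the original article: it treats the real-server list as the source of truth, generates the ruleset in the same format ipvsadm-save writes, validates it, and loads it through ipvsadm-restore so that the running cluster and the persisted file are built from one definition. The VIP, port, scheduler and real servers are the article's values; RS_LIST, RULES_FILE and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the original article): declarative build and
# persistence of the LVS NAT cluster using the ipvsadm-save/-restore format.
set -eu

VIP="192.168.87.200"
VPORT="80"
SCHED="rr"                                        # round-robin, as in the article
RS_LIST="192.168.87.129:80 192.168.87.130:80"     # real servers (name chosen here)
RULES_FILE="/etc/sysconfig/ipvsadm"               # file read by the ipvsadm unit

# Emit the ruleset: -A adds the virtual service, -a adds each real server in
# masquerading (NAT) mode with weight 1. This is the format ipvsadm-save -n
# prints, so the same text feeds ipvsadm-restore and the persisted file.
gen_ipvs_rules() {
    vip="$1"; vport="$2"; sched="$3"; shift 3
    printf '%s -t %s:%s -s %s\n' "-A" "$vip" "$vport" "$sched"
    for rs in "$@"; do
        printf '%s -t %s:%s -r %s -m -w 1\n' "-a" "$vip" "$vport" "$rs"
    done
}

# Refuse a real server that is not ip:port, or that is the VIP itself
# (which would send the packet straight back into IPVS).
validate_rs() {
    vip="$1"; shift
    for rs in "$@"; do
        case "$rs" in
            "$vip":*) echo "real server $rs is the VIP" >&2; return 1 ;;
            *:[0-9]*) ;;
            *) echo "real server $rs is not ip:port" >&2; return 1 ;;
        esac
    done
}

# Load into the kernel (root and the ip_vs module required), persist, and show.
apply_ipvs() {
    # shellcheck disable=SC2086  # RS_LIST is intentionally word-split
    validate_rs "$VIP" $RS_LIST
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Drop any existing service on this VIP:port so the load is idempotent.
    ipvsadm -D -t "$VIP:$VPORT" 2>/dev/null || true
    gen_ipvs_rules "$VIP" "$VPORT" "$SCHED" $RS_LIST | ipvsadm-restore
    gen_ipvs_rules "$VIP" "$VPORT" "$SCHED" $RS_LIST > "$RULES_FILE"
    ipvsadm -L -n
}

if [ "${1:-}" = "apply" ]; then
    apply_ipvs
fi
```

Run it as `sh lvs-nat.sh apply` on the LVS host; afterwards `systemctl start ipvsadm` restores the same rules at boot because the persisted file was written from the same generator rather than from whatever happened to be in the kernel.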
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: load balancing, Linux, NAT, LVS, ipvsadm
Written by Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
