Mastering LVS: Load‑Balancing Modes, Concepts, and Configuration Guide

What is LVS?

LVS (Linux Virtual Server) is a kernel‑integrated load balancer capable of handling millions of concurrent connections.

LVS Cluster Concepts

VS : Virtual Server, the LVS node itself.

RS : Real Server that provides the actual service.

CIP : Client IP address.

VIP : The public IP address advertised by LVS; clients access the cluster via this address.

DIP : The internal IP address of the LVS node used to forward client requests.

User Access Flow

Client (CIP) → VIP → DIP → Real Server IP (RIP).

Four LVS Operating Modes

LVS‑NAT

LVS‑DR (Direct Routing)

LVS‑TUN (IP Tunnel)

LVS‑FULLNAT

LVS NAT Mode

NAT (Network Address Translation) includes SNAT and DNAT. SNAT changes the source IP of outbound packets; DNAT changes the destination IP of inbound packets.

SNAT : Source address translation for internal‑to‑external traffic.

DNAT : Destination address translation for external‑to‑internal traffic.

In LVS‑NAT, the load balancer performs DNAT on the destination IP and port, mapping them to a specific real server.

Workflow:

When a client sends a request to VIP, LVS changes the destination IP/port to the chosen real server (RIP). The response from RIP is sent back to LVS, which replaces the source IP/port with its own VIP before forwarding to the client.

RIP and DIP must be on the same network.

Response packets travel the same path, increasing load on LVS.

VS must run Linux; RS can be any OS.

LVS DR Mode

DR (Direct Routing) is the default LVS mode. It does not modify IP addresses; instead, it rewrites the MAC address to forward packets.

Workflow:

The client’s request MAC is changed to the DIP’s MAC, while the destination MAC is set to the chosen real server’s IP (RIP). Each real server also owns the VIP, allowing it to reply directly to the client.

All RS share the same VIP as LVS.

Clients must send requests to the LVS (not directly to RS).

RS can use private or public IPs; RIP and DIP must be in the same IP network, and the RS gateway must not point to DIP.

LVS and RS must reside on the same physical network.

Ensuring client packets reach LVS:

Configure static ARP bindings on the router (IP ↔ MAC).

Disable ARP replies on RS so that requests are forced through LVS while responses bypass it.

arp特殊报文：免费arp，用来探测网络中是否存在地址冲突。

arp响应和主动讯问：
响应：当接收到arp报文的时候，主机会进行回应，通过ip地址得到mac地址
主动讯问：主机会主动向外告诉别人自己的ip对应的mac地址

Kernel parameter tweaks on RS:

# 将VIP绑定在回环网卡上，通过设置内核参数实现不响应arp报文和静默模式。
# 不响应arp的免费报文
cat /proc/sys/net/ipv4/conf/lo/arp_ignore   # 0
# 是否开启静默
cat /proc/sys/net/ipv4/conf/lo/arp_announce # 0

LVS TUN Mode

TUN mode allows real servers to be on different physical networks, similar to DR but without IP modification; an extra IP header (source DIP, destination RIP) is added.

Workflow: The original client IP is preserved; an additional IP header is inserted. The real server processes the request and sends the response directly to the client.

RIP and DIP can be on different networks; RIP may have public connectivity.

Real servers must support tunneling.

LVS FULLNAT Mode

FULLNAT modifies both source and destination IP addresses of the packet.

Workflow: When the client accesses the VIP, LVS replaces the client’s source IP with DIP and the destination IP with RIP. The response from RIP is sent back to DIP, which then rewrites the source back to VIP before delivering to the client. NAT模式只会修改目标地址 VIP is a public address; RIP and DIP are private and usually not in the same IP network.

RS sees the request source as DIP, so it replies to DIP; LVS then forwards to the client, enabling port mapping.

This mode is not supported by default kernels and requires source code modifications.

Comparison of LVS Modes

NAT : DIP and RIP share the same IP network; RIP gateway must point to DIP.

DR : DIP and RIP share the same IP network; RIP gateway must NOT point to DIP for fastest performance.

TUN : RIP and DIP can be on different physical networks; RIP gateway usually does not point to DIP, and RIP can communicate with the public internet.

FULLNAT : RIP and DIP may be in different networks but must be reachable.

Source: https://www.cnblogs.com/heyongshen/p/16827111.html