Mastering LVS: Understanding Load Balancing Modes and Configuration

LVS Overview

LVS is a kernel-integrated load scheduler with powerful performance, supporting millions of concurrent connections.

LVS Cluster Concepts

VS: Virtual Server, the LVS server itself.

RS: Real Server providing services.

CIP: Client IP address.

VIP: IP address published by LVS for external access.

DIP: Internal IP address of LVS used to receive client requests (the VIP).

Client access flow: CIP → VIP → DIP → RIP

LVS Working Modes

lvs-nat: modifies destination IP (DNAT) for multiple target IPs.

lvs-dr: manipulates MAC address encapsulation.

lvs-tun: adds an extra IP header to the original request packet.

lvs-fullnat: modifies both source and destination IPs of the request packet.

LVS NAT Mode

NAT

NAT (Network Address Translation) includes SNAT and DNAT.

SNAT: source IP is changed when packets leave the internal network.

DNAT: destination IP is changed for responses from the external network.

Difference: external‑to‑internal requests use DNAT, internal‑to‑external use SNAT.

LVS‑NAT

LVS‑NAT is essentially multi‑target IP DNAT; the forwarded IP and port can map to different machines.

Workflow:

When a client (CIP) sends a request to VIP, LVS changes the destination IP and port to the real server’s RIP before forwarding via DIP.

When the real server replies, LVS replaces the source IP and port with its own VIP before sending back to the client.

RIP and DIP must be on the same network.

Response packets returning via the same path increase LVS load.

VS must run Linux; RS can be any OS.

LVS DR Mode

DR (Direct Routing) is LVS’s default mode; it does not modify IP or port, but re‑encapsulates the packet with a new MAC address for forwarding.

Workflow:

The client’s request MAC is changed to the MAC of LVS’s DIP; the destination MAC is the RIP of a selected real server, which also has the same VIP, allowing the RS to reply directly to the client.

All RS share the same VIP as LVS.

Clients must send requests to the LVS, not directly to RS.

RS RIP can be private or public; RIP and DIP must be in the same IP network; RS gateway must not point to DIP.

LVS and RS must be on the same physical network.

Ensuring client requests reach LVS:

Method 1: Configure static ARP binding on the router.

Method 2: Disable ARP replies on RS so requests go through LVS while replies bypass it.

arp特殊报文：免费arp，用来探测网络中是否存在地址冲突。

arp响应和主动讯问：

响应：当接收到arp报文的时候，主机会进行回应，通过ip地址得到mac地址

主动讯问：主机会主动向外告诉别人自己的ip对应的mac地址

Disabling RS ARP responses via kernel parameters:

#将VIP绑定在回环网卡上，通过设置内核的参数实现不响应arp报文和静默模式。
#不响应arp的免费报文
[root@data_server ~]# cat /proc/sys/net/ipv4/conf/lo/arp_ignore
0

#是否开启静默
[root@data_server ~]# cat /proc/sys/net/ipv4/conf/lo/arp_announce 
0

LVS TUN Mode

TUN mode allows RS and DIP to be on different physical networks, similar to DR but without the same‑network requirement.

Workflow: the original IP information is unchanged; an additional IP header (source DIP, destination RIP) is added. After processing, RS sends the response directly to the client.

RIP and DIP can be on different physical networks; RS gateway generally must not point to DIP, and RIP can communicate with the public Internet.

RS OS must support tunneling.

LVS FULLNAT Mode

Workflow: both source and destination IPs of the request packet are rewritten. When a client accesses LVS, the source IP is replaced by DIP and the destination by RIP; the response returns to DIP, and LVS forwards it to the client. NAT模式只会修改目标地址 VIP is a public address; RIP and DIP are private and usually not in the same IP network, so RIP’s gateway should not point to DIP.

RS receives requests with source DIP, so it replies to DIP, and LVS forwards the reply to the client.

Both request and response pass through LVS, enabling port mapping.

Note: This mode is not supported by default kernels and requires kernel modifications.

Comparison of LVS Modes

NAT: DIP and RIP share the same IP network; RIP gateway must point to DIP.

DR: DIP and RIP share the same IP network; RIP gateway must not point to DIP for fastest performance.

TUN: RIP and DIP can be on different physical networks; RS gateway generally must not point to DIP, and RIP can communicate publicly.

FULLNAT: RIP and DIP may not be in the same IP network but must be reachable.