Load Balancer with LVS

LVS Load Balancing Setup

  • One machine with two network adapters:
    • External (Bridged, in our case)
    • Internal (Host-only)

    Linux Virtual Server (LVS) operates on Layer 4 (TCP/UDP).

  • Two machines with one network adapter each, connected via the internal network.

    For setup instructions, see the article “Infrastructure 2 NIC’s”.

Install Required Packages

On Server 1 (the LVS load balancer), install ipvsadm, the LVS administration tool:

				
					sudo dnf install ipvsadm
				
			

LVS Configuration

Main config file location:

				
					/etc/sysconfig/ipvsadm-config
				
			

Create the IPVS rules file (if it doesn’t exist):

				
					sudo touch /etc/sysconfig/ipvsadm
				
			

Enable and start the service:

				
					sudo systemctl enable --now ipvsadm
				
			

Check service status:

				
					systemctl status ipvsadm
				
			

Check existing IPVS rules:

				
					sudo ipvsadm -l
				
			

Create a Virtual HTTP Service on Port 80:

				
					sudo ipvsadm -A -t <ext-ip-of-server-1>:80 -s rr
				
			

Explanation:

    -A: Add a new virtual service

    -t: TCP-based service

    <ext-ip-of-server-1>:80: The VIP (Virtual IP) clients connect to (Server 1’s external IP)

    -s rr: Use the round-robin scheduling method

Add Backend (Real) Servers to the Load Balancer:

				
					sudo ipvsadm -a -t <ext-ip-of-server-1>:80 -r <ip-of-server-2>:80 -m
					sudo ipvsadm -a -t <ext-ip-of-server-1>:80 -r <ip-of-server-3>:80 -m

				
			

Explanation:

    -a: Add a real server

    -r <ip>:80: Backend server’s IP and port

    -m: Use masquerading (NAT)

Check the Current IPVS Rules: 

				
					sudo ipvsadm -l
				
			

Configure Firewall on Server 1 (Load Balancer)

Open the HTTP service in relevant zones:

				
					sudo firewall-cmd --add-service=http --permanent --zone=external
					sudo firewall-cmd --add-service=http --permanent --zone=trusted
				
			

Reload the firewall to apply changes:

				
					sudo firewall-cmd --reload
				
			

On Backend Servers (Server 2 and 3)

Install Apache:

				
					sudo dnf install httpd
				
			

Enable and start the service:

				
					sudo systemctl enable --now httpd
				
			

Create a custom index page:

				
					echo 'Hello from <server-name>' | sudo tee /var/www/html/index.html
				
			

Allow HTTP in the firewall:

				
					sudo firewall-cmd --add-service=http --permanent
					sudo firewall-cmd --reload

				
			

Important Note on Firewall and LVS Conflict

There can be conflicts between firewalld and LVS.

Currently, I haven’t found a complete solution. Even after:

  • Whitelisting worker IPs
  • Allowing HTTP in the correct zones

…it didn’t help. Therefore:

    🔧 For training and testing, it’s better to disable firewalld temporarily.

⚠️ Do not do this in production!

				
					# --now also stops the running service; undo with: sudo systemctl enable --now firewalld
					sudo systemctl disable --now firewalld

				
			

Testing

Open a browser and go to:

  • http://<ext-ip-of-server-1>
  • Refresh the page multiple times.

You should see:

  • Hello from server 2
  • or Hello from server 3

…changing on each refresh.

Save the Configuration

LVS rules exist only in the running kernel and are lost on reboot.

To make them persistent:

					sudo ipvsadm-save -n | sudo tee /etc/sysconfig/ipvsadm
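
Before trusting a saved rules file, it is worth checking that it contains only the virtual service and backends configured above. The following is an added example, not part of the original article: the function name audit_ipvs_rules, the finding labels and the sample addresses are assumptions, and it expects the round-robin scheduler and masquerading (-m) used on this page.

```shell
# Added example (not from the original page): audit rules in `ipvsadm-save -n`
# format against the layout configured above. TCP (-t) services only.
# Live use on the load balancer (addresses are yours to fill in):
#   sudo ipvsadm-save -n | audit_ipvs_rules VIP:80 "RIP2:80 RIP3:80"

audit_ipvs_rules() {
    # $1 = expected virtual service, $2 = space-separated allowed real servers
    awk -v vip="$1" -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {   # Pull the option values out of one rule line.
        t = r = s = ""; masq = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-t") t = $(i + 1)
            if ($i == "-r") r = $(i + 1)
            if ($i == "-s") s = $(i + 1)
            if ($i == "-m") masq = 1
        }
    }
    $1 == "-A" {   # virtual service definition
        if (t != vip) { print "UNEXPECTED_SERVICE " t; bad++ }
        else { seen = 1; if (s != "rr") { print "UNEXPECTED_SCHEDULER " s; bad++ } }
    }
    $1 == "-a" {   # real server entry
        if (t != vip || !(r in ok)) { print "UNEXPECTED_BACKEND " t " -> " r; bad++ }
        else { found[r] = 1; if (!masq) { print "NOT_MASQ " r; bad++ } }
    }
    END {
        if (!seen) { print "MISSING_SERVICE " vip; bad++ }
        for (i = 1; i <= n; i++)
            if (!(a[i] in found)) { print "MISSING_BACKEND " a[i]; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample in `ipvsadm-save -n` format (placeholder addresses).
SAMPLE_GOOD='-A -t 192.0.2.10:80 -s rr
-a -t 192.0.2.10:80 -r 10.0.0.2:80 -m -w 1
-a -t 192.0.2.10:80 -r 10.0.0.3:80 -m -w 1'

# Constructed sample: server 3 is gone and an unknown backend was added.
SAMPLE_DRIFT='-A -t 192.0.2.10:80 -s rr
-a -t 192.0.2.10:80 -r 10.0.0.2:80 -m -w 1
-a -t 192.0.2.10:80 -r 10.0.0.99:80 -m -w 1'

printf '%s\n' "$SAMPLE_DRIFT" \
    | audit_ipvs_rules 192.0.2.10:80 "10.0.0.2:80 10.0.0.3:80" || echo "rule drift detected"
```

The function prints one finding per line and returns 1 when anything differs from the expected layout, so it can gate a cron job or a check before ipvsadm-save output is written to /etc/sysconfig/ipvsadm.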