Understanding SLB: How Server Load‑Balancing Modes Operate and Their Packet Flows

1. Background of SLB

SLB (Server Load Balancing) distributes client traffic across multiple servers using a virtual IP (VIP). The client sees only the VIP, while real server (RS) IPs remain hidden, preventing overload and improving service reliability.

2. Three Transmission Modes of SLB

SLB works in three modes:

Reverse‑proxy mode

Transparent mode

Triangle mode

Each mode handles packet processing differently, but all require client requests to first reach the load‑balancer.

3. Reverse‑Proxy Mode

In reverse‑proxy mode, the load balancer acts as an external proxy for internal servers. When a client request arrives, the balancer records source/destination IPs, ports, and protocol, then rewrites the destination IP to the selected RS while keeping the source IP as the balancer’s downstream interface. The RS replies to the balancer, which then rewrites the source IP back to the VIP before sending the response to the client.

Packet capture shows the TCP three‑way handshake between client and balancer, followed by the balancer establishing a separate TCP connection with the RS, modifying IP addresses accordingly.

Analysis reveals that the RS sees the balancer’s IP as the client source, so the client’s real IP is lost; adding an X‑Forwarded‑For header can preserve it.

4. Transparent Mode

In transparent mode the RS is unaware of the balancer; the client’s IP is preserved. The balancer forwards the client’s packet to the chosen RS without altering the source IP. The RS replies directly to the client; the balancer only rewrites the source IP to the VIP before forwarding.

Packet traces show identical TCP handshakes to the reverse‑proxy mode, but the HTTP request’s source IP remains the client’s.

5. Triangle Mode

In triangle mode the balancer selects the optimal RS and forwards the packet at layer‑2 using the RS’s MAC address while setting the source IP to the VIP (typically on a loopback interface). The RS then replies directly to the client using the VIP as source, and the balancer does not modify the returning traffic.

Analysis shows that TCP handshakes follow the 4‑layer SLB flow, and the RS must have a route to the client and the VIP configured on its loopback; otherwise packets are dropped.

6. Summary

Reverse‑proxy mode hides client IPs from RS, allowing firewall rules based on the balancer’s IP and higher security; adding X‑Forwarded‑For can expose the original client IP. Transparent mode preserves client IPs, while triangle mode offers minimal processing on the balancer, suitable for high‑throughput or many‑connection scenarios.