Hi Florent,
You can do it that way, just take care of your LVS/FW CPU and memory. Using
NAT, the CPU is solicited; if your FW is already solicited you must resize your
LVS/FW hardware.
Personally I prefer to dissociate LVS & FW because of maintenance needs (and
cost, LVS can work efficiently on a small box).
If you plan to use the same box to run LVS & FW, the NAT and port forwarding will
be done on the box directly; it is the simplest design.
If you plan to dissociate LVS and FW you can increase your security level
by implementing port forwarding on the FW box, forwarding the stream to the LVS NAT
VIP. That way the LVS VIP can use an internal IP address (on the FW box, set
port forwarding rules with ipmasqadm).
Best regards,
Alexandre