vSZ behind router, add 2nd node to cluster

Completely agree with Harald,

It's a really  bad idea, cluster doesn't work over Internet links. Don't even try! Even if you will be able to install it, you are guaranteed to have problems later, as Internet isn't stable enough.

This can be done only if you have 2 locations, which are not actually that remote, but say in the same city and connected by direct fiber link, preferred -- L2. Than cluster will work normally, same way, as when all nodes are located in one server room.

Hope it helps.

Thanks for your input guys. 

Suppose we meet the conditions described above, and both nodes are behind NAT routers, what port(s) should be forwarded for the cluster interfaces to connect?

Build a vpn between both networks, that would be the easiest way.

The exact ports are in the vsz documentation.

I'm not sure clustering is supported behind nat. I'd be very surprised if it works at all. As others mentioned, a vpn is your best bet as I don't think the clustering interfaces are nat aware -as opposed to the main AP-facing nic. 

In SZ 5.2 a 1-to-1 NAT is supported and it can be configured under the cluster config.