SRX

Hi all,
I'm trying to change the source port allocation method to round‑robin for Source NAT on an SRX300.

I disabled port randomization with:

set security nat source port-randomization disable

set security address-book global address HOST_1 1.1.1.1/32
set security nat source pool POOL_1 address 2.2.2.2/32
set security nat source rule-set TRUST_UNTRUST from zone trust
set security nat source rule-set TRUST_UNTRUST to zone untrust
set security nat source rule-set TRUST_UNTRUST rule SOURCE_NAT_1 match source-address-name HOST_1
set security nat source rule-set TRUST_UNTRUST rule SOURCE_NAT_1 then source-nat pool POOL_1
set security nat proxy-arp interface reth1.0 address 2.2.2.2/32

------------------------------
MAKIKO YAMADA
------------------------------

This may be a silly question but what would a round-robin port allocation look like? If one connection gets port 16001, for example, what port should the next connection get?  Not 16002??

------------------------------
Nikolay Semov
------------------------------

I happen to agree that it might be a round robin type action. I need to read the docs again but If you would like to know if have disabled port randimization and the desired effect is noticeable. It is in fact best. No holds barred.

------------------------------
Adrian Aguinaga
B.S.C.M. I.T.T. Tech
(Construction Management)
A.A.S. I.T.T. Tech
(Drafting & Design)
------------------------------

 

 

 

 

------------------------------
MAKIKO YAMADA
------------------------------

Original Message:
Sent: 01-05-2026 19:01
From: eugene1973
Subject: Source NAT port allocation doesn't switch to round‑robin

I happen to agree that it might be a round robin type action. I need to read the docs again but If you would like to know if have disabled port randimization and the desired effect is noticeable. It is in fact best. No holds barred.

------------------------------
Adrian Aguinaga
B.S.C.M. I.T.T. Tech
(Construction Management)
A.A.S. I.T.T. Tech
(Drafting & Design)
------------------------------

With FTP in particular you may have the FTP Application Layer Gateway involved in calling for a port allocation besides the regular flow, so I suspect the ALG is ignoring the sequential allocation setting.

The same may apply to other traffic handled by the various ALGs.

------------------------------
Nikolay Semov
------------------------------

Original Message:
Sent: 01-07-2026 22:33
From: MAKIKO YAMADA
Subject: Source NAT port allocation doesn't switch to round‑robin

Thanks for the question.

 

What I initially expected as round‑robin behavior was simple sequential

allocation like N, N+1, N+2, and so on.

 

After additional testing, what I see is a bit mixed:

- With FTP traffic, the source ports do not appear to be allocated as

  N, N+1, N+2, …

- For TCP traffic that maintains only a single connection at a time,

  the source ports *do* seem to follow N, N+1, N+2, …

 

Based on this, I suspect that for TCP applications maintaining multiple

simultaneous connections, the port selection behavior is not strictly

sequential and does not behave as I initially expected.

 

Unfortunately, I have not been able to find any documentation that clearly

explains the port allocation algorithm in this case, so I cannot conclude

more beyond these observations.

------------------------------
MAKIKO YAMADA
------------------------------


Original Message:
Sent: 01-05-2026 19:01
From: eugene1973
Subject: Source NAT port allocation doesn't switch to round‑robin

I happen to agree that it might be a round robin type action. I need to read the docs again but If you would like to know if have disabled port randimization and the desired effect is noticeable. It is in fact best. No holds barred.

------------------------------
Adrian Aguinaga
B.S.C.M. I.T.T. Tech
(Construction Management)
A.A.S. I.T.T. Tech
(Drafting & Design)