SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Source NAT port allocation doesn't switch to round‑robin

    Posted 13 days ago

    Hi all,
    I'm trying to change the source port allocation method to round‑robin for Source NAT on an SRX300.

    I disabled port randomization with:

    set security nat source port-randomization disable

    However, the device still doesn't behave like round‑robin; port allocation appears to remain sequential (or at least not round‑robin) across flows.

    Here is the relevant Source NAT configuration:

    set security address-book global address HOST_1 1.1.1.1/32
    set security nat source pool POOL_1 address 2.2.2.2/32
    set security nat source rule-set TRUST_UNTRUST from zone trust
    set security nat source rule-set TRUST_UNTRUST to zone untrust
    set security nat source rule-set TRUST_UNTRUST rule SOURCE_NAT_1 match source-address-name HOST_1
    set security nat source rule-set TRUST_UNTRUST rule SOURCE_NAT_1 then source-nat pool POOL_1
    set security nat proxy-arp interface reth1.0 address 2.2.2.2/32



    ------------------------------
    MAKIKO YAMADA
    ------------------------------


  • 2.  RE: Source NAT port allocation doesn't switch to round‑robin

    Posted 13 days ago

    This may be a silly question but what would a round-robin port allocation look like? If one connection gets port 16001, for example, what port should the next connection get?  Not 16002??



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: Source NAT port allocation doesn't switch to round‑robin

    Posted 13 days ago

    I happen to agree that it might be a round-robin type action. I need to read the docs again, but if you would like to know if you have disabled port randomization and the desired effect is noticeable. It is in fact best. No holds barred.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 4.  RE: Source NAT port allocation doesn't switch to round‑robin

    Posted 9 days ago

    Thanks for the question.

    What I initially expected as round‑robin behavior was simple sequential allocation like N, N+1, N+2, and so on.

    After additional testing, what I see is a bit mixed:
    - With FTP traffic, the source ports do not appear to be allocated as N, N+1, N+2, …
    - For TCP traffic that maintains only a single connection at a time, the source ports *do* seem to follow N, N+1, N+2, …

    Based on this, I suspect that for TCP applications maintaining multiple simultaneous connections, the port selection behavior is not strictly sequential and does not behave as I initially expected.

    Unfortunately, I have not been able to find any documentation that clearly explains the port allocation algorithm in this case, so I cannot conclude more beyond these observations.


    ------------------------------
    MAKIKO YAMADA
    ------------------------------
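One way to make the observation in this post repeatable, as an added example that is not from the thread or from Juniper: a Python script that parses constructed sample lines shaped like SRX structured-syslog RT_FLOW_SESSION_CREATE records (field names assumed from that format), extracts the NAT source port of each new session in log order, and reports whether allocation is sequential and which services the breaks coincide with.

```python
import re

# Constructed sample lines shaped like SRX structured-syslog RT_FLOW_SESSION_CREATE
# records (key="value" fields, names assumed from that format); they are
# illustrative, not captured from a device.
SAMPLE_LOG = """\
RT_FLOW_SESSION_CREATE [source-address="1.1.1.1" source-port="40001" service-name="junos-http" nat-source-address="2.2.2.2" nat-source-port="16001" protocol-id="6"]
RT_FLOW_SESSION_CREATE [source-address="1.1.1.1" source-port="40002" service-name="junos-http" nat-source-address="2.2.2.2" nat-source-port="16002" protocol-id="6"]
RT_FLOW_SESSION_CREATE [source-address="1.1.1.1" source-port="40003" service-name="junos-http" nat-source-address="2.2.2.2" nat-source-port="16003" protocol-id="6"]
RT_FLOW_SESSION_CREATE [source-address="1.1.1.1" source-port="40010" service-name="junos-ftp" nat-source-address="2.2.2.2" nat-source-port="16004" protocol-id="6"]
RT_FLOW_SESSION_CREATE [source-address="1.1.1.1" source-port="40011" service-name="junos-ftp-data" nat-source-address="2.2.2.2" nat-source-port="17120" protocol-id="6"]
RT_FLOW_SESSION_CREATE [source-address="1.1.1.1" source-port="40012" service-name="junos-ftp-data" nat-source-address="2.2.2.2" nat-source-port="16005" protocol-id="6"]
"""

# key="value" pairs; the key class excludes the opening '[' of the structured block
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_sessions(text):
    """Return [(service_name, nat_source_port), ...] for each session-create line, in log order."""
    sessions = []
    for line in text.splitlines():
        if "RT_FLOW_SESSION_CREATE" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        sessions.append((fields.get("service-name", "?"), int(fields["nat-source-port"])))
    return sessions


def classify(ports):
    """'sequential' when every port is the previous one plus 1,
    'partial' when at least half of the steps are +1, else 'non-sequential'."""
    if len(ports) < 2:
        return "insufficient"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    hits = sum(1 for s in steps if s == 1)
    if hits == len(steps):
        return "sequential"
    return "partial" if hits * 2 >= len(steps) else "non-sequential"


def allocation_report(text):
    """Classify the allocation pattern and list the service names of the sessions
    whose NAT source port broke the N, N+1, N+2 sequence (e.g. ALG-created ones)."""
    sessions = parse_sessions(text)
    ports = [p for _, p in sessions]
    steps = [b - a for a, b in zip(ports, ports[1:])]
    breaks = [svc for (svc, _), step in zip(sessions[1:], steps) if step != 1]
    return {"pattern": classify(ports), "breaks_at": breaks}
```

Feed it the session-create lines exported from `show log` (or your syslog collector) in time order; the `breaks_at` list shows which service names the out-of-sequence ports belong to.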



  • 5.  RE: Source NAT port allocation doesn't switch to round‑robin

    Posted 9 days ago

    With FTP in particular you may have the FTP Application Layer Gateway involved in calling for a port allocation besides the regular flow, so I suspect the ALG is ignoring the sequential allocation setting.

    The same may apply to other traffic handled by the various ALGs.



    ------------------------------
    Nikolay Semov
    ------------------------------