Hello, thanks for the reply. I sorta like the IPv6 idea. But, let me explain a bit further:
- Cisco routers/NAT do not randomize source ports by default.
- pfSense does randomize by default, but you can disable it - which we have.
Source port randomization is... 1.1.1.1 tcp 55555 to 2.2.2.2 tcp 443 when NAT'd becomes 1.1.1.1 tcp 31673* to 2.2.2.2 tcp 443. * is the randomized source port.
I know in theory non-random ports are more vulnerable to certain attack vectors, but in practice - it's not even in my top 10 list of worries.
I opened a case with Meraki support. We'll see...