NGINX Reverse Proxy on GNS3 VM Not Accessible Externally on Custom Port 60000 #3653

Open
211232637 opened this issue Oct 30, 2024 · 5 comments

@211232637

I’m encountering an issue with my NGINX reverse proxy setup on a GNS3 VM. The proxy works correctly when tested internally within the VM, but attempts to access it externally from my laptop result in a connection failure. I’ve verified that no additional firewalls are active in my topology. Below are the details of my configuration and the troubleshooting steps I’ve performed so far.

Setup Details:

Environment:
• Host Machine: MacBook (macOS)
• Virtualization: GNS3 VM

GNS3 GUI Details:

gns3@gns3vm:~$ apt show gns3-gui
Package: gns3-gui
Version: 2.2.50~focal1
Priority: extra
Section: net
Maintainer: GNS3 team <[email protected]>
Bugs: https://github.com/GNS3/gns3-gui/issues
Installed-Size: 25.0 MB
Depends: python3, python3-pyqt5, python3-pyqt5.qtsvg, python3-pyqt5.qtwebsockets, wireshark, vinagre, libc6 (>= 2.14), libgcc-s1 (>= 4.2)
Recommends: gns3-server
Replaces: gns3 (<< 1.4.0-1)
Download-Size: 5997 kB
APT-Sources: http://ppa.launchpad.net/gns3/ppa/ubuntu focal/main amd64 Packages
Description: GNS3 GUI

NGINX Configuration:

server {
    listen 60000 default_server;
    listen [::]:60000 default_server;

    server_name 10.10.10.111;

    location / {
        proxy_pass http://192.168.122.156:80;
    }
}

Ubuntu Server (Inside GNS3 via NAT 192.168.122.1):
• IP Address: 192.168.122.156
• Service: NGINX serving on port 80

Issue Description:

• Internal Testing (Within GNS3 VM):
• Executing the following curl command successfully returns a 200 OK response:

curl -I http://192.168.122.156:80

Response:

HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Wed, 30 Oct 2024 03:35:39 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Sat, 28 Sep 2024 14:22:47 GMT
Connection: keep-alive
ETag: "66f81137-267"
Accept-Ranges: bytes

• External Testing (From Laptop):
• Attempting to access the proxy using the following curl command fails:

curl -I http://10.10.10.111:60000

Error:

curl: (7) Failed to connect to 10.10.10.111 port 60000 after 23 ms: Couldn't connect to server

Diagnostics Performed:

  1. NGINX Service Status:
sudo service nginx status

Output:

● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-10-01 01:50:58 UTC; 4 weeks 1 days ago
       Docs: man:nginx(8)
     Main PID: 70138 (nginx)
        Tasks: 9 (limit: 38401)
       Memory: 7.4M
       CGroup: /system.slice/nginx.service
               ├─70138 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
               ├─70139 nginx: worker process
               ├─70140 nginx: worker process
               ├─70141 nginx: worker process
               ├─70142 nginx: worker process
               ├─70143 nginx: worker process
               ├─70144 nginx: worker process
               ├─70145 nginx: worker process
               └─70146 nginx: worker process

Warning: journal has been rotated since unit was started, output may be incomplete.

  2. Port Listening:
sudo netstat -nlp | grep :60000

Output:

tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN      70138/nginx: master 
tcp6       0      0 :::60000                :::*                    LISTEN      70138/nginx: master

  3. Port Scanning with Nmap (From VM):
nmap localhost

Output:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-10-30 03:31 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
5000/tcp filtered upnp
5002/tcp filtered rfe
5003/tcp filtered filemaker

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

Note: Port 60000 is not listed as open.

  4. Firewall Status:
    • UFW:
sudo ufw status

Output:

Status: inactive

• iptables:

sudo iptables -L

Output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_INP  all  --  anywhere             anywhere             

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
LIBVIRT_FWX  all  --  anywhere             anywhere            
LIBVIRT_FWI  all  --  anywhere             anywhere            
LIBVIRT_FWO  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             gns3vm               tcp dpt:http state NEW,RELATED,ESTABLISHED
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_OUT  all  --  anywhere             anywhere            
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination         
ACCEPT     all  --  192.168.122.0/24     anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:67

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:68

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         

• Note: There are no active firewall rules blocking port 60000, and ufw is inactive.

Additional Information:

• According to netstat, NGINX is listening on port 60000 for both IPv4 (0.0.0.0:60000) and IPv6 (:::60000).
• However, nmap does not list port 60000 as open when scanned from within the VM.
• There are no other firewalls or security groups active in the current network topology that could be blocking access to port 60000.
• The GNS3 VM network settings are correctly configured to allow external access to the specified port.

Questions:

  1. Why is port 60000 not appearing as open in the nmap scan despite NGINX indicating it’s listening?
  2. What could be preventing external access to the NGINX reverse proxy on port 60000?
  3. Are there any specific GNS3 VM network configurations or host-level settings on macOS that might interfere with accessing custom ports like 60000?
  4. How can I further troubleshoot to identify the root cause of this connectivity issue?

What I’ve Tried:

• Verified that NGINX is running and configured correctly to listen on port 60000.
• Confirmed that ufw is inactive and iptables does not block port 60000.
• Successfully accessed the internal server via curl within the VM.
• Confirmed that the port is listening using netstat.
• Attempted to scan ports with nmap, which did not show port 60000 as open.
• Reviewed the gns3-gui package details to ensure there are no related conflicts or dependencies affecting network configurations.

Looking For:

Advice on potential misconfigurations or overlooked settings that could prevent external access to the NGINX reverse proxy on a custom port within a GNS3 VM environment. Guidance on additional troubleshooting steps or configurations to resolve this connectivity issue would be highly appreciated.

Thank you in advance for your assistance!

@211232637 211232637 added the Bug label Oct 30, 2024
@211232637
Author

gns3@gns3vm:~$ apt show gns3-server
Package: gns3-server
Version: 2.2.50~focal3
Priority: extra
Section: net
Maintainer: GNS3 team <[email protected]>
Bugs: https://github.com/GNS3/gns3-server/issues
Installed-Size: 50.0 MB
Depends: python3, vpcs, ubridge (>= 0.9.14), qemu-system-x86, qemu-kvm, qemu-utils, mtools, cpulimit, libvirt-daemon-system, debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcc-s1 (>= 4.2)
Recommends: dynamips, x11vnc, xvfb
Enhances: gns3-iou
Download-Size: 8780 kB
APT-Sources: http://ppa.launchpad.net/gns3/ppa/ubuntu focal/main amd64 Packages
Description: GNS3 server

@211232637
Author

[Two screenshots attached: "Screenshot 2024-10-30 at 11 23 13" and "Screenshot 2024-10-30 at 11 16 56"]

@grossmj
Member

grossmj commented Nov 23, 2024

GNS3 uses websockets to get events/notifications from the server. Please try the following NGINX Configuration.

server {
    listen 60000 default_server;
    listen [::]:60000 default_server;

    server_name 10.10.10.111;

    location / {
        proxy_pass http://192.168.122.156:80;
        include proxy_params;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

@211232637
Author

Hey, thanks for the answer, but the problem is accessing the gns3vm from outside. Accessing the node from gns3vm has succeeded thanks to your configuration.

Laptop --❌--> gns3vm --✅--> ubuntu node (inside gns3)

I’m still encountering a challenge with accessing the GNS3VM from an external source. Could you please provide guidance or suggest any additional configurations for this?

I've confirmed that there is no issue with the router and firewall.

On my laptop:

bsi-2-2100046@Elbos-MacBook ~ % curl -I http://10.10.10.111
curl: (7) Failed to connect to 10.10.10.111 port 80 after 6 ms: Couldn't connect to server

bsi-2-2100046@Elbos-MacBook ~ % nmap -p 60000 10.10.10.111
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-25 09:16 WIB
Nmap scan report for 10.10.10.111
Host is up (0.051s latency).

PORT      STATE  SERVICE
60000/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

bsi-2-2100046@Elbos-MacBook ~ % telnet 10.10.10.111 60000
Trying 10.10.10.111...
telnet: connect to address 10.10.10.111: Connection refused
telnet: Unable to connect to remote host

bsi-2-2100046@Elbos-MacBook ~ % nmap -p 22 10.10.10.111
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-25 09:17 WIB
Nmap scan report for 10.10.10.111
Host is up (0.031s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

gns3vm:

gns3@gns3vm:~$ netstat -tuln | grep 60000
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN     
tcp6       0      0 :::60000                :::*                    LISTEN     

gns3@gns3vm:~$ nmap -sT -p 1-65535 10.10.10.111
Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-25 02:14 UTC
Nmap scan report for gns3vm (10.10.10.111)
Host is up (0.00022s latency).
Not shown: 65489 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
3080/tcp  open  stm_pproc
5300/tcp  open  hacl-hb
5302/tcp  open  hacl-cfg
5303/tcp  open  hacl-probe
5306/tcp  open  sun-mc-grp
5308/tcp  open  cfengine
5309/tcp  open  jprinter
5310/tcp  open  outlaws
5311/tcp  open  unknown
5312/tcp  open  permabit-cs
5313/tcp  open  rrdp
5314/tcp  open  opalis-rbt-ipc
5315/tcp  open  hacl-poll
5316/tcp  open  hpdevms
5317/tcp  open  hpdevms
5318/tcp  open  pkix-cmc
5319/tcp  open  unknown
5321/tcp  open  bsfsvr-zn-ssl
5322/tcp  open  unknown
5323/tcp  open  unknown
5324/tcp  open  unknown
5325/tcp  open  unknown
5326/tcp  open  unknown
5328/tcp  open  unknown
5329/tcp  open  unknown
5331/tcp  open  unknown
33857/tcp open  unknown
35127/tcp open  unknown
36443/tcp open  m2ap
36783/tcp open  unknown
38349/tcp open  unknown
39127/tcp open  unknown
39565/tcp open  unknown
40407/tcp open  unknown
40449/tcp open  unknown
41175/tcp open  unknown
42793/tcp open  unknown
43637/tcp open  unknown
43933/tcp open  unknown
44571/tcp open  unknown
44877/tcp open  unknown
45379/tcp open  unknown
45457/tcp open  unknown
46007/tcp open  unknown
60000/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 3.66 seconds

gns3@gns3vm:~$ curl -I http://192.168.122.156:80
HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 25 Nov 2024 02:20:13 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Sat, 28 Sep 2024 14:22:47 GMT
Connection: keep-alive
ETag: "66f81137-267"
Accept-Ranges: bytes
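
The laptop-side checks in the comment above (nmap reporting 60000/tcp closed while 22/tcp is open on the same address) can be repeated from any vantage point with a small connect probe. This is an added example, not part of the original thread or of GNS3; the names `probe`, `compare` and `demo` are hypothetical, and `demo` uses a constructed loopback listener so it runs offline.

```python
import errno
import socket

def probe(host, port, timeout=2.0):
    """One TCP connect attempt, reported in nmap's vocabulary."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except socket.timeout:
            return "filtered"
    if rc == 0:
        return "open"      # SYN/ACK: a listener answered
    if rc == errno.ECONNREFUSED:
        return "closed"    # RST or port-unreachable reject: no listener reached
    return "filtered"      # timeout or other error: dropped or unroutable

def compare(host, target_port, control_port, timeout=2.0):
    """Probe the target and a known-good control port from the same vantage point."""
    target = probe(host, target_port, timeout)
    control = probe(host, control_port, timeout)
    if target == "open":
        verdict = "target reachable from here"
    elif control != "open":
        verdict = "control port fails too: path or host problem, not port-specific"
    elif target == "closed":
        verdict = "host answers, target port actively refused on this path"
    else:
        verdict = "host answers, target port silently dropped on this path"
    return {"target": target, "control": control, "verdict": verdict}

def demo():
    """Constructed loopback setup: one listener (control), one unused port (target)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    control_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    target_port = spare.getsockname()[1]
    spare.close()          # nothing listens on target_port any more
    try:
        return compare("127.0.0.1", target_port, control_port)
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo())
```

Running `compare("10.10.10.111", 60000, 22)` on both the laptop and the VM gives directly comparable results; a port that is open from one vantage point and closed from the other points at the path or interface between them rather than at the NGINX listener.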

@grossmj
Member

grossmj commented Nov 28, 2024

Does your GNS3 VM have 2 network adapters, one host-only and one NAT?
