GNS3 / gns3-gui

GNS3 Graphical Network Simulator
http://www.gns3.com
GNU General Public License v3.0

NGINX Reverse Proxy on GNS3 VM Not Accessible Externally on Custom Port 60000 #3653

Open 211232637 opened 3 weeks ago

211232637 commented 3 weeks ago

I’m encountering an issue with my NGINX reverse proxy setup on a GNS3 VM. The proxy works correctly when tested internally within the VM, but attempts to access it externally from my laptop result in a connection failure. I’ve verified that no additional firewalls are active in my topology. Below are the details of my configuration and the troubleshooting steps I’ve performed so far.

Setup Details:

Environment:
• Host Machine: MacBook (macOS)
• Virtualization: GNS3 VM

GNS3 GUI Details:

gns3@gns3vm:~$ apt show gns3-gui
Package: gns3-gui
Version: 2.2.50~focal1
Priority: extra
Section: net
Maintainer: GNS3 team <developers@gns3.net>
Bugs: https://github.com/GNS3/gns3-gui/issues
Installed-Size: 25.0 MB
Depends: python3, python3-pyqt5, python3-pyqt5.qtsvg, python3-pyqt5.qtwebsockets, wireshark, vinagre, libc6 (>= 2.14), libgcc-s1 (>= 4.2)
Recommends: gns3-server
Replaces: gns3 (<< 1.4.0-1)
Download-Size: 5997 kB
APT-Sources: http://ppa.launchpad.net/gns3/ppa/ubuntu focal/main amd64 Packages
Description: GNS3 GUI

NGINX Configuration:

server {
    listen 60000 default_server;
    listen [::]:60000 default_server;

    server_name 10.10.10.111;

    location / {
        proxy_pass http://192.168.122.156:80;
    }
}

Ubuntu Server (inside GNS3 via NAT 192.168.122.1):
• IP Address: 192.168.122.156
• Service: NGINX serving on port 80

Issue Description:

• Internal Testing (within GNS3 VM): executing the following curl command successfully returns a 200 OK response:

curl -I http://192.168.122.156:80

Response:

HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Wed, 30 Oct 2024 03:35:39 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Sat, 28 Sep 2024 14:22:47 GMT
Connection: keep-alive
ETag: "66f81137-267"
Accept-Ranges: bytes

• External Testing (from laptop): attempting to access the proxy using the following curl command fails:

curl -I http://10.10.10.111:60000

Error:

curl: (7) Failed to connect to 10.10.10.111 port 60000 after 23 ms: Couldn't connect to server

Diagnostics Performed:

  1. NGINX Service Status:
sudo service nginx status

Output:

● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-10-01 01:50:58 UTC; 4 weeks 1 days ago
       Docs: man:nginx(8)
     Main PID: 70138 (nginx)
        Tasks: 9 (limit: 38401)
       Memory: 7.4M
       CGroup: /system.slice/nginx.service
               ├─70138 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
               ├─70139 nginx: worker process
               ├─70140 nginx: worker process
               ├─70141 nginx: worker process
               ├─70142 nginx: worker process
               ├─70143 nginx: worker process
               ├─70144 nginx: worker process
               ├─70145 nginx: worker process
               └─70146 nginx: worker process

Warning: journal has been rotated since unit was started, output may be incomplete.
  2. Port Listening:
sudo netstat -nlp | grep :60000

Output:

tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN      70138/nginx: master 
tcp6       0      0 :::60000                :::*                    LISTEN      70138/nginx: master
  3. Port Scanning with Nmap (From VM):
nmap localhost

Output:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-10-30 03:31 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
5000/tcp filtered upnp
5002/tcp filtered rfe
5003/tcp filtered filemaker

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

Note: Port 60000 is not listed as open.

  4. Firewall Status:
• UFW:
sudo ufw status

Output:

Status: inactive

• iptables:

sudo iptables -L

Output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_INP  all  --  anywhere             anywhere             

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
LIBVIRT_FWX  all  --  anywhere             anywhere            
LIBVIRT_FWI  all  --  anywhere             anywhere            
LIBVIRT_FWO  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             gns3vm               tcp dpt:http state NEW,RELATED,ESTABLISHED
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_OUT  all  --  anywhere             anywhere            
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination         
ACCEPT     all  --  192.168.122.0/24     anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:67

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:68

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         

• Note: There are no active firewall rules blocking port 60000, and ufw is inactive.

Additional Information:

• According to netstat, NGINX is listening on port 60000 for both IPv4 (0.0.0.0:60000) and IPv6 (:::60000).
• However, nmap does not list port 60000 as open when scanned from within the VM.
• There are no other firewalls or security groups active in the current network topology that could be blocking access to port 60000.
• The GNS3 VM network settings are correctly configured to allow external access to the specified port.

Questions:

  1. Why is port 60000 not appearing as open in the nmap scan despite NGINX indicating it’s listening?
  2. What could be preventing external access to the NGINX reverse proxy on port 60000?
  3. Are there any specific GNS3 VM network configurations or host-level settings on macOS that might interfere with accessing custom ports like 60000?
  4. How can I further troubleshoot to identify the root cause of this connectivity issue?

What I’ve Tried:

• Verified that NGINX is running and configured correctly to listen on port 60000.
• Confirmed that ufw is inactive and iptables does not block port 60000.
• Successfully accessed the internal server via curl within the VM.
• Confirmed that the port is listening using netstat.
• Attempted to scan ports with nmap, which did not show port 60000 as open.
• Reviewed the gns3-gui package details to ensure there are no related conflicts or dependencies affecting network configurations.

Looking For:

Advice on potential misconfigurations or overlooked settings that could prevent external access to the NGINX reverse proxy on a custom port within a GNS3 VM environment. Guidance on additional troubleshooting steps or configurations to resolve this connectivity issue would be highly appreciated.

Thank you in advance for your assistance!
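The three manual checks in the post (is the socket bound to an address a remote client can reach, what does a TCP connect from outside actually get back, and is the scanner even looking at the port) gathered into one script. This is an added example, not code from the issue or from GNS3; the listener lines it parses are constructed from the netstat output above, with one loopback-only listener added for contrast, and the target 10.10.10.111:60000 is the one the post describes. One fact the post does not mention: `nmap localhost` with no `-p` scans only nmap's default set of the 1000 most common TCP ports, and 60000 is not in that set, so that scan says nothing about whether 60000 is open. The script probes the port directly instead.

```python
"""Triage a listener that answers locally but not from a remote client.

Added example (not GNS3 or nginx code). Three checks the post runs by hand:
 1. is the socket bound to an address a remote client can reach,
 2. what happens to a TCP SYN sent to host:port from where the client sits,
 3. a direct probe of the port, since `nmap localhost` with no -p only scans
    nmap's default top-1000 TCP ports and 60000 is not among them.
"""
import errno
import re
import socket

# Constructed sample, copied in shape from the `netstat -nlp` output in the post,
# with one loopback-only listener added to show the contrast.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN      70138/nginx: master
tcp6       0      0 :::60000                :::*                    LISTEN      70138/nginx: master
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      4242/python3
"""

LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def parse_listeners(netstat_output: str) -> list[tuple[str, str, int]]:
    """Return (proto, bind_address, port) for each LISTEN line of netstat -nl output."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found


def externally_bound(listeners, port: int) -> bool:
    """True if a listener on `port` is bound to a wildcard or non-loopback address.

    A service bound only to 127.0.0.1 / ::1 answers a local curl and still shows
    LISTEN in netstat, but no remote client can ever reach it.
    """
    for _proto, addr, p in listeners:
        if p != port:
            continue
        if addr in ("0.0.0.0", "::", "*"):
            return True
        if not addr.startswith("127.") and addr != "::1":
            return True
    return False


def classify_connect(host: str, port: int, timeout: float = 3.0) -> str:
    """Send one TCP SYN and report what came back.

    'open'        handshake completed: path and listener are fine, so what is
                  left to debug is the application layer
    'refused'     RST (or ICMP port-unreachable): nothing bound on that address,
                  or an iptables REJECT rule such as the LIBVIRT_FWI/FWO ones
    'unreachable' ICMP host/net unreachable: routing, not the service
    'timeout'     silence: a DROP rule, a black-holed route, or the wrong address
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def probe_ports(host: str, ports: list[int]) -> dict[int, str]:
    """Direct probe of specific ports (what `nmap -p 22,80,60000 host` would do)."""
    return {p: classify_connect(host, p) for p in ports}


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_NETSTAT)
    print("60000 bound for remote clients:", externally_bound(listeners, 60000))
    print("5000 bound for remote clients: ", externally_bound(listeners, 5000))
    # Target from the post; run this from the laptop, not inside the VM.
    print(probe_ports("10.10.10.111", [22, 80, 60000]))
```

Run it from the laptop, not from inside the VM, so the SYN takes the same path the failing curl did. The distinction between 'refused' and 'timeout' is the useful one: a curl that fails within a few tens of milliseconds, as in the post, means something sent a RST or an ICMP unreachable back, whereas a silent DROP would make the connect wait for the full timeout.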

211232637 commented 3 weeks ago
gns3@gns3vm:~$ apt show gns3-server
Package: gns3-server
Version: 2.2.50~focal3
Priority: extra
Section: net
Maintainer: GNS3 team <developers@gns3.net>
Bugs: https://github.com/GNS3/gns3-server/issues
Installed-Size: 50.0 MB
Depends: python3, vpcs, ubridge (>= 0.9.14), qemu-system-x86, qemu-kvm, qemu-utils, mtools, cpulimit, libvirt-daemon-system, debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcc-s1 (>= 4.2)
Recommends: dynamips, x11vnc, xvfb
Enhances: gns3-iou
Download-Size: 8780 kB
APT-Sources: http://ppa.launchpad.net/gns3/ppa/ubuntu focal/main amd64 Packages
Description: GNS3 server
211232637 commented 3 weeks ago
[Two screenshots attached: 2024-10-30 11:23:13 and 2024-10-30 11:16:56]
grossmj commented 15 hours ago

GNS3 uses websockets to get events/notifications from the server. Please try the following NGINX Configuration.

server {
    listen 60000 default_server;
    listen [::]:60000 default_server;

    server_name 10.10.10.111;

    location / {
        proxy_pass http://192.168.122.156:80;
        # /etc/nginx/proxy_params ships with the Debian/Ubuntu package and sets
        # Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto for the backend
        include proxy_params;

        # nginx proxies with HTTP/1.0 and drops hop-by-hop headers by default;
        # a WebSocket upgrade needs HTTP/1.1 plus Upgrade/Connection passed through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
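A way to see the failure mode described in the comment above on the wire, as an added example that is not code from the issue, from GNS3 or from nginx. GNS3 needs a WebSocket to the server for notifications; a proxy that talks HTTP/1.0 upstream or strips the hop-by-hop Upgrade and Connection headers answers the client's upgrade request with an ordinary HTTP status instead of 101 Switching Protocols, so the GUI can look connected while never receiving events. The script performs the RFC 6455 opening handshake by hand and validates the reply, including the Sec-WebSocket-Accept derivation. The two sample replies are constructed; the endpoint path /v2/notifications/ws is an assumption about the GNS3 2.2 server API, so substitute whatever path your client actually requests.

```python
"""Check that a reverse proxy passes a WebSocket upgrade through to the backend.

Added example, not GNS3 or nginx code. Performs the RFC 6455 opening handshake
by hand so a proxy that downgrades to HTTP/1.0 or strips the hop-by-hop
Upgrade/Connection headers shows up as a non-101 reply instead of a GUI that
looks connected but never receives server events.
"""
import base64
import hashlib
import os
import socket

# Fixed GUID from RFC 6455 section 1.3; the server appends it to our key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumed notification endpoint of the GNS3 2.2 server API; adjust to the path
# your client requests (the nginx access log shows the GET the GUI makes).
GNS3_NOTIFICATIONS_PATH = "/v2/notifications/ws"

# Constructed replies. The first is what a correctly proxied upgrade returns for
# the RFC 6455 example key; the second is what a proxy without the Upgrade
# headers gives back: the backend simply served a page to a plain GET.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_101 = (b"HTTP/1.1 101 Switching Protocols\r\n"
              b"Upgrade: websocket\r\n"
              b"Connection: Upgrade\r\n"
              b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_200 = (b"HTTP/1.1 200 OK\r\n"
              b"Server: nginx/1.24.0 (Ubuntu)\r\n"
              b"Content-Type: text/html\r\n"
              b"Content-Length: 615\r\n\r\n<html>...")


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host: str, port: int, path: str, key: str) -> bytes:
    """Client side of the opening handshake: an HTTP/1.1 GET carrying Upgrade."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode("ascii")


def check_handshake_response(raw: bytes, key: str) -> tuple[bool, str]:
    """Validate the server's reply to build_handshake(); returns (ok, reason)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0] if lines else ""
    parts = status.split(" ", 2)
    if len(parts) < 2 or parts[1] != "101":
        return False, f"expected 101 Switching Protocols, got {status!r}"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "101 reply lacks 'Upgrade: websocket'"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "101 reply lacks 'Connection: Upgrade'"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept does not match our Sec-WebSocket-Key"
    return True, "WebSocket upgrade completed end to end"


def probe(host: str, port: int, path: str = GNS3_NOTIFICATIONS_PATH,
          timeout: float = 5.0) -> tuple[bool, str]:
    """Run the handshake against a live proxy and report the verdict."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake(host, port, path, key))
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return check_handshake_response(raw, key)


if __name__ == "__main__":
    print("proxied correctly:", check_handshake_response(SAMPLE_101, SAMPLE_KEY))
    print("upgrade stripped: ", check_handshake_response(SAMPLE_200, SAMPLE_KEY))
    # Live check against the proxy from the post; run from the laptop.
    print(probe("10.10.10.111", 60000))
```

Run the probe once against the backend directly and once through the proxy: if the backend returns 101 and the proxy does not, the proxy is the component stripping the upgrade, which is exactly what the three `proxy_http_version` / `proxy_set_header` lines fix.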