MetaCubeX / mihomo

https://wiki.metacubex.one
MIT License
17.06k stars 2.69k forks

[Bug] IPv6 traffic goes through a proxy that does not support IPv6, even when the proxy is configured with ip-version: ipv4 #1326

Closed leeaash closed 5 months ago

leeaash commented 5 months ago

Verify steps

Operating System

Linux

System Version

Linux OpenWrt 5.15.137

Mihomo Version

Mihomo Meta alpha-d96d765 linux amd64 with go1.22.4 Thu Jun 13 01:07:28 UTC 2024 Use tags: with_gvisor

Configuration File

p: &p
  type: http
  interval: 86400
  health-check:
    enable: true
    url: http://www.gstatic.com/generate_204
    interval: 300

pr: &pr
  type: select
  proxies: [US, WARP, EDVLESS, DIRECT]

mixed-port: 4088
redir-port: 4018
#tproxy-port: 4488
allow-lan: true
find-process-mode: off
mode: rule
log-level: silent
external-controller: '0.0.0.0:6170'
secret: ''
geodata-mode: true
ipv6: true
profile:
  store-selected: true
  store-fake-ip: true

sniffer:
  enable: true
  override-destination: false
  sniff:
    TLS:
      ports: [443, 8443]
    HTTP:
      ports: [80, 8080-8880]
      #override-destination: true
    QUIC:
      ports: [443, 8443]
  skip-domain:
    - 'Mijia Cloud'
dns:
  enable: true
  ipv6: false
  listen: '0.0.0.0:3553'
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:
     - '*.lan'
     - localhost.ptlogin2.qq.com
     - test
     - '+.plex.direct'
     - '+.io.mi.com'
  default-nameserver:
    - 114.114.114.114 
  nameserver:
    - https://dns.alidns.com/dns-query#h3=true
  nameserver-policy:
   "geosite:geolocation-!cn":
     - "https://dns.cloudflare.com/dns-query#PROXY"
     - "https://dns.google/dns-query#PROXY"

tun:
  enable: true
  stack: mixed
  dns-hijack:
    #- any:53
    - 114.114.114.114:53
    - 8.8.8.8:53
    - 8.8.4.4:53
    - 52.80.53.83:53
    - 202.101.172.37:53
    - 202.101.173.157:53
  auto-route: true
  auto-detect-interface: true
  device: utun

proxy-providers:
  warp:
    type: file
    path: ./proxy-providers/warp.yaml
    <<: *p

  myus:
    type: file
    path: ./proxy-providers/us.yaml
    <<: *p

  vless:
    type: http
    path: ./proxy-providers/vless
    url: "https:///"
    interval: 3600
    <<: *p
    header:
      User-Agent:
      - "Chrome/125.0.0.0"

proxy-groups:
  -
    name: HOME
    type: select
    interface-name: br-lan
    proxies:
      - DIRECT
  -
    name: WARP
    type: select
    use:
      - warp

  -
    name: US
    type: fallback
    use:
      - myus
    url: https://www.gstatic.com/generate_204
    interval: 60
    lazy: true

  -
    name: EDVLESS
    type: load-balance
    strategy: round-robin
    use:
      - vless
    url: https://www.gstatic.com/generate_204
    interval: 300
    lazy: true
    filter: "CT"

  -
    name: NZBD
    type: select
    use:
      - myus

  -
    name: PROXY
    <<: *pr

  -
    name: SABNZBD
    type: select
    proxies: [NZBD, PROXY, DIRECT]

  -
    name: Stream Services
    <<: *pr

  -
    name: GO2US
    <<: *pr

  -
    name: GO2WARP
    <<: *pr
  -
    name: QUIC
    type: select
    proxies: [US, PROXY, REJECT, DIRECT]

  -
    name: 'Special Custom'
    <<: *pr

  -
    name: Domestic
    type: select
    proxies: [DIRECT, PROXY]

  -
    name: 'Apple Services'
    type: select
    proxies: [DIRECT, Domestic, PROXY]

  -
    name: ADGUARD
    type: fallback
    <<: *pr
  -
    name: 'AD Block'
    type: select
    proxies: [REJECT, DIRECT, PROXY]

rule-providers:
  Apple Services Domains:
    type: file
    behavior: domain
    path: ./Ruleset/clash_apple_services_domains
  Reject IPs:
    type: file
    behavior: ipcidr
    path: ./Ruleset/clash_reject_ips
  Special Custom:
    type: file
    behavior: domain
    path: './Ruleset/clash_special_custom'
  Go2US:
    type: file
    behavior: domain
    path: './Ruleset/clash_go2us_domains'
  Go2WARP:
    type: file
    behavior: domain
    path: './Ruleset/clash_go2warp_domains'
  Wechat:
    type: file
    behavior: ipcidr
    path: './Ruleset/clash_wechat_ips'
  SABnzbd:
    type: file
    behavior: domain
    path: './Ruleset/clash_sabnzbd_domains'

rules:
  - 'RULE-SET,Go2US,GO2US'
  - 'GEOSITE,openai,GO2WARP'
  - 'RULE-SET,Special Custom,Special Custom'
  - 'GEOSITE,category-ads-all,AD Block'
  - 'GEOSITE,adguard,ADGUARD'
  - 'GEOSITE,apple@cn,Apple Services'
  - 'GEOSITE,apple-cn,Apple Services'
  - 'RULE-SET,Apple Services Domains,Apple Services'
  - 'GEOSITE,microsoft@cn,Domestic'
  - 'GEOSITE,steam@cn,Domestic'
  - 'GEOSITE,youtube,Stream Services'
  - 'GEOSITE,geolocation-!cn,PROXY'
  - 'GEOSITE,cn,Domestic'
  - 'RULE-SET,Reject IPs,AD Block,no-resolve'
  - 'GEOIP,telegram,PROXY,no-resolve'
  - 'GEOIP,netflix,PROXY,no-resolve'
  - 'GEOIP,private,HOME'
  - 'GEOIP,CN,Domestic'
  - 'IP-ASN,132203,Domestic'
  - 'IP-ASN,45090,Domestic'
  - 'MATCH,PROXY'

Description

With ipv6 enabled globally, IPv6 traffic goes through a proxy that does not support IPv6, even though the proxy is configured with ip-version: ipv4. It seems to also have something to do with mobile apps; the problem can be seen when accessing Facebook and Instagram.

Reproduction Steps

So far it is easiest to reproduce with Facebook-family apps.

Logs

[TCP] [fd7a:115c:a1e0::2]:37068 --> [2a03:2880:f11c:8183:face:b00c:0:25de]:443 match GeoSite(geolocation-!cn) using PROXY[usca6]
leeaash commented 5 months ago

The ip-version: ipv4 set on the proxy seems to only affect the connection between mihomo and the node server, not the connection between the node and the target website.

If ip-version does not apply here, what other configuration option or method is there? This is frustrating.

leeaash commented 5 months ago

> I have been thinking about this problem too, but I only need to pick a v6-capable node when visiting IPv6-only sites. When visiting dual-stack sites I have not noticed any obvious impact.
>
> But when you access fb, DNS resolution seems to have been initiated locally, which suggests your rule configuration may have a problem. In fake-ip mode, resolution is done by the node server; if the node does not support v6, it will not try to reach v6 at all.
>
> You need to check whether, among RULE-SET,Apple Services, RULE-SET,Special Custom and RULE-SET,Go2US, there is an IP rule without no-resolve. That would cause the fb you access to be resolved locally, yielding a v6 address the node cannot reach.

Thanks for the answer. I checked again: none of the above has a no-resolve configuration, and all payloads are domains.

xishang0128 commented 5 months ago

ip-version only controls the outbound of traffic generated by the core itself; the traffic handed to the node cannot be controlled. If you need to split IPv6 traffic, use a rule that matches all of IPv6, for example ip-cidr,::/0,proxy

leeaash commented 5 months ago

> I just noticed:
>
> dns:
>   enable: true
>   ipv6: false
>
> As I understand it, with this, sites like fb will not be resolved to IPv6 locally.
>
> There is another possibility: the device's IPv6 DNS is not set up correctly.
>
> For example, if you use a side router (旁路由, a secondary gateway), the IPv4 DNS of the devices behind it correctly points to the side router, but their IPv6 DNS points to the main router. If that cannot be changed by hand, you will need to follow a guide and use DHCP to assign the devices' IPv6 DNS.
>
> In short, I feel the problem is still related to DNS resolution.

There is no side router; mihomo runs on the main router, and the main router is also configured not to resolve AAAA records. I suspect the client fetched AAAA records over its public IPv6 address, but I have not found direct evidence yet.

leeaash commented 5 months ago

> ip-version only controls the outbound of traffic generated by the core itself; the traffic handed to the node cannot be controlled. If you need to split IPv6 traffic, use a rule that matches all of IPv6, for example ip-cidr,::/0,proxy

I do not want to split it; without an IPv6 proxy egress there is nothing to split it to anyway.

xishang0128 commented 5 months ago

@leeaash Then split off the ones that have v4 first, and send the rest direct.

leeaash commented 5 months ago

> @leeaash Then split off the ones that have v4 first, and send the rest direct.

fb's IPv6 is blocked too, isn't it?

xishang0128 commented 5 months ago

@leeaash Once a dual-stack domain matches, it is split off right there; it will not fall through to the v6 rules further down.

leeaash commented 5 months ago

> @leeaash Once a dual-stack domain matches, it is split off right there; it will not fall through to the v6 rules further down.

With the sniffer enabled, IPv6 addresses get matched to domain names and preferentially take the domain rules; it seems the access is not being initiated via fake-ip.

xishang0128 commented 5 months ago

@leeaash Use a sub-rule: route the ones that have IPv4 into the sub-rule, then split again there. Or simply do not split at all; if it cannot be reached, it cannot be reached. This is not a bug.
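One way to write out xishang0128's two suggestions (match all of IPv6 with ip-cidr,::/0, and use a sub-rule so the foreign-domain bucket is split again by address family) against the configuration posted above. This is an added example written for this page, not code from the thread participants or from the mihomo project; the sub-rule name FOREIGN is made up, the sub-rules: key and the SUB-RULE,(rule),name syntax are assumed to follow the mihomo wiki, and the group names PROXY and Domestic are taken from the posted config.

```yaml
# Added example (not from the issue or the project): split geolocation-!cn
# traffic by address family.
#
# Why: the log line in the report shows a connection to a literal IPv6
# address ([2a03:2880:...]:443) that matched GEOSITE,geolocation-!cn via the
# sniffed domain and was handed to an IPv4-only node. ip-version on the
# proxy only affects the mihomo-to-node leg, so the node still receives the
# v6 target it cannot reach.

sub-rules:
  # Hypothetical sub-rule name; any name not already used by a proxy group.
  FOREIGN:
    # Literal IPv6 destinations: none of the posted nodes has an IPv6
    # egress, so send them DIRECT. no-resolve keeps mihomo from resolving
    # domain-based connections locally just to evaluate this IP rule
    # (fake-ip addresses are IPv4, so they never match ::/0 and fall
    # through to the next line).
    - IP-CIDR,::/0,DIRECT,no-resolve
    # Everything else (fake-ip / IPv4 / domain) keeps the original behaviour.
    - MATCH,PROXY

rules:
  # ... the RULE-SET / GEOSITE lines above this point in the posted config
  #     stay unchanged ...
  # Was: GEOSITE,geolocation-!cn,PROXY  -> now enters the sub-rule instead.
  - SUB-RULE,(GEOSITE,geolocation-!cn),FOREIGN
  - GEOSITE,cn,Domestic
  # ... the remaining IP rules from the posted config stay unchanged ...
  - MATCH,PROXY
```

The coarser alternative from the first reply is a single IP-CIDR,::/0,DIRECT,no-resolve placed ahead of the domain rules, which sends every IPv6 connection direct regardless of domain; the sub-rule variant limits that to the foreign-domain bucket, so IPv6 traffic to domestic or private destinations still follows the existing rules. In either case the check is the same log pattern as in the report: a destination that is a bracketed IPv6 literal whose outbound is a proxy node. Once the rule is in place such lines should show DIRECT instead.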