MetaCubeX / mihomo

A simple Python Pydantic model for Honkai: Star Rail parsed data from the Mihomo API.
https://wiki.metacubex.one
MIT License
15.77k stars 2.57k forks

Large number of connections on the router when LAN devices have proxy software enabled, causing high load and slow network response #473

Open ricky9w opened 1 year ago

ricky9w commented 1 year ago

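Problem description

[Environment] OpenClash running on an OpenWrt router with the Meta core; phones, tablets and other devices use proxy clients such as CFA and ClashX with the Clash Premium core

[Scenario] In some cases, after getting home, the proxy software on the phone/tablet/laptop is left on. If I then browse normally on the device, the soft router sees a large number of connections, system load rises from the usual 0.8 or so to 7~8 (quad-core processor), and the network becomes very slow or even unusable. Checking the Clash log at that point shows a large number of connection requests from devices on the LAN

Logs

When a LAN device goes online with its proxy software enabled, OpenClash produces a large number of connections of two types:

Previously, when using the Clash Premium core in OpenClash, this did not seem to happen (or it did happen, but not to the point of affecting usability)

Help wanted

  1. What causes this? Is it, as guessed above, that the large number of DNS requests and connection requests to proxy nodes generated by the proxy software on the LAN cause the problem? If that is not the reason, what could it be?
  2. How can this problem be solved or improved?

Running configuration

OpenClash running configuration: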

---
redir-port: 7892
tproxy-port: 7895
port: 7890
socks-port: 7891
mixed-port: 7893
mode: rule
allow-lan: true
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
ipv6: true
interface-name: pppoe-wan
dns:
  enable: true
  ipv6: true
  enhanced-mode: redir-host
  listen: 0.0.0.0:7874
  nameserver:
  - 223.5.5.5
  - https://doh.pub/dns-query
  fallback:
  - https://dns.cloudflare.com/dns-query#Proxy
  - tls://dns.google:853#Proxy
  - tls://dot.tiar.app#Proxy
  fallback-filter:
    geoip: true
    geoip-code: CN
    geosite:
    - gfw
    ipcidr:
    - 0.0.0.0/8
    - 10.0.0.0/8
    - 100.64.0.0/10
    - 127.0.0.0/8
    - 169.254.0.0/16
    - 172.16.0.0/12
    - 192.0.0.0/24
    - 192.0.2.0/24
    - 192.88.99.0/24
    - 192.168.0.0/16
    - 198.18.0.0/15
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 224.0.0.0/4
    - 240.0.0.0/4
    - 255.255.255.255/32
    domain:
    - "+.google.com"
    - "+.facebook.com"
    - "+.youtube.com"
    - "+.githubusercontent.com"
    - "+.googlevideo.com"
    - "+.msftconnecttest.com"
    - "+.msftncsi.com"

sniffer:
  enable: true
  force-dns-mapping: true
  parse-pure-ip: true
  force-domain:
  - "+"
  - "+.google.com"
  - "+.youtube.com"
  - twitter.com
  - "+.pornhub.com"
  - "+.netflix.com"
  - "+.nflxvideo.net"
  - "+.amazonaws.com"
  - "+.media.dssott.com"
  skip-domain:
  - "+.apple.com"
  - Mijia Cloud
  - dlg.io.mi.com
  sniff:
    TLS:
    HTTP:
      ports:
      - 80
      - 8080-8880
      override-destination: true

tun:
  enable: true
  stack: system
  device: utun
  auto-route: false
  auto-detect-interface: false
  dns-hijack:
  - tcp://any:53
profile:
  store-selected: true

rule-providers:
  # rule-providers from lhie1, generated by openclash
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- RULE-SET,Reject,AdBlock
- RULE-SET,Special,DIRECT
- RULE-SET,Netflix,Netflix
- RULE-SET,Spotify,Spotify
- RULE-SET,YouTube,Youtube
- RULE-SET,Disney Plus,Disney
- RULE-SET,Bilibili,Bilibili
- RULE-SET,IQ,Asian TV
- RULE-SET,IQIYI,Asian TV
- RULE-SET,Letv,Asian TV
- RULE-SET,Netease Music,Asian TV
- RULE-SET,Tencent Video,Asian TV
- RULE-SET,Youku,Asian TV
- RULE-SET,WeTV,Asian TV
- RULE-SET,ABC,Global TV
- RULE-SET,Abema TV,Global TV
- RULE-SET,Amazon,Global TV
- RULE-SET,Bahamut,Bahamut
- RULE-SET,BBC iPlayer,Global TV
- RULE-SET,DAZN,DAZN
- RULE-SET,Discovery Plus,Discovery Plus
- RULE-SET,encoreTVB,Global TV
- RULE-SET,F1 TV,Global TV
- RULE-SET,Fox Now,Global TV
- RULE-SET,Fox+,Global TV
- RULE-SET,HBO Go,HBO Go
- RULE-SET,HBO Max,HBO Max
- RULE-SET,Hulu Japan,Global TV
- RULE-SET,Hulu,Global TV
- RULE-SET,Japonx,Global TV
- RULE-SET,JOOX,Global TV
- RULE-SET,KKBOX,Global TV
- RULE-SET,KKTV,Global TV
- RULE-SET,Line TV,Global TV
- RULE-SET,myTV SUPER,Global TV
- RULE-SET,Niconico,Global TV
- RULE-SET,Pandora,Global TV
- RULE-SET,PBS,Global TV
- RULE-SET,Pornhub,Pornhub
- RULE-SET,Soundcloud,Global TV
- RULE-SET,ViuTV,Global TV
- RULE-SET,Telegram,Telegram
- RULE-SET,Crypto,Crypto
- RULE-SET,Discord,Discord
- RULE-SET,Steam,Steam
- RULE-SET,Speedtest,Speedtest
- RULE-SET,PayPal,PayPal
- RULE-SET,Microsoft,Microsoft
- RULE-SET,ChatGPT,ChatGPT
- RULE-SET,Apple Music,Apple TV
- RULE-SET,Apple News,Apple TV
- RULE-SET,Apple TV,Apple TV
- RULE-SET,Apple,Apple
- RULE-SET,Google FCM,Google FCM
- RULE-SET,Scholar,Scholar
- RULE-SET,PROXY,Proxy
- RULE-SET,Domestic,Domestic
- RULE-SET,Domestic IPs,Domestic
- RULE-SET,LAN,DIRECT
- GEOIP,CN,Domestic
- MATCH,Others

proxy-providers:
  # providers
proxy-groups:
- name: Auto - UrlTest
  type: url-test
  use:
  - Proxy-provider-1
  - Proxy-provider-2
  - Proxy-provider-3
  url: http://cp.cloudflare.com/generate_204
  interval: '600'
  tolerance: '150'
- name: Proxy
  type: select
  proxies:
  - Auto - UrlTest
  - DIRECT
  use:
  - Proxy-provider-1
  - Proxy-provider-2
  - Proxy-provider-3
# other proxy groups

CStyleIO commented 1 year ago

I have run into this problem too. What I did was set ipv6: false; you can try that.

CStyleIO commented 1 year ago

IPv6 in clash.meta has forwarding problems when it is proxying for the LAN.

Skyxim commented 1 year ago

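Try disabling process matching. On a gateway it cannot match anything and generates a large number of pointless lookups. Config file: https://github.com/MetaCubeX/Clash.Meta/blob/2be486eaa572759791edeffef68459f859218240/docs/config.yaml#L16 Set it to off.

OC configuration: image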

ricky9w commented 1 year ago

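> Try disabling process matching. On a gateway it cannot match anything and generates a large number of pointless lookups.

I set the process rule to OFF without changing any IPv6 settings and used it for a day. System load peaked at around 2, which seems lower than before. I will keep testing whether this is really due to these two settings

> I have run into this problem too. What I did was set ipv6: false; you can try that.

Since I still need IPv6 for now, I have not tried setting ipv6: false yet; if adjusting the process rule does not solve the problem I will test the IPv6-related rules as well, thanks in advance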
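
To confirm which LAN device is behind a connection flood like the one reported in this thread, the core's connection log can be tallied per source address and then per destination for the busiest client. This is an added example, not part of the original issue or the project's code; the `[TCP] src:port --> dst:port` line shape, the `tally` and `sample_log` names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: tally proxy-core connection log lines per LAN client.
# Assumption: each connection line contains "[TCP]" or "[UDP]" followed by
# "src:port --> dst:port"; anything before or after that is ignored.

# Constructed sample lines (not taken from the issue).
sample_log() {
cat <<'EOF'
2023-03-28 20:15:01 [TCP] 192.168.1.101:53422 --> node.example.net:443 using DIRECT
2023-03-28 20:15:01 [TCP] 192.168.1.101:53423 --> node.example.net:443 using DIRECT
2023-03-28 20:15:02 [UDP] 192.168.1.101:40112 --> dns.google:853 using Proxy
2023-03-28 20:15:02 [TCP] 192.168.1.101:53424 --> node.example.net:443 using DIRECT
2023-03-28 20:15:03 [TCP] 192.168.1.102:50110 --> www.example.com:443 using Proxy
2023-03-28 20:15:03 [TCP] 192.168.1.103:41001 --> www.example.org:443 using DIRECT
2023-03-28 20:15:04 [TCP] 192.168.1.103:41002 --> www.example.org:443 using DIRECT
2023-03-28 20:15:04 some other log line without a connection record
EOF
}

# tally            -> "count source-ip" per client, busiest first
# tally SOURCE_IP  -> "count dst:port" for that client, busiest first
tally() {
  awk -v want="$1" '
    {
      for (i = 1; i + 3 <= NF; i++) {
        # Match the protocol tag even if it is glued to a prefix like msg="
        if ($i ~ /\[(TCP|UDP)\]$/ && $(i + 2) == "-->") {
          src = $(i + 1)
          sub(/:[0-9]+$/, "", src)          # drop the source port
          if (want == "") count[src]++
          else if (src == want) count[$(i + 3)]++
          break
        }
      }
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2
}

# Stand-alone run: busiest clients, then what the busiest one is talking to.
sample_log | tally
sample_log | tally 192.168.1.101
```

On the router, feed the real log in place of `sample_log` (for example `tally < /path/to/clash.log`, where the path is a placeholder). A client whose top destinations are a proxy node and DNS servers is one that is running its own proxy software behind the gateway.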