morytyann / OpenWrt-mihomo

Transparent Proxy with Mihomo on OpenWrt.
MIT License

Request: use TPROXY for TCP and TUN for UDP #70

Closed Mikihta closed 3 months ago

Mikihta commented 3 months ago

While setting up the configuration file, I ran into a loopback-access problem caused by the tproxy port whenever direct-connect IPv6 UDP traffic is involved. (I'm a technical novice and don't really understand what this means, but it makes networks that should go direct load slowly or even disconnect.) In TUN mode this problem does not occur, but in TUN mode network speed drops by about 30% (possibly because the router isn't powerful enough; the router is a GL.iNet MT3000).

morytyann commented 3 months ago

Configure Proxy Config -> Bypass -> Wan6 interface; that should solve this problem.

Mikihta commented 3 months ago

After saving the configuration I turned the plugin off and back on; the problem persists. Opening Bilibili on iOS still produces a large number of warnings (other apps not tested yet).

morytyann commented 3 months ago

Run nft list set inet mihomo wan_ip6 and check the result; this may be caused by the IPv6 prefix not being obtained.

Mikihta commented 3 months ago

Here is the result after running it:

table inet mihomo {
        set wan_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { 2***:****:****:****::/64 }
        }
}

morytyann commented 3 months ago

That's strange then; maybe it's a leftover effect? Toggle airplane mode on the iPhone and then try again to see whether there are still Warning logs.

morytyann commented 3 months ago

By the way, are other devices working normally?

Mikihta commented 3 months ago

I tried restarting the iPhone and the router; the phenomenon persists. I also tried opening Bilibili on Windows (Edge browser), and the same problem exists there. Web pages load slowly in DIRECT mode, while after switching to proxy mode pages load normally and quickly.

Mikihta commented 3 months ago

Summary: when using IPv6 UDP DIRECT with TPROXY, the tproxy port causes loopback access, which leads to network abnormalities.

morytyann commented 3 months ago

I have been using it since I added the IPv6 proxy feature and have never run into this. Post your plugin configuration: uci show mihomo

Mikihta commented 3 months ago

mihomo.config=config
mihomo.config.enabled='1'
mihomo.config.scheduled_restart='1'
mihomo.config.cron_expression='0 3 * * *'
mihomo.config.profile='file:/etc/mihomo/profiles/路由器⁺.yaml'
mihomo.config.mixin='1'
mihomo.config.test_profile='1'
mihomo.proxy=proxy
mihomo.proxy.transparent_proxy='1'
mihomo.proxy.transparent_proxy_mode='tproxy'
mihomo.proxy.ipv4_dns_hijack='1'
mihomo.proxy.ipv6_dns_hijack='1'
mihomo.proxy.ipv4_proxy='1'
mihomo.proxy.ipv6_proxy='1'
mihomo.proxy.router_proxy='1'
mihomo.proxy.lan_proxy='1'
mihomo.proxy.access_control_mode='block'
mihomo.proxy.bypass_china_mainland_ip='0'
mihomo.proxy.acl_tcp_dport='1-65535'
mihomo.proxy.acl_udp_dport='1-65535'
mihomo.proxy.wan_interfaces='wan'
mihomo.proxy.acl_mac='78:DF:72:98:9B:A0'
mihomo.proxy.wan6_interfaces='wan6'
mihomo.@subscription[0]=subscription
mihomo.@subscription[0].name='default'
mihomo.@subscription[0].url='http://example.com/default.yaml'
mihomo.mixin=mixin
mihomo.mixin.mode='rule'
mihomo.mixin.match_process='off'
mihomo.mixin.unify_delay='1'
mihomo.mixin.tcp_concurrent='1'
mihomo.mixin.tcp_keep_alive_interval='600'
mihomo.mixin.log_level='info'
mihomo.mixin.ui_razord='1'
mihomo.mixin.ui_razord_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/Razord-meta/archive/refs/heads/gh-pages.tar.gz'
mihomo.mixin.ui_yacd='1'
mihomo.mixin.ui_yacd_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/Yacd-meta/archive/refs/heads/gh-pages.tar.gz'
mihomo.mixin.ui_metacubexd='1'
mihomo.mixin.ui_metacubexd_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.tar.gz'
mihomo.mixin.api_port='9090'
mihomo.mixin.selection_cache='1'
mihomo.mixin.allow_lan='1'
mihomo.mixin.http_port='8080'
mihomo.mixin.socks_port='1080'
mihomo.mixin.mixed_port='7890'
mihomo.mixin.redir_port='7891'
mihomo.mixin.tproxy_port='7892'
mihomo.mixin.authentication='1'
mihomo.mixin.tun_stack='mixed'
mihomo.mixin.tun_mtu='9000'
mihomo.mixin.tun_gso='1'
mihomo.mixin.tun_gso_max_size='65536'
mihomo.mixin.tun_endpoint_independent_nat='0'
mihomo.mixin.dns_port='1053'
mihomo.mixin.dns_mode='redir-host'
mihomo.mixin.fake_ip_range='198.18.0.1/16'
mihomo.mixin.fake_ip_filter='0'
mihomo.mixin.fake_ip_filters='+.lan' '+.local'
mihomo.mixin.fake_ip_cache='1'
mihomo.mixin.dns_ipv6='1'
mihomo.mixin.dns_system_hosts='1'
mihomo.mixin.dns_hosts='1'
mihomo.mixin.hosts='0'
mihomo.mixin.dns_nameserver='0'
mihomo.mixin.dns_fallback_filter='0'
mihomo.mixin.dns_nameserver_policy='0'
mihomo.mixin.sniffer='0'
mihomo.mixin.sniff_dns_mapping='1'
mihomo.mixin.sniff_pure_ip='1'
mihomo.mixin.sniffer_overwrite_dest='1'
mihomo.mixin.geoip_format='dat'
mihomo.mixin.geodata_loader='standard'
mihomo.mixin.geosite_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat'
mihomo.mixin.geoip_mmdb_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.metadb'
mihomo.mixin.geoip_dat_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat'
mihomo.mixin.geoip_asn_url='https://mirror.ghproxy.com/https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb'
mihomo.mixin.geox_auto_update='1'
mihomo.mixin.geox_update_interval='24'
mihomo.mixin.api_secret='851463'
mihomo.@authentication[0]=authentication
mihomo.@authentication[0].enabled='1'
mihomo.@authentication[0].username='mihomo'
mihomo.@authentication[0].password='851463'
mihomo.@host[0]=host
mihomo.@host[0].enabled='0'
mihomo.@host[0].domain_name='localhost'
mihomo.@host[0].ip='127.0.0.1' '::1'
mihomo.@nameserver[0]=nameserver
mihomo.@nameserver[0].enabled='1'
mihomo.@nameserver[0].type='default-nameserver'
mihomo.@nameserver[0].nameserver='223.5.5.5' '119.29.29.29'
mihomo.@nameserver[1]=nameserver
mihomo.@nameserver[1].enabled='1'
mihomo.@nameserver[1].type='proxy-server-nameserver'
mihomo.@nameserver[1].nameserver='https://dns.alidns.com/dns-query' 'https://doh.pub/dns-query'
mihomo.@nameserver[2]=nameserver
mihomo.@nameserver[2].enabled='1'
mihomo.@nameserver[2].type='nameserver'
mihomo.@nameserver[2].nameserver='https://dns.alidns.com/dns-query' 'https://doh.pub/dns-query'
mihomo.@nameserver[3]=nameserver
mihomo.@nameserver[3].enabled='1'
mihomo.@nameserver[3].type='fallback'
mihomo.@nameserver[3].nameserver='https://dns.cloudflare.com/dns-query' 'https://dns.google/dns-query'
mihomo.@fallback_filter[0]=fallback_filter
mihomo.@fallback_filter[0].enabled='1'
mihomo.@fallback_filter[0].type='geoip-code'
mihomo.@fallback_filter[0].value='CN'
mihomo.@fallback_filter[1]=fallback_filter
mihomo.@fallback_filter[1].enabled='1'
mihomo.@fallback_filter[1].type='geosite'
mihomo.@fallback_filter[1].value='GFW'
mihomo.@fallback_filter[2]=fallback_filter
mihomo.@fallback_filter[2].enabled='0'
mihomo.@fallback_filter[2].type='ipcidr'
mihomo.@fallback_filter[3]=fallback_filter
mihomo.@fallback_filter[3].enabled='0'
mihomo.@fallback_filter[3].type='domain_name'
mihomo.@nameserver_policy[0]=nameserver_policy
mihomo.@nameserver_policy[0].enabled='1'
mihomo.@nameserver_policy[0].matcher='geosite:cn,private'
mihomo.@nameserver_policy[0].nameserver='https://dns.alidns.com/dns-query' 'https://doh.pub/dns-query'
mihomo.@nameserver_policy[1]=nameserver_policy
mihomo.@nameserver_policy[1].enabled='1'
mihomo.@nameserver_policy[1].matcher='geosite:geolocation-!cn'
mihomo.@nameserver_policy[1].nameserver='https://dns.cloudflare.com/dns-query' 'https://dns.google/dns-query'
mihomo.@sniff[0]=sniff
mihomo.@sniff[0].enabled='1'
mihomo.@sniff[0].protocol='HTTP'
mihomo.@sniff[0].port='80' '8080-8880'
mihomo.@sniff[0].overwrite_dest='1'
mihomo.@sniff[1]=sniff
mihomo.@sniff[1].enabled='1'
mihomo.@sniff[1].protocol='TLS'
mihomo.@sniff[1].port='443' '8443'
mihomo.@sniff[1].overwrite_dest='1'
mihomo.@sniff[2]=sniff
mihomo.@sniff[2].enabled='1'
mihomo.@sniff[2].protocol='QUIC'
mihomo.@sniff[2].port='443' '8443'
mihomo.@sniff[2].overwrite_dest='1'
mihomo.editor=editor
mihomo.log=log
morytyann commented 3 months ago

Check whether procd-ujail is installed. If not, install it and try again.

Mikihta commented 3 months ago

That's installed too. I just replaced dnsmasq with dnsmasq-full and restarted the router; the problem persists. Later I'll try openclash to see whether it has the same problem.

morytyann commented 3 months ago

OK, but the plugin does not depend on dnsmasq/dnsmasq-full. Could it be conflicting with another plugin?

Mikihta commented 3 months ago

To rule out conflicts with other plugins, I reset the router; the same situation persists. I also tested once with openclash, using the same configuration file, Redir-Host mode, with forwarding set up through the firewall: this problem did not occur, all IPv6 traffic went direct normally, and no loopback occurred.

Mikihta commented 3 months ago

In openclash, using compatibility mode, IPv6 traffic is forwarded with tproxy.

morytyann commented 3 months ago

I can't think of other possibilities for now. Which firmware are you using? I'll test it myself and look for the problem.

morytyann commented 3 months ago

Run nft list ruleset and paste the output here.

Mikihta commented 3 months ago

It's rather long. I'm using version 23.05.4 downloaded from the official OpenWrt site. I just noticed that the three masked addresses are all addresses of my wan6.

Mikihta commented 3 months ago

table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                jump handle_reject
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "eth0" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 10303 bytes 1674228 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 255 bytes 19985 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 21 bytes 588 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 134 bytes 9648 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 4 bytes 416 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 151 bytes 10648 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "eth0" ct state invalid counter packets 49415 bytes 2002715 drop comment "!fw4: Prevent NAT leakage"
                oifname "eth0" counter packets 22834 bytes 2010090 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "eth0" counter packets 51618 bytes 5766897 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "eth0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }

        chain nat_output {
                type nat hook output priority filter - 1; policy accept;
        }
}
table inet mihomo {
        set dns_hijack_nfproto {
                type nf_proto
                flags interval
                elements = { ipv4, ipv6 }
        }

        set proxy_nfproto {
                type nf_proto
                flags interval
                elements = { ipv4, ipv6 }
        }

        set china_ip {
                type ipv4_addr
                flags interval
        }

        set china_ip6 {
                type ipv6_addr
                flags interval
        }

        set reserved_ip {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 0.0.0.0/8, 10.0.0.0/8,
                             100.64.0.0/10, 127.0.0.0/8,
                             169.254.0.0/16, 172.16.0.0/12,
                             192.168.0.0/16, 224.0.0.0/3 }
        }

        set reserved_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { ::/127,
                             ::ffff:0.0.0.0/96,
                             64:ff9b::/96,
                             100::/64,
                             2001::/32,
                             2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff,
                             2001:db8::/32,
                             2002::/16,
                             fc00::/7,
                             fe80::/10,
                             ff00::/8 }
        }

        set wan_ip {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 192.168.1.2 }
        }

        set wan_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { 240e:35b:74a:f801::/64 }
        }

        set fake_ip {
                type ipv4_addr
                flags interval
                elements = { 198.18.0.0/16 }
        }

        set acl_dport {
                type inet_proto . inet_service
                flags interval
                auto-merge
                elements = { tcp . 1-65535,
                             udp . 1-65535 }
        }

        set acl_ip {
                type ipv4_addr
                flags interval
                auto-merge
        }

        set acl_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
        }

        set acl_mac {
                type ether_addr
                flags interval
                auto-merge
        }

        set redirect_exclusion {
                type inet_proto . ipv4_addr . inet_service
                flags interval
                auto-merge
        }

        set upnp_exclusion {
                type inet_proto . ipv4_addr . inet_service
                flags interval,timeout
                auto-merge
        }

        set router_exclusion {
                type nf_proto . inet_proto . inet_service
                flags interval
                auto-merge
                elements = { ipv4 . udp . 68,
                             ipv6 . udp . 546 }
        }

        chain router_dns_hijack {
                meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 oifname "lo" meta skuid != 7890 counter packets 6 bytes 420 redirect to :1053
        }

        chain all_dns_hijack {
                meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter packets 589 bytes 58070 redirect to :1053
        }

        chain allow_dns_hijack {
                meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter packets 0 bytes 0 redirect to :1053
                meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter packets 0 bytes 0 redirect to :1053
                meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter packets 0 bytes 0 redirect to :1053
        }

        chain block_dns_hijack {
                meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter packets 0 bytes 0 return
                meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter packets 0 bytes 0 return
                meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter packets 0 bytes 0 return
                meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter packets 0 bytes 0 redirect to :1053
        }

        chain all_tproxy {
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } meta mark set 0x00000050 tproxy to :7892 counter packets 6046 bytes 2227824 accept
        }

        chain allow_tproxy {
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set 0x00000050 tproxy ip to :7892 counter packets 0 bytes 0 accept
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set 0x00000050 tproxy ip6 to :7892 counter packets 0 bytes 0 accept
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set 0x00000050 tproxy to :7892 counter packets 0 bytes 0 accept
        }

        chain block_tproxy {
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip counter packets 0 bytes 0 return
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter packets 0 bytes 0 return
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac counter packets 0 bytes 0 return
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } meta mark set 0x00000050 tproxy to :7892 counter packets 0 bytes 0 accept
        }

        chain all_tun {
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } meta mark set 0x00000050 counter packets 0 bytes 0
        }

        chain allow_tun {
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set 0x00000050 counter packets 0 bytes 0
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set 0x00000050 counter packets 0 bytes 0
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set 0x00000050 counter packets 0 bytes 0
        }

        chain block_tun {
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip counter packets 0 bytes 0 return
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter packets 0 bytes 0 return
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac counter packets 0 bytes 0 return
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } meta mark set 0x00000050 counter packets 0 bytes 0
        }

        chain router_reroute {
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } meta mark set 0x00000050 counter packets 10834 bytes 457466 accept
        }

        chain dstnat {
                type nat hook prerouting priority dstnat + 1; policy accept;
                jump all_dns_hijack
        }

        chain nat_output {
                type nat hook output priority filter; policy accept;
                jump router_dns_hijack
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } iifname "lo" meta mark 0x00000050 tproxy to :7892 counter packets 518 bytes 31208 accept comment "For Router TPROXY"
                meta nfproto @proxy_nfproto meta l4proto { tcp, udp } iifname "tun" meta mark 0x00000050 counter packets 0 bytes 0 return comment "For Router TUN"
                ip daddr @reserved_ip counter packets 23747 bytes 7313461 return
                ip6 daddr @reserved_ip6 counter packets 588 bytes 61318 return
                ip daddr @wan_ip counter packets 0 bytes 0 return
                ip6 daddr @wan_ip6 counter packets 19 bytes 9864 return
                ip daddr @china_ip counter packets 0 bytes 0 return
                ip6 daddr @china_ip6 counter packets 0 bytes 0 return
                meta l4proto . th dport != @acl_dport ip daddr != @fake_ip counter packets 11 bytes 644 return
                meta nfproto ipv6 meta l4proto . th dport != @acl_dport counter packets 20 bytes 19560 return
                meta l4proto { tcp, udp } th dport 53 counter packets 0 bytes 0 return
                meta l4proto . ip saddr . th sport @redirect_exclusion counter packets 0 bytes 0 return
                meta l4proto . ip saddr . th sport @upnp_exclusion counter packets 0 bytes 0 return
                jump all_tproxy
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
                meta skuid 7890 counter packets 25782 bytes 8615614 return
                ip daddr @reserved_ip counter packets 1040 bytes 381963 return
                ip6 daddr @reserved_ip6 counter packets 35 bytes 2563 return
                ip daddr @wan_ip counter packets 0 bytes 0 return
                ip6 daddr @wan_ip6 counter packets 122 bytes 8640 return
                ip daddr @china_ip counter packets 0 bytes 0 return
                ip6 daddr @china_ip6 counter packets 0 bytes 0 return
                meta l4proto . th dport != @acl_dport ip daddr != @fake_ip counter packets 7 bytes 280 return
                meta nfproto ipv6 meta l4proto . th dport != @acl_dport counter packets 0 bytes 0 return
                meta l4proto { tcp, udp } th dport 53 counter packets 12 bytes 1106 return
                meta nfproto . meta l4proto . th sport @router_exclusion counter packets 0 bytes 0 return
                jump router_reroute
        }
}

morytyann commented 3 months ago

Do you have no public IPv4 address, or do you have a public IPv4 address plus an interface used to access the optical modem (ONT)? If the latter, manually configure Proxy Config -> Bypass -> Wan interface, although in principle this should be unrelated.

Mikihta commented 3 months ago

I tried it; it had no effect.

morytyann commented 3 months ago

You can turn off the IPv6 proxy for now. I've been running tests here with the plugin configuration you posted for a while, tried most domestic apps, and cannot reproduce this. How about trying the plugin's default settings to see whether it works normally; if it still doesn't, switch back to OpenClash. 🥲

morytyann commented 3 months ago

Sorry, my ability is limited; I'll close the issue for now. If there's new progress, just continue the discussion here.

morytyann commented 3 months ago

Is it working now? I'm also curious what exactly causes TUN to work but TPROXY not to, because the difference between their nftables scripts is not large.

morytyann commented 3 months ago

I found an article that mentions the loopback problem. I also went back to look at OpenClash; although it's different, at least IPv4 and IPv6 are written separately there, so the problem may be here. Try installing the latest version and modify line 148 of /etc/mihomo/nftables/hijack.nft as follows:

chain all_tproxy {
    meta nfproto @proxy_nfproto meta l4proto { tcp, udp } meta mark set $FW_MARK tproxy ip to 127.0.0.1:$TPROXY_PORT counter accept
    meta nfproto @proxy_nfproto meta l4proto { tcp, udp } meta mark set $FW_MARK tproxy ip6 to [::1]:$TPROXY_PORT counter accept
}

Remember to turn off access control, otherwise traffic won't go through this chain.

Mikihta commented 3 months ago

Sorry, the problem persists after the modification.

Mikihta commented 3 months ago

An addition: after enabling bypass of mainland China IPs, the problem is completely solved (although it affects some proxy functionality).

Mikihta commented 3 months ago

I used a workaround. Since the problem is

[UDP] dial 境内网络 (match RuleSet/Rule_ChinaMax) [public IPv6 address obtained on the WAN6 interface]:56894 --> [public IPv6 address obtained on the WAN6 interface]:50863 error: reject loopback connection to: [public IPv6 address obtained on the WAN6 interface]:50863

I configured the hijack.nft file so that my WAN's public IPv6 address is set to "continue in the original chain". Since then the warning message has not appeared again and network speed has returned to normal.

My guess: maybe check the code related to bypassing the wan6 interface; there may be a problem in that area.

Mikihta commented 3 months ago

Problem located

Cause

Incomplete bypass configuration for the wan6 interface causes the network loopback anomaly. Details:

  1. Environment: I dial up to the internet through an optical modem (ONT); the ONT assigns the LAN an IPv6 address with a /56 prefix.
  2. Observation: the IPv6 address obtained on the router's wan6 interface has a /56 prefix. In the bypass-wan6 setting, currently only the router's IPv6-PD address is added to wan_ip6.
  3. Problem: because the IPv6-PD prefix delegated on the wan6 interface is /64, and the address assigned by IPv6-PD is derived from the IPv6 address obtained on wan6 with bit 60 incremented by one, the IPv6 address obtained on the router's wan6 interface is not included in wan_ip6, which causes the network loopback anomaly.

Solution

In the existing configuration, in addition to adding the router's IPv6-PD address, also add the IPv6 address obtained on the router's wan6 interface to wan_ip6. This ensures all relevant IPv6 addresses are recorded correctly and avoids the loopback problem.


If nothing unexpected happens, #71 can also be resolved by this.

morytyann commented 3 months ago

OK, so that's it. Try the latest build of the v1.6.2 branch.

morytyann commented 3 months ago

It should be fine; I'll close it for now. Test it when you have time, and if it doesn't work please reopen.

Mikihta commented 3 months ago

I tested it and it doesn't work. The plugin obtains the WAN address but not all of them: besides the IPv6-PD, the WAN has multiple addresses (two in my case). Running nft list set inet mihomo wan_ip6 shows that only the first address is obtained (and without a prefix), but on my router the loopback occurs on the second address. If nothing unexpected, the second address is the temporary IPv6 address used for accessing the public internet. I suggest adding the WAN address prefix as well, to avoid loopback anomalies caused by address changes when the IPv6 lease expires.

morytyann commented 3 months ago

I tested it; wan_ip6 has two addresses, one the WAN interface's IPv6 address and one the WAN interface's IPv6-PD address. How about trying the 1.6.3 build?

Mikihta commented 3 months ago

Ideally three addresses should be obtained (two IPv6 addresses (possibly more) and one IPv6-PD address); all three are obtained on the wan6 interface. Perhaps iterate over the list of obtained addresses and add every address obtained on wan6. I also observe that the obtained IPv6 address (the non-IPv6-PD one) has no prefix; I feel that should be added too. Current situation:

table inet mihomo {
        set wan_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { ****:****:****:***0::1,
                             ****:****:****:***1::/64 }
        }
}

Expected situation:

table inet mihomo {
        set wan_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { ****:****:****:***0::1/128,
                             ****:****:****:***0:****:****:****:****/64
                             ****:****:****:***1::/64 }
        }
}

morytyann commented 3 months ago

The /128 address is already included there. Try adding it manually and see whether nothing changes...

morytyann commented 3 months ago

This is my result:

root@OpenWrt:~# nft list set inet mihomo wan_ip6
table inet mihomo {
    set wan_ip6 {
        type ipv6_addr
        flags interval
        auto-merge
        elements = { xxxx:xxxx:201:1cf2::/64,
                 xxxx:xxxx:212:46e0::/60 }
    }
}


morytyann commented 3 months ago

So your wan_ip6 still has only one IPv6 address?

As for the lease expiry you mentioned, don't worry; it automatically triggers a plugin reload.

Mikihta commented 3 months ago

Sorry, my wording may have misled the developer.

The current situation is

table inet mihomo {
        set wan_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { ****:****:****:***0::1,
                             ****:****:****:***1::/64 }
        }
}

The first IPv6 address was obtained without a prefix, so the /128 address is not included either.

The expected situation is

table inet mihomo {
        set wan_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { ****:****:****:***0::1/128,
                             ****:****:****:***0:****:****:****:****/64,
                             ****:****:****:***1::/64 }
        }
}

All three are addresses obtained on the WAN interface, and ***:****:****:***0::1/128 is a subset of ****:****:****:***0:****:****:****:****/64. More precisely, ****:****:****:***0:****:****:****:****/64 contains ***:****:****:***0::1/128, but ****:****:****:***1::/64 does not contain ****:****:****:***0:****:****:****:****/64.

Possible solution: loop through all IPv6 addresses (including prefixes) obtained on the wan6 interface, so that no wan6 IPv6 address is missed and the loopback problem is avoided.
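The containment argument in the two comments above (the "problem located" write-up and the /128-versus-/64 comparison) can be checked mechanically. The following is an added example, not code from OpenWrt-mihomo: it parses a `nft list set inet mihomo wan_ip6` dump, flags elements that were added as bare /128 hosts (the "no prefix" symptom), and reports which of the router's own wan6 addresses no set element covers. Those are the destinations that fall through the `return` rules in mangle_prerouting and reach the tproxy port, which is the loopback condition mihomo rejects in the log line quoted earlier. The dumps and addresses are constructed from the 2001:db8::/32 documentation range and stand in for the masked values in the thread; the "after" dump assumes the wan6 address was added with its /56 prefix and that auto-merge folded the delegated /64 into it, as the reporter later observed.

```python
from __future__ import annotations
import ipaddress

# Constructed `nft list set inet mihomo wan_ip6` dump before the fix: the wan6
# address is present only as a bare host (no prefix), plus the delegated /64.
BEFORE_FIX = """table inet mihomo {
        set wan_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { 2001:db8:0:1000::1,
                             2001:db8:0:1001::/64 }
        }
}"""

# Constructed dump after adding the wan6 address together with its /56 prefix;
# with auto-merge the delegated /64 is absorbed into the shorter /56 (assumed).
AFTER_FIX = """table inet mihomo {
        set wan_ip6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { 2001:db8:0:1000::/56 }
        }
}"""

# Constructed addresses the router itself holds on wan6: the stable address
# and a temporary address taken from the same /56.
ROUTER_WAN6_ADDRS = [
    "2001:db8:0:1000::1",
    "2001:db8:0:1000:1234:5678:9abc:def0",
]


def parse_set_elements(nft_output: str) -> list[ipaddress.IPv6Network]:
    """Parse the `elements = { ... }` block of an nft set dump into networks.
    A bare address with no /len is a single host, i.e. a /128."""
    start = nft_output.index("elements = {") + len("elements = {")
    end = nft_output.index("}", start)
    body = nft_output[start:end].replace("\n", " ")
    return [ipaddress.IPv6Network(tok.strip(), strict=False)
            for tok in body.split(",") if tok.strip()]


def host_only_elements(elements: list[ipaddress.IPv6Network]) -> list[str]:
    """Elements stored as single /128 hosts: addresses that were added without
    their prefix, the symptom reported for the first wan_ip6 entry."""
    return [str(n) for n in elements if n.prefixlen == 128]


def uncovered_addresses(addrs: list[str],
                        elements: list[ipaddress.IPv6Network]) -> list[str]:
    """Router addresses that no set element contains. A packet to such an
    address is not returned by the `ip6 daddr @wan_ip6 return` rule, so it is
    handed to the tproxy port and mihomo rejects it as a loopback connection."""
    return [a for a in addrs
            if not any(ipaddress.IPv6Address(a) in n for n in elements)]


def audit(nft_output: str, addrs: list[str] = ROUTER_WAN6_ADDRS) -> dict:
    """Run both checks over one set dump."""
    elements = parse_set_elements(nft_output)
    return {
        "host_only": host_only_elements(elements),
        "uncovered": uncovered_addresses(addrs, elements),
    }


if __name__ == "__main__":
    for label, dump in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(dump))
```

Running it on a real router means replacing the constructed dump with the output of `nft list set inet mihomo wan_ip6` and the address list with what `ip -6 addr show` reports for the wan6 interface; an empty `uncovered` list is the condition the thread is working towards.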

morytyann commented 3 months ago

Modify it on your side; once it's verified to work I'll update. Find the file /etc/init.d/mihomo, edit it, replace the add_wan6_inbound_exclusion function at the bottom with the following code, then restart the plugin and check wan_ip6 again.

add_wan6_inbound_exclusion() {
    local wan6_ip wan6_subnet wan6_prefix
    network_get_ipaddr6 wan6_ip $1
    if [ -n "$wan6_ip" ]; then
        nft add element inet $FW_TABLE wan_ip6 \{ "$wan6_ip" \}
    fi
    network_get_subnet6 wan6_subnet $1
    if [ -n "$wan6_subnet" ]; then
        nft add element inet $FW_TABLE wan_ip6 \{ "$wan6_subnet" \}
    fi
    network_get_prefixes6 wan6_prefix $1
    if [ -n "$wan6_prefix" ]; then
        nft add element inet $FW_TABLE wan_ip6 \{ "$wan6_prefix" \}
    fi
}

Mikihta commented 3 months ago

I changed the add_wan6_inbound_exclusion function in /etc/init.d/mihomo to the following code, and the problem is solved.

add_wan6_inbound_exclusion() {
    local wan6_prefix wan6_subnets

    # Get the delegated IPv6 prefix (IPv6-PD)
    network_get_prefixes6 wan6_prefix $1
    if [ -n "$wan6_prefix" ]; then
        nft add element inet $FW_TABLE wan_ip6 \{ "$wan6_prefix" \}
    fi

    # Get all IPv6 subnets (address/prefix) on the interface
    network_get_subnets6 wan6_subnets $1

    # Iterate over every subnet and add it to the firewall set
    for subnet in $wan6_subnets; do
        if [ -n "$subnet" ]; then
            nft add element inet $FW_TABLE wan_ip6 \{ "$subnet" \}
        fi
    done
}

Although it did not obtain three IPv6 addresses as I expected, wan_ip6 actually got a shorter prefix (which happens to contain those three IPs, and also contains the IPv6 addresses the ONT assigned to other devices), which solved the problem.


Special thanks: ChatGPT

morytyann commented 3 months ago

OK, I'll update shortly. This should resolve it completely; thanks a lot for helping troubleshoot this. ❤️

Mikihta commented 3 months ago

The boring daily life of a college student 😂

morytyann commented 3 months ago

Try the v1.6.4 release; if there's no problem, close it. Finally solved 🥲

Mikihta commented 3 months ago

I won't be back until tonight 😭; I'll test when I'm back.

Mikihta commented 3 months ago

After testing, it's solved. Thanks, developer 🥳 I'll close the issue now.