morytyann / OpenWrt-mihomo

Transparent Proxy with Mihomo on OpenWrt.
MIT License

[BUG] Conflict with mwan3 leaves the router's own traffic unable to go through the proxy #88

Closed swzs2018 closed 2 months ago

swzs2018 commented 2 months ago

Self-check steps

Confirmed

System

OpenWrt

System version

OpenWrt 23.05.4 r24012-d8dd03c46f

Plugin version

1.6.4

Hardware architecture

x86_64

Bug description

When mwan3 is installed, the proxy for the router's own traffic stops working: `curl -v https://google.com` prints nothing until it times out. The core is working fine at that point, since `curl https://google.com -v --proxy socks5://127.0.0.1:7890` makes the request and prints output normally.

After uninstalling mwan3 with `opkg remove --force-removal-of-dependent-packages lua-app-mwan3 mwan3`, the proxy comes back immediately.

Expected behavior

mwan3 uses the firewall and creates some rules in the mangle table to handle policy routing across multiple WANs; the proxy should not conflict with it.

Steps to reproduce

  1. Build OpenWrt without the mwan3 package.
  2. Configure the mihomo proxy.
  3. Test on the router with `curl https://google.com -v` and confirm it works.
  4. Install mwan3: `opkg update && opkg install luci-app-mwan3`
  5. Test on the router again with `curl https://google.com -v`; the request gets no response until it times out.
  6. Test on the router with `curl https://google.com -v --proxy socks5://127.0.0.1:7890` and confirm it works.
  7. Uninstall mwan3: `opkg remove --force-removal-of-dependent-packages lua-app-mwan3 mwan3`
  8. Test again; the proxy is back.

Plugin log

 App is enabled.
 Starting...
 Use Subscription: default
 Mixin is enabled, mixin all config.
 Profile testing...
 Profile test passed!
 Start Core
 Transparent Proxy is enabled.
 Transparent Proxy: Start hijack.
 Transparent Proxy: Using TPROXY mode.
 Transparent Proxy: IPv4 DNS Hijack is enabled, IPv4 dns request will redirect to the core.
 Transparent Proxy: IPv4 Proxy is enabled, set proxy for IPv4 traffic.
 Transparent Proxy: Bypass china mainland ip is enabled.
 Transparent Proxy: Destination TCP Port to Proxy: 1-65535.
 Transparent Proxy: Destination UDP Port to Proxy: 1-65535.
 Transparent Proxy: Add exclusions.
 Transparent Proxy: Router Proxy is enabled, set proxy for router.
 Transparent Proxy: Lan Proxy is enabled, set proxy for lan.
 Transparent Proxy: Access Control is using all mode, set proxy for all client.
 Start Successful!

Core log

 level=info msg="Start initial configuration in progress"
 level=info msg="Geodata Loader mode: standard"
 level=info msg="Geosite Matcher implementation: succinct"
 level=info msg="Initial configuration complete, total time: 0ms"
 level=info msg="Start initial configuration in progress"
 level=info msg="Geodata Loader mode: standard"
 level=info msg="Geosite Matcher implementation: succinct"
 level=info msg="Initial configuration complete, total time: 0ms"
 level=info msg="RESTful API listening at: [::]:9090"
 level=info msg="Sniffer is loaded and working"
 level=info msg="Use tcp concurrent"
 level=info msg="DNS server listening at: [::]:1053"
 level=info msg="HTTP proxy listening at: [::]:8080"
 level=info msg="SOCKS proxy listening at: [::]:1080"
 level=info msg="Redirect proxy listening at: [::]:7891"
 level=info msg="TProxy server listening at: [::]:7892"
 level=info msg="Mixed(http+socks) proxy listening at: [::]:7890"
 level=info msg="Start initial provider proxies"
 level=info msg="Start initial provider applications"
 level=info msg="Start initial provider telegramcidr"
 level=info msg="Start initial provider apple"
 level=info msg="Start initial provider direct"
 level=info msg="Start initial provider private"
 level=info msg="Start initial provider proxy"
 level=info msg="Start initial provider tld-not-cn"
 level=info msg="Start initial provider gfw"
 level=info msg="Start initial provider icloud"
 level=info msg="Start initial provider lancidr"
 level=info msg="Start initial provider cncidr"
 level=info msg="Start initial provider google"
 level=info msg="Start initial provider reject"
 level=info msg="Start initial Compatible provider default"
 level=info msg="[TCP] 127.0.0.1:47762 --> google.com:443 match RuleSet(gfw) using PROXY[x]"

Configuration file

mihomo.status=status
mihomo.config=config
mihomo.config.enabled='1'
mihomo.config.scheduled_restart='0'
mihomo.config.cron_expression='0 3 * * *'
mihomo.config.profile='subscription:subscription'
mihomo.config.mixin='1'
mihomo.config.test_profile='1'
mihomo.proxy=proxy
mihomo.proxy.transparent_proxy='1'
mihomo.proxy.transparent_proxy_mode='tproxy'
mihomo.proxy.ipv4_dns_hijack='1'
mihomo.proxy.ipv6_dns_hijack='0'
mihomo.proxy.ipv4_proxy='1'
mihomo.proxy.ipv6_proxy='0'
mihomo.proxy.router_proxy='1'
mihomo.proxy.lan_proxy='1'
mihomo.proxy.access_control_mode='all'
mihomo.proxy.bypass_china_mainland_ip='1'
mihomo.proxy.acl_tcp_dport='1-65535'
mihomo.proxy.acl_udp_dport='1-65535'
mihomo.proxy.wan_interfaces='wan'
mihomo.subscription=subscription
mihomo.subscription.name='default'
mihomo.subscription.url='suburl'
mihomo.subscription.user_agent='clash.meta'
mihomo.subscription.convert='0'
mihomo.subscription.convert_advanced='0'
mihomo.subscription.convert_emoji='0'
mihomo.subscription.convert_insert_node_type='0'
mihomo.mixin=mixin
mihomo.mixin.mode='rule'
mihomo.mixin.match_process='off'
mihomo.mixin.unify_delay='1'
mihomo.mixin.tcp_concurrent='1'
mihomo.mixin.tcp_keep_alive_interval='600'
mihomo.mixin.log_level='info'
mihomo.mixin.ui_name='yacd'
mihomo.mixin.ui_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/Yacd-meta/archive/refs/heads/gh-pages.zip'
mihomo.mixin.api_port='9090'
mihomo.mixin.selection_cache='1'
mihomo.mixin.allow_lan='1'
mihomo.mixin.http_port='8080'
mihomo.mixin.socks_port='1080'
mihomo.mixin.mixed_port='7890'
mihomo.mixin.redir_port='7891'
mihomo.mixin.tproxy_port='7892'
mihomo.mixin.authentication='0'
mihomo.mixin.tun_stack='mixed'
mihomo.mixin.tun_mtu='9000'
mihomo.mixin.tun_gso='1'
mihomo.mixin.tun_gso_max_size='65536'
mihomo.mixin.tun_endpoint_independent_nat='0'
mihomo.mixin.dns_port='1053'
mihomo.mixin.dns_mode='redir-host'
mihomo.mixin.fake_ip_range='198.18.0.1/16'
mihomo.mixin.fake_ip_filter='0'
mihomo.mixin.fake_ip_filters='+.lan' '+.local'
mihomo.mixin.fake_ip_cache='1'
mihomo.mixin.dns_ipv6='0'
mihomo.mixin.dns_system_hosts='1'
mihomo.mixin.dns_hosts='1'
mihomo.mixin.hosts='0'
mihomo.mixin.dns_nameserver='0'
mihomo.mixin.dns_fallback_filter='0'
mihomo.mixin.dns_nameserver_policy='0'
mihomo.mixin.sniffer='1'
mihomo.mixin.sniff_dns_mapping='1'
mihomo.mixin.sniff_pure_ip='1'
mihomo.mixin.sniffer_overwrite_dest='1'
mihomo.mixin.geoip_format='dat'
mihomo.mixin.geodata_loader='standard'
mihomo.mixin.geosite_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat'
mihomo.mixin.geoip_mmdb_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.metadb'
mihomo.mixin.geoip_dat_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat'
mihomo.mixin.geoip_asn_url='https://mirror.ghproxy.com/https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb'
mihomo.mixin.geox_auto_update='1'
mihomo.mixin.geox_update_interval='24'
mihomo.mixin.api_secret='123456'
mihomo.mixin.outbound_interface='wan'
mihomo.@authentication[0]=authentication
mihomo.@authentication[0].enabled='1'
mihomo.@authentication[0].username='mihomo'
mihomo.@authentication[0].password='123456'
mihomo.@host[0]=host
mihomo.@host[0].enabled='0'
mihomo.@host[0].domain_name='localhost'
mihomo.@host[0].ip='127.0.0.1' '::1'
mihomo.@nameserver[0]=nameserver
mihomo.@nameserver[0].enabled='1'
mihomo.@nameserver[0].type='default-nameserver'
mihomo.@nameserver[0].nameserver='223.5.5.5' '119.29.29.29'
mihomo.@nameserver[1]=nameserver
mihomo.@nameserver[1].enabled='1'
mihomo.@nameserver[1].type='proxy-server-nameserver'
mihomo.@nameserver[1].nameserver='https://dns.alidns.com/dns-query' 'https://doh.pub/dns-query'
mihomo.@nameserver[2]=nameserver
mihomo.@nameserver[2].enabled='1'
mihomo.@nameserver[2].type='nameserver'
mihomo.@nameserver[2].nameserver='https://dns.alidns.com/dns-query' 'https://doh.pub/dns-query'
mihomo.@nameserver[3]=nameserver
mihomo.@nameserver[3].enabled='1'
mihomo.@nameserver[3].type='fallback'
mihomo.@nameserver[3].nameserver='https://dns.cloudflare.com/dns-query' 'https://dns.google/dns-query'
mihomo.@fallback_filter[0]=fallback_filter
mihomo.@fallback_filter[0].enabled='1'
mihomo.@fallback_filter[0].type='geoip-code'
mihomo.@fallback_filter[0].value='CN'
mihomo.@fallback_filter[1]=fallback_filter
mihomo.@fallback_filter[1].enabled='1'
mihomo.@fallback_filter[1].type='geosite'
mihomo.@fallback_filter[1].value='GFW'
mihomo.@fallback_filter[2]=fallback_filter
mihomo.@fallback_filter[2].enabled='0'
mihomo.@fallback_filter[2].type='ipcidr'
mihomo.@fallback_filter[3]=fallback_filter
mihomo.@fallback_filter[3].enabled='0'
mihomo.@fallback_filter[3].type='domain_name'
mihomo.@nameserver_policy[0]=nameserver_policy
mihomo.@nameserver_policy[0].enabled='1'
mihomo.@nameserver_policy[0].matcher='geosite:cn,private'
mihomo.@nameserver_policy[0].nameserver='https://dns.alidns.com/dns-query' 'https://doh.pub/dns-query'
mihomo.@nameserver_policy[1]=nameserver_policy
mihomo.@nameserver_policy[1].enabled='1'
mihomo.@nameserver_policy[1].matcher='geosite:geolocation-!cn'
mihomo.@nameserver_policy[1].nameserver='https://dns.cloudflare.com/dns-query' 'https://dns.google/dns-query'
mihomo.@sniff[0]=sniff
mihomo.@sniff[0].enabled='1'
mihomo.@sniff[0].protocol='HTTP'
mihomo.@sniff[0].port='80' '8080-8880'
mihomo.@sniff[0].overwrite_dest='1'
mihomo.@sniff[1]=sniff
mihomo.@sniff[1].enabled='1'
mihomo.@sniff[1].protocol='TLS'
mihomo.@sniff[1].port='443' '8443'
mihomo.@sniff[1].overwrite_dest='1'
mihomo.@sniff[2]=sniff
mihomo.@sniff[2].enabled='1'
mihomo.@sniff[2].protocol='QUIC'
mihomo.@sniff[2].port='443' '8443'
mihomo.@sniff[2].overwrite_dest='1'
mihomo.editor=editor
mihomo.log=log

Additional information

root@OpenWrt:~# nft list tables
table inet fw4
table ip mangle
table ip6 mangle
table inet mihomo
root@OpenWrt:~# nft list table ip mangle
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
                counter packets 7612 bytes 736961 jump mwan3_hook
        }

        chain OUTPUT {
                type route hook output priority mangle; policy accept;
                counter packets 10504 bytes 6461029 jump mwan3_hook
        }

        chain mwan3_ifaces_in {
                meta mark & 0x00003f00 == 0x00000000 counter packets 520 bytes 56771 jump mwan3_iface_in_wan
        }

        chain mwan3_custom_ipv4 {
                xt match "set" counter packets 0 bytes 0 xt target "MARK"
        }

        chain mwan3_connected_ipv4 {
                xt match "set" counter packets 1283 bytes 619868 xt target "MARK"
        }

        chain mwan3_dynamic_ipv4 {
                xt match "set" counter packets 0 bytes 0 xt target "MARK"
        }

        chain mwan3_rules {
                meta l4proto tcp xt match "multiport" meta mark & 0x00003f00 == 0x00000000 counter packets 23 bytes 1340 jump mwan3_rule_https
                meta mark & 0x00003f00 == 0x00000000 counter packets 203 bytes 15012 jump mwan3_policy_balanced
        }

        chain mwan3_hook {
                meta mark & 0x00003f00 == 0x00000000 counter packets 17388 bytes 7127597 xt target "CONNMARK"
                meta mark & 0x00003f00 == 0x00000000 counter packets 522 bytes 56851 jump mwan3_ifaces_in
                meta mark & 0x00003f00 == 0x00000000 counter packets 517 bytes 55686 jump mwan3_custom_ipv4
                meta mark & 0x00003f00 == 0x00000000 counter packets 517 bytes 55686 jump mwan3_connected_ipv4
                meta mark & 0x00003f00 == 0x00000000 counter packets 232 bytes 18465 jump mwan3_dynamic_ipv4
                meta mark & 0x00003f00 == 0x00000000 counter packets 232 bytes 18465 jump mwan3_rules
                counter packets 18116 bytes 7197990 xt target "CONNMARK"
                meta mark & 0x00003f00 != 0x00003f00 counter packets 1711 bytes 638549 jump mwan3_custom_ipv4
                meta mark & 0x00003f00 != 0x00003f00 counter packets 1711 bytes 638549 jump mwan3_connected_ipv4
                meta mark & 0x00003f00 != 0x00003f00 counter packets 713 bytes 55902 jump mwan3_dynamic_ipv4
        }

        chain mwan3_iface_in_wan {
                iifname "eth0" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
                iifname "eth0" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 5 bytes 1165 xt target "MARK"
                iifname "eth0" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
                iifname "eth0" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
        }

        chain mwan3_policy_wan_only {
                meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
        }

        chain mwan3_policy_wanb_only {
                meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
        }

        chain mwan3_policy_balanced {
                meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 204 bytes 15072 xt target "MARK"
        }

        chain mwan3_policy_wan_wanb {
                meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
        }

        chain mwan3_policy_wanb_wan {
                meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
        }

        chain mwan3_rule_https {
                meta mark & 0x00003f00 == 0x00000000 counter packets 23 bytes 1340 xt target "MARK"
                meta mark & 0x00003f00 == 0x00000100 xt match "set" counter packets 1 bytes 60 xt target "MARK"
                meta mark & 0x00003f00 == 0x00000000 counter packets 1 bytes 60 jump mwan3_policy_balanced
                meta mark & 0x0000fc00 != 0x0000fc00 counter packets 23 bytes 1340 xt target "SET"
                meta mark & 0x0000fc00 != 0x0000fc00 counter packets 23 bytes 1340 xt target "SET"
        }
}
morytyann commented 2 months ago

I need to study this area first, especially how mwan3 is implemented; I can't solve this quickly.

Also, I have a question: can mwan3 and a transparent proxy really coexist cleanly? 😢

morytyann commented 2 months ago

By the way, is it only the router's own traffic that isn't proxied? Does LAN traffic work?

swzs2018 commented 2 months ago

> I need to study this area first, especially how mwan3 is implemented; I can't solve this quickly.

🙏

> Can mwan3 and a transparent proxy really coexist cleanly?

From past experience they shouldn't conflict seriously. Earlier, the passwall family of plugins could also coexist with mwan3, but back then the firewall may still have been iptables-based rather than nftables-based, and I'm not sure whether that is related.

Actually, using a transparent proxy together with mwan3 here isn't driven by any need for policy routing or load balancing. The router simply has two WAN connections, and before I used mwan3 it seemed that inbound traffic on the lower-priority connection couldn't return along the same path 🤔. I only use mwan3 to handle inbound connections on both WAN IPs correctly (roughly: it marks a connection when traffic comes in, so the reply goes back out through the interface it arrived on; otherwise everything leaves through the interface with the lower metric).

> By the way, is it only the router's own traffic that isn't proxied? Does LAN traffic work?

I tested it, and LAN traffic doesn't work either. After uninstalling mwan3, the transparent proxy does work normally.

morytyann commented 2 months ago

I looked at mwan3's code: it gets nftables compatibility through iptables-nft/ip6tables-nft. Since I don't have multiple WAN ports, I don't know whether it works on the new OpenWrt at all. Could you check whether mwan3 works normally on your side with Mihomo turned off?

I also searched the PassWall/PassWall2/OpenClash repositories for issues about MWAN. There are very few results, and for nftables environments the count is a grand total of zero! The iptables-era ones all say to disable MWAN3 or flush its rules to solve the problem. I'm not sure whether those three plugins are compatible with MWAN3 under nftables, or whether nobody uses nftables and MWAN3 together.

swzs2018 commented 2 months ago

> Could you check whether mwan3 works normally on your side with Mihomo turned off?

mwan3 works normally whether or not mihomo or a similar plugin is enabled (meaning it handles inbound traffic on multiple WAN IPs correctly). But as long as mwan3 is present, neither the router's own proxy nor the LAN transparent proxy works.

> or whether nobody uses nftables and MWAN3 together?

It's hard for me to swap the gateway over to an old build right now, but I found an old image and tested it in a VM with three virtual NICs, two simulating external WANs and one simulating the LAN. With mwan3 installed and enabled and passwall tproxy doing the proxying, mwan3 and the transparent proxy coexist. Here is some environment information.


Test

Screenshots

![image](https://github.com/user-attachments/assets/78723488-65a0-42ef-a322-b1296d4ca8aa)
![image](https://github.com/user-attachments/assets/a5023814-0faf-428a-b432-e93f3bd9ea80)

mwan3 status: both WANs usable

```
$ ping 192.168.31.206
Pinging 192.168.31.206 with 32 bytes of data:
Reply from 192.168.31.206: bytes=32 time<1ms TTL=64
Reply from 192.168.31.206: bytes=32 time=1ms TTL=64
Reply from 192.168.31.206: bytes=32 time<1ms TTL=64
Reply from 192.168.31.206: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.31.206:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

$ ping 192.168.31.205
Pinging 192.168.31.205 with 32 bytes of data:
Reply from 192.168.31.205: bytes=32 time<1ms TTL=64
Reply from 192.168.31.205: bytes=32 time<1ms TTL=64
Reply from 192.168.31.205: bytes=32 time<1ms TTL=64
Reply from 192.168.31.205: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.31.205:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```

```
root@OpenWrt:~# mwan3 status
Interface status:
 interface wan1 is online and tracking is active
 interface wan2 is error and tracking is active

Current ipv4 policies:
balance:
 wan1 (100%)
a_only:
 wan2 (100%)
b_only:
 wan1 (100%)

Current ipv6 policies:
balance:
 default
a_only:
 default
b_only:
 default

Directly connected ipv4 networks:
 127.0.0.1
 127.0.0.0
 192.0.0.0/8
 192.168.31.205
 192.168.31.0/24
 192.0.0.0
 127.0.0.0/8
 192.168.31.206
 224.0.0.0/3
 192.168.31.0
 192.255.255.255
 192.168.31.255
 127.255.255.255
 192.168.29.100

Directly connected ipv6 networks:
 fe80::/64

Active ipv4 user rules:
    9   760 - b_only  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Active ipv6 user rules:
    0     0 - b_only  all      *      *       ::/0                 ::/0
```

iptables -L -t nat

```
root@OpenWrt:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PSW_REDIRECT  all  --  anywhere             anywhere
REDIRECT   udp  --  anywhere             anywhere             udp dpt:domain redir ports 53
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:domain redir ports 53
prerouting_rule  all  --  anywhere             anywhere             /* !fw3: Custom prerouting rule chain */
zone_lan_prerouting  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_prerouting  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_prerouting  all  --  anywhere             anywhere             /* !fw3 */

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere             /* !fw3: Custom postrouting rule chain */
zone_lan_postrouting  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_postrouting  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_postrouting  all  --  anywhere             anywhere             /* !fw3 */

Chain MINIUPNPD (1 references)
target     prot opt source               destination

Chain MINIUPNPD-POSTROUTING (1 references)
target     prot opt source               destination

Chain PSW (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             match-set laniplist dst
RETURN     all  --  anywhere             anywhere             match-set vpsiplist dst
RETURN     all  --  anywhere             anywhere             match-set whitelist dst
RETURN     all  --  anywhere             anywhere             mark match 0xff
RETURN     tcp  --  anywhere             anywhere             /* '默认' */

Chain PSW_OUTPUT (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             match-set laniplist dst
RETURN     all  --  anywhere             anywhere             match-set vpsiplist dst
RETURN     all  --  anywhere             anywhere             match-set whitelist dst
RETURN     all  --  anywhere             anywhere             mark match 0xff

Chain PSW_REDIRECT (1 references)
target     prot opt source               destination

Chain postrouting_lan_rule (1 references)
target     prot opt source               destination

Chain postrouting_rule (1 references)
target     prot opt source               destination

Chain postrouting_wan_rule (1 references)
target     prot opt source               destination

Chain prerouting_lan_rule (1 references)
target     prot opt source               destination

Chain prerouting_rule (1 references)
target     prot opt source               destination

Chain prerouting_wan_rule (1 references)
target     prot opt source               destination

Chain zone_lan_postrouting (1 references)
target     prot opt source               destination
postrouting_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
target     prot opt source               destination
prerouting_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan prerouting rule chain */

Chain zone_wan_postrouting (2 references)
target     prot opt source               destination
MINIUPNPD-POSTROUTING  all  --  anywhere             anywhere
postrouting_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan postrouting rule chain */
MASQUERADE  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_prerouting (2 references)
target     prot opt source               destination
MINIUPNPD  all  --  anywhere             anywhere
prerouting_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan prerouting rule chain */
```

iptables -L -t filter

```
root@OpenWrt:~# iptables -L -t filter
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */

Chain MINIUPNPD (1 references)
target     prot opt source               destination

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (4 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (2 references)
target     prot opt source               destination
MINIUPNPD  all  --  anywhere             anywhere
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (2 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (2 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */
```
morytyann commented 2 months ago

Is your hardware x86? I'll give you a build I've modified to try: mihomo.zip. No guarantee it fixes it, but it's worth a try.

swzs2018 commented 2 months ago

After updating to these new packages it still doesn't work; specifically, the connections page in the dashboard shows no connections at all. The mode is tproxy. I also tested redir-host and fake-ip DNS modes, and they made no difference to the non-working result.

Checking the firewall tables with `nft list table inet mihomo`, the mihomo table doesn't exist. The app log looks entirely normal, with no errors.

root@OpenWrt:~# nft list tables
table inet fw4
table ip mangle
table ip6 mangle
root@OpenWrt:~# nft list table inet mihomo
Error: No such file or directory
list table inet mihomo
                ^^^^^^
Configuration

```
mihomo.status=status
mihomo.config=config
mihomo.config.enabled='1'
mihomo.config.scheduled_restart='0'
mihomo.config.cron_expression='0 3 * * *'
mihomo.config.profile='subscription:subscription'
mihomo.config.mixin='1'
mihomo.config.test_profile='1'
mihomo.proxy=proxy
mihomo.proxy.transparent_proxy='1'
mihomo.proxy.transparent_proxy_mode='tproxy'
mihomo.proxy.ipv4_dns_hijack='1'
mihomo.proxy.ipv6_dns_hijack='0'
mihomo.proxy.ipv4_proxy='1'
mihomo.proxy.ipv6_proxy='0'
mihomo.proxy.router_proxy='1'
mihomo.proxy.lan_proxy='1'
mihomo.proxy.access_control_mode='all'
mihomo.proxy.bypass_china_mainland_ip='1'
mihomo.proxy.acl_tcp_dport='1-65535'
mihomo.proxy.acl_udp_dport='1-65535'
mihomo.proxy.wan_interfaces='wan1'
mihomo.subscription=subscription
mihomo.subscription.name='default'
mihomo.subscription.url='suburl'
mihomo.subscription.user_agent='mihomo'
mihomo.subscription.convert='0'
mihomo.subscription.convert_advanced='0'
mihomo.subscription.convert_emoji='0'
mihomo.subscription.convert_insert_node_type='0'
mihomo.mixin=mixin
mihomo.mixin.mode='rule'
mihomo.mixin.match_process='off'
mihomo.mixin.unify_delay='1'
mihomo.mixin.tcp_concurrent='1'
mihomo.mixin.tcp_keep_alive_interval='300'
mihomo.mixin.log_level='warning'
mihomo.mixin.ui_name='metacubexd'
mihomo.mixin.ui_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip'
mihomo.mixin.api_port='9090'
mihomo.mixin.selection_cache='1'
mihomo.mixin.allow_lan='1'
mihomo.mixin.http_port='8080'
mihomo.mixin.socks_port='1080'
mihomo.mixin.mixed_port='7890'
mihomo.mixin.redir_port='7891'
mihomo.mixin.tproxy_port='7892'
mihomo.mixin.authentication='0'
mihomo.mixin.tun_stack='system'
mihomo.mixin.tun_mtu='9000'
mihomo.mixin.tun_gso='1'
mihomo.mixin.tun_gso_max_size='65536'
mihomo.mixin.tun_endpoint_independent_nat='0'
mihomo.mixin.dns_port='1053'
mihomo.mixin.dns_mode='redir-host'
mihomo.mixin.fake_ip_range='198.18.0.1/16'
mihomo.mixin.fake_ip_filter='0'
mihomo.mixin.fake_ip_filters='+.lan' '+.local'
mihomo.mixin.fake_ip_cache='1'
mihomo.mixin.dns_ipv6='0'
mihomo.mixin.dns_system_hosts='1'
mihomo.mixin.dns_hosts='1'
mihomo.mixin.hosts='0'
mihomo.mixin.dns_nameserver='0'
mihomo.mixin.dns_fallback_filter='0'
mihomo.mixin.dns_nameserver_policy='0'
mihomo.mixin.sniffer='1'
mihomo.mixin.sniff_dns_mapping='1'
mihomo.mixin.sniff_pure_ip='1'
mihomo.mixin.sniffer_overwrite_dest='1'
mihomo.mixin.geoip_format='dat'
mihomo.mixin.geodata_loader='standard'
mihomo.mixin.geosite_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat'
mihomo.mixin.geoip_mmdb_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.metadb'
mihomo.mixin.geoip_dat_url='https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat'
mihomo.mixin.geoip_asn_url='https://mirror.ghproxy.com/https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb'
mihomo.mixin.geox_auto_update='1'
mihomo.mixin.geox_update_interval='24'
mihomo.mixin.api_secret='33610'
mihomo.mixin.outbound_interface='wan1'
mihomo.@authentication[0]=authentication
mihomo.@authentication[0].enabled='1'
mihomo.@authentication[0].username='mihomo'
mihomo.@authentication[0].password='33610'
mihomo.@host[0]=host
mihomo.@host[0].enabled='0'
mihomo.@host[0].domain_name='localhost'
mihomo.@host[0].ip='127.0.0.1' '::1'
mihomo.@nameserver[0]=nameserver
mihomo.@nameserver[0].enabled='1'
mihomo.@nameserver[0].type='default-nameserver'
mihomo.@nameserver[0].nameserver='223.5.5.5' '119.29.29.29'
mihomo.@nameserver[1]=nameserver
mihomo.@nameserver[1].enabled='1'
mihomo.@nameserver[1].type='proxy-server-nameserver'
mihomo.@nameserver[1].nameserver='https://dns.alidns.com/dns-query' 'https://doh.pub/dns-query'
mihomo.@nameserver[2]=nameserver
mihomo.@nameserver[2].enabled='1'
mihomo.@nameserver[2].type='nameserver'
mihomo.@nameserver[2].nameserver='https://dns.alidns.com/dns-query' 'https://doh.pub/dns-query'
mihomo.@nameserver[3]=nameserver
mihomo.@nameserver[3].enabled='1'
mihomo.@nameserver[3].type='fallback'
mihomo.@nameserver[3].nameserver='https://dns.cloudflare.com/dns-query' 'https://dns.google/dns-query'
mihomo.@fallback_filter[0]=fallback_filter
mihomo.@fallback_filter[0].enabled='1'
mihomo.@fallback_filter[0].type='geoip-code'
mihomo.@fallback_filter[0].value='CN'
mihomo.@fallback_filter[1]=fallback_filter
mihomo.@fallback_filter[1].enabled='1'
mihomo.@fallback_filter[1].type='geosite'
mihomo.@fallback_filter[1].value='GFW'
mihomo.@fallback_filter[2]=fallback_filter
mihomo.@fallback_filter[2].enabled='0'
mihomo.@fallback_filter[2].type='ipcidr'
mihomo.@fallback_filter[3]=fallback_filter
mihomo.@fallback_filter[3].enabled='0'
mihomo.@fallback_filter[3].type='domain_name'
mihomo.@nameserver_policy[0]=nameserver_policy
mihomo.@nameserver_policy[0].enabled='1'
mihomo.@nameserver_policy[0].matcher='geosite:cn,private'
mihomo.@nameserver_policy[0].nameserver='https://dns.alidns.com/dns-query' 'https://doh.pub/dns-query'
mihomo.@nameserver_policy[1]=nameserver_policy
mihomo.@nameserver_policy[1].enabled='1'
mihomo.@nameserver_policy[1].matcher='geosite:geolocation-!cn'
mihomo.@nameserver_policy[1].nameserver='https://dns.cloudflare.com/dns-query' 'https://dns.google/dns-query'
mihomo.@sniff[0]=sniff
mihomo.@sniff[0].enabled='1'
mihomo.@sniff[0].protocol='HTTP'
mihomo.@sniff[0].port='80' '8080-8880'
mihomo.@sniff[0].overwrite_dest='1'
mihomo.@sniff[1]=sniff
mihomo.@sniff[1].enabled='1'
mihomo.@sniff[1].protocol='TLS'
mihomo.@sniff[1].port='443' '8443'
mihomo.@sniff[1].overwrite_dest='1'
mihomo.@sniff[2]=sniff
mihomo.@sniff[2].enabled='1'
mihomo.@sniff[2].protocol='QUIC'
mihomo.@sniff[2].port='443' '8443'
mihomo.@sniff[2].overwrite_dest='1'
mihomo.editor=editor
mihomo.log=log
```
morytyann commented 2 months ago

Run `service mihomo restart` and see what error it gives? It was fine when I tested; maybe the package I gave you wasn't the latest...

swzs2018 commented 2 months ago
Error log from `service mihomo restart`

```
root@OpenWrt:~# service mihomo restart
Error: syntax error, options must be specified before commands
nft -f /etc/mihomo/nftables/hijack.nft -D FW_MARK=0x80 FW_MARK_MASK=0xFF -D TUN_DEVICE=tun -D MIHOMO_USER=mihomo -D TPROXY_PORT=7892 -D DNS_PORT=1053
                                       ^  ~~
Error: No such file or directory
add element inet mihomo dns_hijack_nfproto { ipv4 }
                 ^^^^^^
Error: No such file or directory
add element inet mihomo proxy_nfproto { ipv4 }
                 ^^^^^^
Error: No such file or directory
add element inet mihomo fake_ip { 198.18.0.1/16 }
                 ^^^^^^
Error: No such file or directory
add element inet mihomo acl_dport { tcp . 1-65535 }
                 ^^^^^^
Error: No such file or directory
add element inet mihomo acl_dport { udp . 1-65535 }
                 ^^^^^^
Error: No such file or directory
add element inet mihomo wan_ip { }
                 ^^^^^^
Error: No such file or directory; did you mean table ‘fw4’ in family inet?
add rule inet mihomo nat_output jump router_dns_hijack
              ^^^^^^
Error: No such file or directory; did you mean table ‘fw4’ in family inet?
add rule inet mihomo mangle_output jump router_reroute
              ^^^^^^
Error: No such file or directory; did you mean table ‘fw4’ in family inet?
add rule inet mihomo dstnat jump all_dns_hijack
              ^^^^^^
Error: No such file or directory; did you mean table ‘fw4’ in family inet?
add rule inet mihomo mangle_prerouting jump all_tproxy
              ^^^^^^
```

morytyann commented 2 months ago

Yeah, the package I gave you wasn't the latest; I'll rebuild one shortly.

morytyann commented 2 months ago

mihomo.zip, give it a try

swzs2018 commented 2 months ago

🆒🆒 This time it seems to work

Now the connections page in the dashboard shows traffic normally, and domain sniffing works too.

curl on the router itself works, the LAN transparent proxy works, and bypassing mainland China IPs looks fine as well.

morytyann commented 2 months ago

Is mwan3 working normally?

swzs2018 commented 2 months ago

So far it seems to be working normally; multi-WAN inbound has no problems.

swzs2018 commented 2 months ago

I did some additional testing. Now, after starting mihomo, the proxy works as long as I don't change the mwan3 configuration. But if I modify the mwan3 configuration and apply it (roughly equivalent to `service mwan3 restart`?), the proxy stops working; after manually restarting mihomo, the proxy comes back.

morytyann commented 2 months ago

This should be caused by the ordering of the ip rules. I could just assign a higher priority manually, but that isn't elegant... let me think about how to handle it.

morytyann commented 2 months ago

For now I've manually set the priority to 1024; that shouldn't cause any major problems. The build is ready, give it a try.
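
The script below is an added diagnostic example for this thread, not code from OpenWrt-mihomo or from either participant. It covers two points raised above: the `nft` invocation in the `service mihomo restart` log, where the `-D` defines came after `-f` and `FW_MARK_MASK=0xFF` was missing its own `-D`, and the ip-rule ordering behind the breakage after a mwan3 restart. My reading of that breakage, not stated in the thread: mwan3's MARK targets write bits inside mask 0x3f00 (visible in the `nft list table ip mangle` dump) onto the same packet that mihomo has already marked with FW_MARK 0x80/0xFF, so if a mwan3 `fwmark .../0x3f00 lookup N` rule is evaluated before mihomo's `fwmark 0x80/0xff` rule, the TPROXY'd packet is routed by mwan3's WAN table instead of being delivered locally. Values from the thread: FW_MARK, FW_MARK_MASK, TUN_DEVICE, MIHOMO_USER, TPROXY_PORT, DNS_PORT, mask 0x3f00, and pref 1024 from 1.7.0. Assumed: mwan3's fwmark rules at pref 2001, an `iif eth0` rule at 1001, mihomo's policy-routing table number 100, and the `ip rule show` samples, which are constructed.

```shell
#!/bin/sh
# Added example, not OpenWrt-mihomo code. Two checks for the failure modes
# in this thread, run against constructed `ip rule show` samples (replace
# them with the real command output on the router).
#
# From the thread: FW_MARK=0x80, FW_MARK_MASK=0xff, TPROXY_PORT=7892,
# DNS_PORT=1053, mihomo rule pref 1024 (1.7.0), mwan3 mark mask 0x3f00.
# ASSUMED: mwan3's fwmark rules at pref 2001, mihomo's route table is 100.

FW_MARK=0x80
FW_MARK_MASK=0xff
TUN_DEVICE=tun
MIHOMO_USER=mihomo
TPROXY_PORT=7892
DNS_PORT=1053
MWAN3_MASK=0x3f00

# (1) nft parses options before commands, so every -D must precede -f FILE,
# and every define needs its own -D. The restart log above did neither:
# "nft -f hijack.nft -D FW_MARK=0x80 FW_MARK_MASK=0xFF ...".
mihomo_nft_cmd() {
    printf 'nft -D FW_MARK=%s -D FW_MARK_MASK=%s -D TUN_DEVICE=%s -D MIHOMO_USER=%s -D TPROXY_PORT=%s -D DNS_PORT=%s -f %s\n' \
        "$FW_MARK" "$FW_MARK_MASK" "$TUN_DEVICE" "$MIHOMO_USER" \
        "$TPROXY_PORT" "$DNS_PORT" "$1"
}

# (2a) Two fwmark masks must not share bits, or one MARK target clobbers
# the other. Returns 0 (true) when they overlap.
marks_overlap() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# (2b) Pref of mihomo's "fwmark 0x80/0xff lookup ..." rule, read from
# `ip rule show` on stdin (ip prints marks in lowercase hex).
mihomo_rule_pref() {
    awk -v mark="$FW_MARK/$FW_MARK_MASK" '
        index(tolower($0), "fwmark " tolower(mark) " ") {
            sub(/:$/, "", $1); print $1; exit
        }'
}

# Lowest pref of any rule that matches on mwan3's mark bits (mask 0x3f00).
mwan3_min_pref() {
    awk -v mask="$MWAN3_MASK" '
        index(tolower($0), "fwmark ") && index(tolower($0), "/" tolower(mask)) {
            sub(/:$/, "", $1); p = $1 + 0
            if (min == "" || p < min) min = p
        }
        END { if (min != "") print min }'
}

# mwan3's MARK writes bits in 0x3f00 onto the packet mihomo marked 0x80.
# If a mwan3 "fwmark .../0x3f00 lookup N" rule is evaluated first, the
# TPROXY'd packet takes mwan3's WAN table instead of the local delivery
# route. Returns 0 when mihomo's rule is evaluated before every such rule.
tproxy_rule_wins() {
    m=$(printf '%s\n' "$1" | mihomo_rule_pref)
    w=$(printf '%s\n' "$1" | mwan3_min_pref)
    [ -n "$m" ] || return 1            # no mihomo rule at all
    [ -z "$w" ] || [ "$m" -lt "$w" ]
}

# Constructed sample of the broken state: mihomo's rule sits behind mwan3's.
RULES_BROKEN='0:      from all lookup local
1001:   from all iif eth0 lookup 1
2001:   from all fwmark 0x100/0x3f00 lookup 1
32765:  from all fwmark 0x80/0xff lookup 100
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample of the 1.7.0 state: mihomo pins its rule at pref 1024.
RULES_FIXED='0:      from all lookup local
1001:   from all iif eth0 lookup 1
1024:   from all fwmark 0x80/0xff lookup 100
2001:   from all fwmark 0x100/0x3f00 lookup 1
32766:  from all lookup main
32767:  from all lookup default'

# Stand-alone demo; on a router use: tproxy_rule_wins "$(ip rule show)"
mihomo_nft_cmd /etc/mihomo/nftables/hijack.nft
for sample in "$RULES_BROKEN" "$RULES_FIXED"; do
    if tproxy_rule_wins "$sample"; then
        echo "OK: mihomo fwmark rule precedes mwan3's fwmark rules"
    else
        echo "BROKEN: a mwan3 fwmark rule is evaluated first; pin mihomo's pref or restart mihomo"
    fi
done
```

Run it on the router with `ip rule show` substituted for the samples after every mwan3 config change; if the broken branch fires while mihomo is still running, the table is intact and only the rule order moved, which matches the "restart mihomo and it recovers" symptom above.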

morytyann commented 2 months ago

Merged into main and released as 1.7.0. Closing this issue for now; please reopen if there are still problems.