vernesong / OpenClash

A Clash Client For OpenWrt
MIT License
16.55k stars 3.06k forks

0.41.x cannot reach the remote NAS: the DDNS-resolved domain can be pinged, but it cannot be reached once a port number is appended; it worked before and stopped after upgrading OpenClash #1090

Closed icucuio closed 3 years ago

icucuio commented 3 years ago

0.41.x cannot reach the remote NAS. The domain resolved by DDNS can be pinged, but accessing the NAS with the port number appended fails. It worked before and stopped after upgrading OpenClash. Could it be that the port forwarding is no longer taking effect? How should it be set up? Asking the experts for help.

vernesong commented 3 years ago

Can you access it without TUN?

icucuio commented 3 years ago

> Can you access it without TUN?

I have never used TUN mode; I have always used fake-ip.

vernesong commented 3 years ago

How is the port forwarding set up?

icucuio commented 3 years ago

> How is the port forwarding set up?

I am using a software router; it is set up under Firewall -> Port Forwards. None of the three in the screenshot can be reached remotely any more.

[image]

icucuio commented 3 years ago

> How is the port forwarding set up?

Also, I found that I can no longer access the database on my home server either; everything has stopped working, as long as it is a port-forwarded service.

vernesong commented 3 years ago

Post the debug log; let me look at the firewall.

icucuio commented 3 years ago

> Post the debug log; let me look at the firewall.

I am still on 41.06.

===================== 防火墙设置 =====================

NAT chain

```
# Generated by iptables-save v1.8.4 on Sat Dec 19 10:13:26 2020
*nat
:PREROUTING ACCEPT [5294:1403618]
:INPUT ACCEPT [6154:1458310]
:OUTPUT ACCEPT [3548:235064]
:POSTROUTING ACCEPT [3650:243200]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -j REDIRECT --to-ports 7892
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth3 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth3 -m comment --comment "!fw3" -j zone_wan_postrouting
-A MINIUPNPD -p tcp -m tcp --dport 8096 -j DNAT --to-destination 192.168.2.19:8096
-A MINIUPNPD -p tcp -m tcp --dport 8920 -j DNAT --to-destination 192.168.2.19:8920
-A MINIUPNPD -p tcp -m tcp --dport 38888 -j DNAT --to-destination 192.168.2.110:38888
-A MINIUPNPD -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.2.19:51413
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 2222 -j RETURN
-A openclash_output -p tcp -m tcp --sport 4500 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1701 -j RETURN
-A openclash_output -p tcp -m tcp --sport 500 -j RETURN
-A openclash_output -p tcp -m tcp --sport 9091 -j RETURN
-A openclash_output -p tcp -m tcp --sport 3306 -j RETURN
-A openclash_output -p tcp -m tcp --sport 8444 -j RETURN
-A openclash_output -p tcp -m tcp --sport 5000 -j RETURN
-A openclash_output -p tcp -m tcp --sport 5010 -j RETURN
-A openclash_output -p tcp -m tcp --sport 3307 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -m multiport --dports 80,443 -j REDIRECT --to-ports 7892
-A openclash_output -d 198.18.0.0/16 -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 3307 -m comment --comment "!fw3: ts_pro" -j DNAT --to-destination 192.168.2.16:3307
-A zone_wan_prerouting -p udp -m udp --dport 3307 -m comment --comment "!fw3: ts_pro" -j DNAT --to-destination 192.168.2.16:3307
-A zone_wan_prerouting -p tcp -m tcp --dport 5010 -m comment --comment "!fw3: 918+" -j DNAT --to-destination 192.168.2.19:5000
-A zone_wan_prerouting -p udp -m udp --dport 5010 -m comment --comment "!fw3: 918+" -j DNAT --to-destination 192.168.2.19:5000
-A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: 3617+" -j DNAT --to-destination 192.168.2.16:5000
-A zone_wan_prerouting -p udp -m udp --dport 5000 -m comment --comment "!fw3: 3617+" -j DNAT --to-destination 192.168.2.16:5000
-A zone_wan_prerouting -p tcp -m tcp --dport 8444 -m comment --comment "!fw3: LEDE" -j DNAT --to-destination 192.168.2.22:80
-A zone_wan_prerouting -p udp -m udp --dport 8444 -m comment --comment "!fw3: LEDE" -j DNAT --to-destination 192.168.2.22:80
-A zone_wan_prerouting -p tcp -m tcp --dport 3306 -m comment --comment "!fw3: mysql_Centos" -j DNAT --to-destination 192.168.2.61:3306
-A zone_wan_prerouting -p udp -m udp --dport 3306 -m comment --comment "!fw3: mysql_Centos" -j DNAT --to-destination 192.168.2.61:3306
-A zone_wan_prerouting -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: Trans" -j DNAT --to-destination 192.168.2.19:9091
-A zone_wan_prerouting -p udp -m udp --dport 9091 -m comment --comment "!fw3: Trans" -j DNAT --to-destination 192.168.2.19:9091
-A zone_wan_prerouting -p udp -m udp --dport 500 -m comment --comment "!fw3: vpn" -j DNAT --to-destination 192.168.2.22:500
-A zone_wan_prerouting -p udp -m udp --dport 1701 -m comment --comment "!fw3: vpn2" -j DNAT --to-destination 192.168.2.22:1701
-A zone_wan_prerouting -p udp -m udp --dport 4500 -m comment --comment "!fw3: vpn3" -j DNAT --to-destination 192.168.2.22:4500
-A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: 3617ssh" -j DNAT --to-destination 192.168.2.16:22
-A zone_wan_prerouting -p udp -m udp --dport 2222 -m comment --comment "!fw3: 3617ssh" -j DNAT --to-destination 192.168.2.16:22
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Sat Dec 19 10:13:26 2020
```

Mangle chain

```
# Generated by iptables-save v1.8.4 on Sat Dec 19 10:13:26 2020
*mangle
:PREROUTING ACCEPT [9746183:2056605162]
:INPUT ACCEPT [9733222:2055691212]
:FORWARD ACCEPT [8674:629117]
:OUTPUT ACCEPT [1471108:1725248276]
:POSTROUTING ACCEPT [1479925:1725882268]
:openclash - [0:0]
-A PREROUTING -p udp -j openclash
-A FORWARD -o eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 546 -j RETURN
-A openclash -p udp -m udp --dport 68 -j RETURN
-A openclash -p udp -m udp --dport 2222 -j RETURN
-A openclash -p udp -m udp --dport 4500 -j RETURN
-A openclash -p udp -m udp --dport 1701 -j RETURN
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 9091 -j RETURN
-A openclash -p udp -m udp --dport 3306 -j RETURN
-A openclash -p udp -m udp --dport 8444 -j RETURN
-A openclash -p udp -m udp --dport 5000 -j RETURN
-A openclash -p udp -m udp --dport 5010 -j RETURN
-A openclash -p udp -m udp --dport 3307 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p udp -j TPROXY --on-port 7892 --on-ip 0.0.0.0 --tproxy-mark 0x162/0xffffffff
COMMIT
# Completed on Sat Dec 19 10:13:26 2020
```

===================== 路由表状态 =====================

route -n

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         218.67.200.1    0.0.0.0         UG    0      0        0 pppoe-wan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
218.67.200.1    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
```

ip route list

```
default via 218.67.200.1 dev pppoe-wan proto static
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.22
218.67.200.1 dev pppoe-wan proto kernel scope link src 218.67.200.202
```

ip rule show

```
0:      from all lookup local
32765:  from all fwmark 0x162 lookup 354
32766:  from all lookup main
32767:  from all lookup default
```

===================== 端口占用状态 =====================

```
tcp        0      0 :::9090                 :::*                    LISTEN      5311/clash
tcp        0      0 :::7890                 :::*                    LISTEN      5311/clash
tcp        0      0 :::7891                 :::*                    LISTEN      5311/clash
tcp        0      0 :::7892                 :::*                    LISTEN      5311/clash
tcp        0      0 :::7893                 :::*                    LISTEN      5311/clash
udp        0      0 127.0.0.1:7874          0.0.0.0:*                           5311/clash
udp        0      0 :::7891                 :::*                                5311/clash
udp        0      0 :::7893                 :::*                                5311/clash
```

===================== 测试本机DNS查询 =====================

```
Name:      www.baidu.com
Address 1: 198.18.0.115
```

===================== resolv.conf.d =====================

```
# Interface wan
nameserver 202.99.96.68
nameserver 202.99.104.68
# Interface wan_6
nameserver 2408:8888::8
nameserver 2408:8899::8
```

===================== 测试本机网络连接 =====================

```
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Sat, 19 Dec 2020 02:13:26 GMT
Etag: "575e1f59-115"
Last-Modified: Mon, 13 Jun 2016 02:50:01 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
```

===================== 测试本机网络下载 =====================

```
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "33c36ed38bf2bbff48044ad63384b1a4691a9ecb40971ea14e276f4934e59138"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Via: 1.1 varnish (Varnish/6.0), 1.1 varnish
X-GitHub-Request-Id: 9706:3D38:534E91:5DE3DA:5FDCFC31
Accept-Ranges: bytes
Date: Sat, 19 Dec 2020 02:13:26 GMT
X-Served-By: cache-hkg17923-HKG
X-Cache: HIT, HIT
X-Cache-Hits: 2, 1
X-Timer: S1608344007.607678,VS0,VE0
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: c1a71ad3db3a5504b51d0014b6f1c637b08c71d3
Expires: Sat, 19 Dec 2020 02:18:26 GMT
Source-Age: 234
```

icucuio commented 3 years ago

> How is the port forwarding set up?

Boss, have you had a look?

vernesong commented 3 years ago

The settings are fine. I can only guess that the traffic is going through the proxy, or that the DDNS resolves to the proxy IP.

icucuio commented 3 years ago

> The settings are fine. I can only guess that the traffic is going through the proxy, or that the DDNS resolves to the proxy IP.

Boss, then how do I configure it so that a host with a specified IP address does not go through the proxy? Sorry to trouble you, please guide me. This has really bothered me for two weeks; I cannot use it right now and I am very anxious.

icucuio commented 3 years ago

> The settings are fine. I can only guess that the traffic is going through the proxy, or that the DDNS resolves to the proxy IP.

I checked, and the address the DDNS resolves to is the correct WAN IP, so that part is fine; it should be the first possibility.

vernesong commented 3 years ago

[image]

icucuio commented 3 years ago

> The settings are fine. I can only guess that the traffic is going through the proxy, or that the DDNS resolves to the proxy IP.

Boss, I am using an Xpenology (unofficial Synology) box. My domain resolves to the correct WAN IP, so it should be a port forwarding problem. Where is the setting shown below located? Can you tell me the path?

icucuio commented 3 years ago

Have a look, it all used to work before.

[image] [image]

vernesong commented 3 years ago

> The settings are fine. I can only guess that the traffic is going through the proxy, or that the DDNS resolves to the proxy IP.
>
> Boss, I am using an Xpenology (unofficial Synology) box. My domain resolves to the correct WAN IP,
>
> so it should be a port forwarding problem.
>
> Where is the setting shown below located? Can you tell me the path?

Custom rules. You need to open the control panel and check whether any Synology connections are going through the proxy.

icucuio commented 3 years ago

> > The settings are fine. I can only guess that the traffic is going through the proxy, or that the DDNS resolves to the proxy IP.
> >
> > Boss, I am using an Xpenology (unofficial Synology) box. My domain resolves to the correct WAN IP, so it should be a port forwarding problem. Where is the setting shown below located? Can you tell me the path?
>
> Custom rules. You need to open the control panel and check whether any Synology connections are going through the proxy.

Boss, is this what going through the proxy looks like? But the catch-all Match rule (漏网之鱼) is set to DIRECT, so where should I change it? [image]

vernesong commented 3 years ago

Just set the NAS to go direct in the redir access control. Because of NAT, connections that leave through clash all look, from the outside, as if they were sent from the router's address, which can cause connection errors.
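The following is an added example, not code from the issue or from OpenClash: a small Python simulation of the nat PREROUTING path, fed a trimmed excerpt of the iptables-save dump posted above. It walks the chains the way the kernel does (user chains, RETURN, terminating DNAT/REDIRECT) and shows why a port forward arriving on the WAN interface still works, why a LAN client that resolves the DDNS name to a fake-ip address (the DNS test in the log shows 198.18.x.x answers) lands in clash on port 7892 instead of reaching the NAS, and what the "let the NAS go direct" entry the maintainer suggests changes. The contents of the localnetwork ipset (192.168.2.0/24 and loopback), the sample client and public addresses (203.0.113.10, 192.168.2.50), and the shape of the bypass rule (a RETURN on the NAS source IP at the top of the openclash chain) are my assumptions, not taken from the issue.

```python
"""Simulate the nat PREROUTING path of the iptables-save dump posted in this
issue.  Added example, not OpenClash code; ipset contents, sample addresses
and the shape of the bypass rule are assumptions."""
import ipaddress
import shlex

# Constructed excerpt of the posted nat table: the fw3 port forwards that
# matter for the NAS plus the openclash chain, in the original order.
NAT_DUMP = """\
:PREROUTING ACCEPT [0:0]
:openclash - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth3 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -p tcp -j openclash
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A zone_wan_prerouting -p tcp -m tcp --dport 5010 -m comment --comment "!fw3: 918+" -j DNAT --to-destination 192.168.2.19:5000
-A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: 3617+" -j DNAT --to-destination 192.168.2.16:5000
"""
# Assumption: the "localnetwork" ipset holds the LAN and loopback ranges.
LOCALNETWORK = [ipaddress.ip_network(n) for n in ("192.168.2.0/24", "127.0.0.0/8")]
TERMINATING = ("DNAT", "REDIRECT", "ACCEPT")


def parse(dump):
    """{chain: [rule, ...]} in append order; only -s -d -i -p --dport,
    the set match and the target are modelled."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, i = {"match": {}, "target": None, "arg": None}, 2
            while i < len(toks):
                t = toks[i]
                if t in ("-s", "-d"):
                    rule["match"][t] = ipaddress.ip_network(toks[i + 1]); i += 2
                elif t in ("-i", "-p", "--dport"):
                    rule["match"][t] = toks[i + 1]; i += 2
                elif t == "--match-set":
                    rule["match"]["set"] = (toks[i + 1], toks[i + 2]); i += 3
                elif t == "-j":
                    rule["target"] = toks[i + 1]; i += 2
                elif t in ("--to-destination", "--to-ports"):
                    rule["arg"] = toks[i + 1]; i += 2
                else:
                    i += 1  # -m tcp, -m comment "...": nothing to model
            chains.setdefault(toks[1], []).append(rule)
    return chains


def matches(rule, pkt):
    m = rule["match"]
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if ("-s" in m and src not in m["-s"]) or ("-d" in m and dst not in m["-d"]):
        return False
    if m.get("-i", pkt["iif"]) != pkt["iif"] or m.get("-p", pkt["proto"]) != pkt["proto"]:
        return False
    if "--dport" in m and int(m["--dport"]) != pkt["dport"]:
        return False
    if "set" in m:  # only the localnetwork set is modelled
        name, side = m["set"]
        addr = dst if side == "dst" else src
        if name != "localnetwork" or not any(addr in n for n in LOCALNETWORK):
            return False
    return True


def walk(chains, chain, pkt):
    """Traverse one chain like the kernel: a terminating target ends the
    traversal, RETURN hands control back, and a user chain that returns or
    runs out lets the caller continue with its next rule."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt == "RETURN":
            return "RETURN"
        if tgt in TERMINATING:
            return (tgt, rule["arg"])
        if tgt in chains:
            res = walk(chains, tgt, pkt)
            if isinstance(res, tuple):
                return res
    return None


def nat_decision(dump, pkt):
    """(target, argument) of the first terminating NAT rule the packet hits,
    or ('ACCEPT', None) when it falls through to the chain policy (no NAT)."""
    res = walk(parse(dump), "PREROUTING", pkt)
    return res if isinstance(res, tuple) else ("ACCEPT", None)


def with_source_bypass(dump, src_ip):
    """Insert a RETURN for src_ip at the top of the openclash chain, i.e. what
    `iptables -t nat -I openclash -s IP -j RETURN` would add.  Assumed shape of
    the 'NAS goes direct' access-control entry, not taken from the issue."""
    lines = dump.splitlines()
    first = next(i for i, l in enumerate(lines) if l.startswith("-A openclash "))
    lines.insert(first, f"-A openclash -s {src_ip}/32 -j RETURN")
    return "\n".join(lines) + "\n"


def packet(src, dst, iif, dport):
    return {"src": src, "dst": dst, "iif": iif, "proto": "tcp", "dport": dport}


if __name__ == "__main__":
    # 203.0.113.10 / 192.168.2.50 are constructed; 198.18.0.115 is the fake-ip
    # the DNS test in the log returned, standing in for the DDNS name here.
    bypassed = with_source_bypass(NAT_DUMP, "192.168.2.19")
    for name, dump, p in (
        ("remote -> WAN:5000 (port forward)", NAT_DUMP, packet("203.0.113.10", "218.67.200.202", "eth3", 5000)),
        ("LAN client -> DDNS name (fake-ip):5000", NAT_DUMP, packet("192.168.2.50", "198.18.0.115", "br-lan", 5000)),
        ("LAN client -> NAS LAN IP:5000", NAT_DUMP, packet("192.168.2.50", "192.168.2.19", "br-lan", 5000)),
        ("NAS -> internet:443", NAT_DUMP, packet("192.168.2.19", "203.0.113.10", "br-lan", 443)),
        ("NAS -> internet:443, NAS bypassed", bypassed, packet("192.168.2.19", "203.0.113.10", "br-lan", 443)),
    ):
        print(f"{name:40s} {nat_decision(dump, p)}")
```

The contrast between the second and third cases is the diagnostic the thread is circling: reaching the NAS by its LAN IP hits the localnetwork RETURN and is left alone, while reaching it by the DDNS name under fake-ip yields a 198.18.0.0/16 destination that nothing excludes, so the connection is handed to clash and leaves with the router (or proxy) as its apparent source. The last two cases show that the source-IP bypass changes the NAS's own outbound path, which is what the maintainer's "let the NAS go direct" advice addresses; the WAN-side DNAT in the first case is unaffected either way because it fires before the jump into openclash.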

icucuio commented 3 years ago

> Just set the NAS to go direct in the redir access control. Because of NAT, connections that leave through clash all look, from the outside, as if they were sent from the router's address, which can cause connection errors.

Boss, one last question: how do I "set the NAS to go direct in the redir access control"? Once that is solved it should be fine, and I will close the issue.

ksong008 commented 3 years ago