vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

[Bug] Initial connection and SSL often take as long as 10s #2767

Closed ChrisKimZHT closed 1 year ago

ChrisKimZHT commented 2 years ago

Verify Steps

OpenClash Version

v0.45.59-beta

Bug on Environment

Official OpenWrt

Bug on Platform

Linux-mipsle-softfloat

To Reproduce

After restarting the browser, open a foreign website such as Google or GitHub for the first time.

Describe the Bug

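On the first visit, the Initial connection and SSL times often reach 10s+. The page stays stuck on a blank white screen for a long time, which badly hurts the browsing experience.

When the site is opened a second time without the browser having been closed, it responds very quickly and everything is normal.

Screenshots from the F12 developer tools are in the screenshot section below.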

OpenClash Log

OpenClash 调试日志

生成时间: 2022-10-25 22:26:44 插件版本: 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息


#===================== 系统信息 =====================#

主机型号: Xiaomi Mi Router CR660x
固件版本: OpenWrt SNAPSHOT r4458-ad34521be
LuCI版本: git-22.103.65959-d9db1b0-1
内核版本: 5.4.188
处理器架构: mipsel_24kc

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server

#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 未安装
coreutils: 已安装
coreutils-nohup: 未安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
kmod-ipt-nat: 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
进程pid: 1319
运行权限: 1319: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-mipsle-softfloat

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2022.08.26-3-ge16bdd2
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.11.8-3-g4f291fa
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g9b89ff9
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/MieLink-01.yaml
启动配置文件: /etc/openclash/MieLink-01.yaml
运行模式: redir-host
默认代理模式: rule
UDP流量转发(tproxy): 启用
DNS劫持: 启用
自定义DNS: 停用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
DNS远程解析: 启用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 配置文件 =====================#

mixed-port: 7893
redir-port: 7892
allow-lan: true
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:7874
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  default-nameserver:
  - 119.29.29.29
  - 119.28.28.28
  - 1.0.0.1
  - 208.67.222.222
  - 1.2.4.8
  nameserver:
  - https://dns.alidns.com/dns-query
  - https://1.1.1.1/dns-query
  - tls://dns.adguard.com:853
  fallback:
  - tls://223.5.5.5:853
  - https://223.5.5.5/dns-query
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
    - 240.0.0.0/4
  fake-ip-filter:
  - "+.*"
proxy-groups:
(removed)
rule-providers:
  IPfake:
    type: http
    behavior: classical
    url: https://raw.fastgit.org/lwd-temp/anti-ip-attribution/main/generated/rule-provider.yaml
    path: "./rule_provider/IPfake.yaml"
    interval: 259200
  BiliBili:
    type: http
    behavior: classical
    url: https://raw.fastgit.org/blackmatrix7/ios_rule_script/master/rule/Clash/BiliBili/BiliBili.yaml
    path: "./rule_provider/bilibili.yaml"
    interval: 259200
  Disney:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script/rule/Clash/Disney/Disney.yaml
    path: "./rule_provider/Disney.yaml"
    interval: 259200
  Netflix:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script/rule/Clash/Netflix/Netflix.yaml
    path: "./rule_provider/Netflix.yaml"
    interval: 259200
  TikTok:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script/rule/Clash/TikTok/TikTok.yaml
    path: "./rule_provider/TikTok.yaml"
    interval: 259200
  YouTube:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script@master/rule/Clash/YouTube/YouTube.yaml
    path: "./rule_provider/YouTube.yaml"
    interval: 259200
  Telegram:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script/rule/Clash/Telegram/Telegram.yaml
    path: "./rule_provider/Telegram.yaml"
    interval: 259200
  Emby:
    type: http
    behavior: classical
    url: https://raw.fastgit.org/justdoiting/emby-rules/main/Emby.yaml
    path: "./rule_provider/Emby.yaml"
    interval: 259200
  Game:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script/rule/Clash/Game/Game.yaml
    path: "./rule_provider/Game.yaml"
    interval: 259200
  BanEasyPrivacy:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script@master/rule/Clash/Privacy/Privacy_Classical.yaml
    path: "./rule_provider/BanEasyPrivacy.yaml"
    interval: 259200
  Advertising:
    type: http
    behavior: classical
    url: https://ghproxy.com/https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Clash/AdvertisingLite/AdvertisingLite_Classical.yaml
    path: "./rule_provider/Advertising.yaml"
    interval: 259200
  Download:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script/rule/Clash/Download/Download.yaml
    path: "./rule_provider/Download.yaml"
    interval: 259200
  PrivateTracker:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script@master/rule/Clash/PrivateTracker/PrivateTracker.yaml
    path: "./rule_provider/PrivateTracker.yaml"
    interval: 259200
  ChinaMax:
    type: http
    behavior: classical
    url: https://ghproxy.com/https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Clash/ChinaMaxNoIP/ChinaMaxNoIP_Classical.yaml
    path: "./rule_provider/ChinaMax.yaml"
    interval: 259200
  Global:
    type: http
    behavior: classical
    url: https://ghproxy.com/https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Clash/Global/Global_Classical.yaml
    path: "./rule_provider/Global.yaml"
    interval: 259200
  Lan:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script/rule/Clash/Lan/Lan.yaml
    path: "./rule_provider/Lan.yaml"
    interval: 259200
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- DOMAIN-SUFFIX,gjfzpt.cn,REJECT
- SRC-IP-CIDR,219.143.187.136/32,REJECT
- "RULE-SET,BiliBili,\U0001F4FA BiliBili"
- "RULE-SET,YouTube,\U0001F3AC YouTube"
- "RULE-SET,Netflix,\U0001F3A5 Netflix"
- "RULE-SET,Disney,\U0001F4F9 Disney+"
- "RULE-SET,TikTok,\U0001F4F7 TikTok"
- "RULE-SET,Emby,\U0001F3BC Emby"
- RULE-SET,Telegram,☎️ 电报消息
- "RULE-SET,Game,\U0001F3AE 游戏平台"
- "RULE-SET,BanEasyPrivacy,\U0001F6E1️ 隐私防护"
- "RULE-SET,Advertising,\U0001F6AB 广告拦截"
- RULE-SET,Download,⏬ 下载平台
- "RULE-SET,PrivateTracker,\U0001F332 BT种子"
- "RULE-SET,IPfake,\U0001F6A9 社交平台IP归属地"
- "RULE-SET,Lan,\U0001F1E8\U0001F1F3 国内流量"
- "RULE-SET,ChinaMax,\U0001F1E8\U0001F1F3 国内流量"
- "RULE-SET,Global,\U0001F680 节点选择"
- "GEOIP,CN,\U0001F1E8\U0001F1F3 国内流量"
- "MATCH,\U0001F41F 漏网之鱼"
tproxy-port: 7895
port: 7890
socks-port: 7891
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
ipv6: false
experimental:
  sniff-tls-sni: true
profile:
  store-selected: true
  store-fake-ip: true
authentication:
- Clash:VL757cvE

#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Tue Oct 25 22:26:53 2022
*nat
:PREROUTING ACCEPT [1678:255840]
:INPUT ACCEPT [1149:91600]
:OUTPUT ACCEPT [2946:206887]
:POSTROUTING ACCEPT [857:54427]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_VPN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_VPN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_VPN_postrouting - [0:0]
:zone_VPN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i ipsec0 -m comment --comment "!fw3" -j zone_VPN_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o ipsec0 -m comment --comment "!fw3" -j zone_VPN_postrouting
-A openclash -p tcp -m tcp --sport 1688 -j RETURN
-A openclash -p tcp -m tcp --sport 1723 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1723 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_VPN_postrouting -m comment --comment "!fw3: Custom VPN postrouting rule chain" -j postrouting_VPN_rule
-A zone_VPN_prerouting -m comment --comment "!fw3: Custom VPN prerouting rule chain" -j prerouting_VPN_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Tue Oct 25 22:26:53 2022

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Tue Oct 25 22:26:53 2022
*mangle
:PREROUTING ACCEPT [304439:294400094]
:INPUT ACCEPT [312781:294933031]
:FORWARD ACCEPT [386:31770]
:OUTPUT ACCEPT [97878:286417939]
:POSTROUTING ACCEPT [98190:286446713]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_rule_https - [0:0]
:mwan3_rules - [0:0]
:openclash - [0:0]
-A PREROUTING -j mwan3_hook
-A PREROUTING -p udp -j openclash
-A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_wan -i wan -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_wan -i wan -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m statistic --mode random --probability 0.25000000000 -m comment --comment "wan 1 4" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rule_https -m mark --mark 0x100/0x3f00 -m set ! --match-set mwan3_sticky_https src,src -j MARK --set-xmark 0x0/0x3f00
-A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rule_https -m mark --mark 0x100/0x3f00 -m set ! --match-set mwan3_sticky_https src,src -j MARK --set-xmark 0x0/0x3f00
-A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j mwan3_policy_balanced
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_https src,src
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_https src,src
-A mwan3_rules -p tcp -m multiport --dports 443 -m mark --mark 0x0/0x3f00 -j mwan3_rule_https
-A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_balanced
-A openclash -p udp -m udp --sport 4500 -j RETURN
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p udp -j TPROXY --on-port 7895 --on-ip 0.0.0.0 --tproxy-mark 0x162/0xffffffff
COMMIT
# Completed on Tue Oct 25 22:26:53 2022

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Tue Oct 25 22:26:54 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:SOCAT - [0:0]
:forwarding_VPN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_VPN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:openclash_wan_input - [0:0]
:output_VPN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_VPN_dest_ACCEPT - [0:0]
:zone_VPN_forward - [0:0]
:zone_VPN_input - [0:0]
:zone_VPN_output - [0:0]
:zone_VPN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i wan -m set ! --match-set localnetwork src -j openclash_wan_input
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -j SOCAT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i ipsec0 -m comment --comment "!fw3" -j zone_VPN_input
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i ipsec0 -m comment --comment "!fw3" -j zone_VPN_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o ipsec0 -m comment --comment "!fw3" -j zone_VPN_output
-A forwarding_rule -i pppoe+ -j RETURN
-A forwarding_rule -o pppoe+ -j RETURN
-A forwarding_rule -i ppp+ -m conntrack --ctstate NEW -j ACCEPT
-A forwarding_rule -o ppp+ -m conntrack --ctstate NEW -j ACCEPT
-A openclash_wan_input -p udp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A openclash_wan_input -p tcp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_VPN_dest_ACCEPT -o ipsec0 -m comment --comment "!fw3" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3: Custom VPN forwarding rule chain" -j forwarding_VPN_rule
-A zone_VPN_forward -m comment --comment "!fw3: Zone VPN to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_VPN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_input -m comment --comment "!fw3: Custom VPN input rule chain" -j input_VPN_rule
-A zone_VPN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_VPN_input -m comment --comment "!fw3" -j zone_VPN_src_ACCEPT
-A zone_VPN_output -m comment --comment "!fw3: Custom VPN output rule chain" -j output_VPN_rule
-A zone_VPN_output -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_src_ACCEPT -i ipsec0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 8118 -m comment --comment "!fw3: adblock" -j DROP
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: ike" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "!fw3: ah" -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "!fw3: esp" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Oct 25 22:26:54 2022

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.7 on Tue Oct 25 22:26:54 2022
*nat
:PREROUTING ACCEPT [580928:70787218]
:INPUT ACCEPT [200759:19011124]
:OUTPUT ACCEPT [649591:51482112]
:POSTROUTING ACCEPT [649591:51482112]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Tue Oct 25 22:26:54 2022

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.7 on Tue Oct 25 22:26:54 2022
*mangle
:PREROUTING ACCEPT [604055:77596816]
:INPUT ACCEPT [374120:52813261]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [704877:77605193]
:POSTROUTING ACCEPT [704877:77605193]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_rule_https - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j RETURN
-A mwan3_hook -p ipv6-icmp -m set --match-set mwan3_source_v6 src -m icmp6 --icmpv6-type 128 -j RETURN
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j mwan3_policy_balanced
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_https src,src
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_https src,src
-A mwan3_rules -p tcp -m multiport --dports 443 -m mark --mark 0x0/0x3f00 -j mwan3_rule_https
-A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_balanced
COMMIT
# Completed on Tue Oct 25 22:26:54 2022

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.7 on Tue Oct 25 22:26:54 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:SOCAT - [0:0]
:forwarding_VPN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_VPN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_VPN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_VPN_dest_ACCEPT - [0:0]
:zone_VPN_forward - [0:0]
:zone_VPN_input - [0:0]
:zone_VPN_output - [0:0]
:zone_VPN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j SOCAT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i ipsec0 -m comment --comment "!fw3" -j zone_VPN_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i ipsec0 -m comment --comment "!fw3" -j zone_VPN_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o ipsec0 -m comment --comment "!fw3" -j zone_VPN_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_VPN_dest_ACCEPT -o ipsec0 -m comment --comment "!fw3" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3: Custom VPN forwarding rule chain" -j forwarding_VPN_rule
-A zone_VPN_forward -m comment --comment "!fw3: Zone VPN to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_input -m comment --comment "!fw3: Custom VPN input rule chain" -j input_VPN_rule
-A zone_VPN_input -m comment --comment "!fw3" -j zone_VPN_src_ACCEPT
-A zone_VPN_output -m comment --comment "!fw3: Custom VPN output rule chain" -j output_VPN_rule
-A zone_VPN_output -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_src_ACCEPT -i ipsec0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 8118 -m comment --comment "!fw3: adblock" -j DROP
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: ike" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "!fw3: ah" -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "!fw3: esp" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Oct 25 22:26:54 2022

#===================== IPSET状态 =====================#

Name: cn
Name: ct
Name: cnc
Name: cmcc
Name: crtc
Name: cernet
Name: gwbn
Name: othernet
Name: music
Name: mwan3_connected_v4
Name: mwan3_connected_v6
Name: mwan3_source_v6
Name: mwan3_dynamic_v4
Name: mwan3_dynamic_v6
Name: mwan3_custom_v4
Name: mwan3_custom_v6
Name: mwan3_sticky_v4_https
Name: mwan3_sticky_v6_https
Name: china_ip_route
Name: china_ip_route_pass
Name: localnetwork
Name: mwan3_connected
Name: mwan3_sticky_https

#===================== 路由表状态 =====================#

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.142.127.254  0.0.0.0         UG    0      0        0 wan
10.142.64.0     0.0.0.0         255.255.192.0   U     0      0        0 wan
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
#ip route list
default via 10.142.127.254 dev wan proto static src 10.142.89.9 
10.142.64.0/18 dev wan proto kernel scope link src 10.142.89.9 
192.168.6.0/24 dev br-lan proto kernel scope link src 192.168.6.1 
#ip rule show
0:  from all lookup local
1000:   from all fwmark 0x162 lookup 354
1001:   from all iif wan lookup 1
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

#===================== 端口占用状态 =====================#

tcp        0      0 :::7890                 :::*                    LISTEN      1319/clash
tcp        0      0 :::7891                 :::*                    LISTEN      1319/clash
tcp        0      0 :::7892                 :::*                    LISTEN      1319/clash
tcp        0      0 :::7893                 :::*                    LISTEN      1319/clash
tcp        0      0 :::7895                 :::*                    LISTEN      1319/clash
tcp        0      0 :::9090                 :::*                    LISTEN      1319/clash
udp        0      0 :::33577                :::*                                1319/clash
udp        0      0 :::38976                :::*                                1319/clash
udp        0      0 :::59222                :::*                                1319/clash
udp        0      0 :::7874                 :::*                                1319/clash
udp        0      0 :::7891                 :::*                                1319/clash
udp        0      0 :::7892                 :::*                                1319/clash
udp        0      0 :::7893                 :::*                                1319/clash
udp        0      0 :::7895                 :::*                                1319/clash
udp        0      0 :::38664                :::*                                1319/clash

#===================== 测试本机DNS查询 =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 110.242.68.3
Name:   www.a.shifen.com
Address: 110.242.68.4

#===================== resolv.conf.d =====================#

# Interface wan
nameserver 202.114.49.196
nameserver 202.114.49.206

#===================== 测试本机网络连接 =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Tue, 25 Oct 2022 14:26:56 GMT
Etag: "575e1f59-115"
Last-Modified: Mon, 13 Jun 2016 02:50:01 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

#===================== 测试本机网络下载 =====================#

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "2029903a78e28a153a9b66d7703becf3af8289a6d59c52df3ce372b71c91b840"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 0805:2DF7:E7F43:15D5F6:63576526
Accept-Ranges: bytes
Date: Tue, 25 Oct 2022 14:27:01 GMT
Via: 1.1 varnish
X-Served-By: cache-hkg17922-HKG
X-Cache: HIT
X-Cache-Hits: 44
X-Timer: S1666708021.393868,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 30f81e4b5337372fef6cc751a32277cf34c09348
Expires: Tue, 25 Oct 2022 14:32:01 GMT
Source-Age: 52

#===================== 最近运行日志 =====================#

(removed)
14:09:48 INF [Config] initial rule provider name=IPfake
14:09:48 INF [Config] initial rule provider name=Netflix
14:09:48 INF [Config] initial rule provider name=YouTube
14:09:48 INF [Config] initial rule provider name=Global
2022-10-25 22:09:51 Step 6: Wait For The File Downloading...
14:09:51 INF [Config] initial rule provider name=BiliBili
14:09:51 INF [Config] initial rule provider name=Disney
14:09:52 INF [Config] initial rule provider name=Advertising
14:09:56 INF [Config] initial rule provider name=TikTok
14:09:56 INF [Config] initial rule provider name=Telegram
14:09:56 INF [Config] initial rule provider name=Emby
14:09:56 INF [Config] initial rule provider name=PrivateTracker
14:09:56 INF [Config] initial rule provider name=Lan
14:09:56 INF [Config] initial rule provider name=BanEasyPrivacy
14:09:59 INF [Config] initial rule provider name=Download
14:09:59 INF [Config] initial rule provider name=Game
14:09:59 INF [Config] initial rule provider name=ChinaMax
2022-10-25 22:10:43 Step 7: Set Firewall Rules...
2022-10-25 22:10:45 Step 8: Restart Dnsmasq...
2022-10-25 22:10:50 Step 9: Add Cron Rules, Start Daemons...
2022-10-25 22:10:50 Warning: OpenClash Start Successful, Please Note That Network May Abnormal With IPv6's DHCP Server

#===================== 活动连接信息 =====================#

(removed)

OpenClash Config

Run mode: Redir-Host (compatible) mode
Proxy mode: Rule (policy-based proxy)

Expected Behavior

The first connection responds quickly.

Screenshots

image

vernesong commented 2 years ago

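This is a resource download issue; the second time there is a cache. Look at the addresses of the resources that take a long time to load and try adding them to the proxy.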

ChrisKimZHT commented 2 years ago

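This is a resource download issue; the second time there is a cache. Look at the addresses of the resources that take a long time to load and try adding them to the proxy.

But it is the first request to the server that gets stuck. Once the first request completes, the subsequent resources basically all load instantly; even with the browser's Disable cache debugging option enabled, those resources still load very quickly.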

image

ChrisKimZHT commented 2 years ago

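2722 seems somewhat similar to this issue; sometimes the connection hangs for so long that the browser just reports the site as unreachable.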

vernesong commented 2 years ago

Test the connectivity of your DNS servers, and add a few more while you are at it.

ChrisKimZHT commented 2 years ago

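Test the connectivity of your DNS servers, and add a few more while you are at it.

I switched to Fake-IP mode and it seems a bit better. But why can Redir-Host be this slow? It's a bit ridiculous.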

rsgdn commented 2 years ago

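Same as you, and I see the same thing with Twitter too... I switched to passwall2 and it has been fine for the few days I have used it...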

ChrisKimZHT commented 2 years ago

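Same as you, and I see the same thing with Twitter too... I switched to passwall2 and it has been fine for the few days I have used it...

OK, I'll give that a try when I get the chance.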

vernesong commented 2 years ago

In redir mode, a DNS lookup is needed whenever an IP rule is encountered.

ChrisKimZHT commented 2 years ago

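Same as you, and I see the same thing with Twitter too... I switched to passwall2 and it has been fine for the few days I have used it...

Switching to a different proxy program really is much faster... I'm using ShadowSocksR Plus+. It looks like the author needs to track down the problem; this probably is indeed a bug.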

rsgdn commented 2 years ago

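I have used Clash on many systems, basically every platform (I'm even using Stash on iOS). Only OpenClash shows this problem so noticeably; everything else is very stable in daily use.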

caliban511 commented 2 years ago

What on earth is going on with dnsmasq-full not being downloaded?

madlordory commented 1 year ago

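I have this problem too. I later found that disabling the meta core solves it. If you have already used the meta core and then disable it, the problem still persists, which is very strange. But after removing openclash and reinstalling it, using the default dev core, and never enabling the meta core, it was completely resolved.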

iamydp commented 1 year ago

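I have this problem too. I have also configured AdGuard Home as the only DNS, and it is set up correctly in OpenClash with no DNS leaks. Looking at the ADG logs, the DNS response times are all within the normal range, so DNS should not be the problem. But visiting domestic (Chinese) websites also shows SSL establishment taking more than 10 seconds, which I really cannot figure out. I am currently using fakeip mode, and clearing fakeip shows flush failed. I'll switch to redir mode tomorrow and try.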

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

imvane commented 5 months ago

Has this problem been solved? It's 2024 and it's still like this! Today I used ASUS Merlin Clash and it was super smooth.