vernesong / OpenClash

A Clash Client For OpenWrt
MIT License
17.83k stars 3.21k forks source link

[Bug] FakeIP增强模式无法上外网 #3923

Closed Kation closed 5 months ago

Kation commented 5 months ago

Verify Steps

OpenClash Version

v0.46.011-beta

Bug on Environment

Official OpenWrt

OpenWrt Version

OpenWrt 22.03.3 r20028-43d71ad93e

Bug on Platform

Linux-amd64(x86-64)

Describe the Bug

使用FakeIP增强模式时,客户端通过FakeIP无法访问网站,非FakeIP可以正常访问。 但是客户端通过代理端口7890,可以正常访问外网。 使用FakeIP TUN模式时,客户端通过FakeIP可以正常访问网站。

To Reproduce

开启FakeIP增强模式

OpenClash Log

OpenClash 调试日志

生成时间: 2024-06-15 13:10:47
插件版本: v0.46.011-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息

#===================== 系统信息 =====================#

主机型号: Default string Default string
固件版本: OpenWrt 22.03.3 r20028-43d71ad93e
LuCI版本: git-20.074.84698-ead5e81
内核版本: 5.10.161
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server

DNS劫持: 停用
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 未安装
unzip: 已安装
kmod-nft-tproxy: 未安装

#===================== 内核检查 =====================#

运行状态: 运行中
运行内核:Meta
进程pid: 1507
运行权限: 1507: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2023.08.17-13-gdcc8d87
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.18.0-13-gd034a40
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g0d4e57c
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/shadowsocks.au.yaml
启动配置文件: /etc/openclash/shadowsocks.au.yaml
运行模式: fake-ip
默认代理模式: rule
UDP流量转发(tproxy): 启用
自定义DNS: 停用
IPV6代理: 启用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 启用
仅允许内网: 停用
仅代理命中规则流量: 启用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 自定义规则 一 =====================#
- DOMAIN-SUFFIX,steamcontent.com,DIRECT
- DOMAIN-SUFFIX,downloadmirror.intel.com,DIRECT

##在线IP段转CIDR地址:http://ip2cidr.com
#===================== 自定义规则 二 =====================#

#===================== 配置文件 =====================#

port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
dns:
  enable: true
  ipv6: false
  nameserver:
  - 223.5.5.5
  - 180.76.76.76
  - 119.29.29.29
  - 117.50.11.11
  - 117.50.10.10
  - 114.114.114.114
  - https://dns.alidns.com/dns-query
  - https://doh.360.cn/dns-query
  - dhcp://"pppoe-wan"
  - 100.73.0.1
  - 202.103.225.68
  - 202.103.224.68
  fallback:
  - 8.8.8.8
  - tls://dns.rubyfish.cn:853
  - tls://1.0.0.1:853
  - tls://dns.google:853
  - https://dns.rubyfish.cn/dns-query
  - https://cloudflare-dns.com/dns-query
  - https://dns.google/dns-query
  fallback-filter:
    geoip: true
    ipcidr:
    - 240.0.0.0/4
    - 0.0.0.0/32
    - 127.0.0.1/32
    domain:
    - "+.google.com"
    - "+.facebook.com"
    - "+.youtube.com"
    - "+.xn--ngstr-lra8j.com"
    - "+.google.cn"
    - "+.googleapis.cn"
    - "+.gvt1.com"
  enhanced-mode: fake-ip
  fake-ip-range: 10.0.0.1/8
  listen: 0.0.0.0:7874
  default-nameserver:
  - 223.5.5.5
  - 180.76.76.76
  - 119.29.29.29
  - 117.50.11.11
  - 117.50.10.10
  - 114.114.114.114
  - 100.73.0.1
  - 202.103.225.68
  - 202.103.224.68
  - 8.8.8.8
  - tls://1.0.0.1:853
redir-port: 7892
tproxy-port: 7895
mixed-port: 7893
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
ipv6: true
sniffer:
  enable: true
  parse-pure-ip: true
profile:
  store-selected: true
  store-fake-ip: true
authentication:
- mofa:123456

#===================== 自定义覆写设置 =====================#

#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path

exit 0
#===================== 自定义防火墙设置 =====================#

#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules

LOG_OUT "Tip: Start Add Custom Firewall Rules..."

exit 0
#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Sat Jun 15 13:10:48 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sat Jun 15 13:10:48 2024

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Sat Jun 15 13:10:48 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Jun 15 13:10:48 2024

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Sat Jun 15 13:10:48 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i eth3 -o docker0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sat Jun 15 13:10:48 2024

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.7 on Sat Jun 15 13:10:48 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Jun 15 13:10:48 2024

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.7 on Sat Jun 15 13:10:48 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Jun 15 13:10:48 2024

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.7 on Sat Jun 15 13:10:48 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Jun 15 13:10:48 2024

#===================== NFTABLES 防火墙设置 =====================#

table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
        iifname { "br-lan.7", "br-lan.1007", "br-lan.1008" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        iifname { "br-lan.90", "br-lan.88", "macvlan_app" } jump input_dmz comment "!fw4: Handle dmz IPv4/IPv6 input traffic"
        iifname "zt2lrqfsvn" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
        jump handle_reject
    }
}
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        iifname { "br-lan.7", "br-lan.1007", "br-lan.1008" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname { "br-lan.90", "br-lan.88", "macvlan_app" } jump forward_dmz comment "!fw4: Handle dmz IPv4/IPv6 forward traffic"
        iifname "zt2lrqfsvn" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
        jump upnp_forward comment "Hook into miniupnpd forwarding chain"
        jump handle_reject
    }
}
table inet fw4 {
    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        ip6 daddr { 2001:4860:4860::8844, 2001:4860:4860::8888 } tcp dport 53 counter packets 0 bytes 0 accept comment "OpenClash Google DNS Hijack"
        ip daddr { 8.8.4.4, 8.8.8.8 } tcp dport 53 counter packets 0 bytes 0 redirect to :7892 comment "OpenClash Google DNS Hijack"
        iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
        iifname { "br-lan.90", "br-lan.88", "macvlan_app" } jump dstnat_dmz comment "!fw4: Handle dmz IPv4/IPv6 dstnat traffic"
        jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
        ip protocol tcp counter packets 2507 bytes 132663 jump openclash
    }
}
table inet fw4 {
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
    }
}
table inet fw4 {
    chain nat_output {
        type nat hook output priority filter - 1; policy accept;
        ip protocol tcp counter packets 602 bytes 36120 jump openclash_output
    }
}
table inet fw4 {
    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip protocol udp counter packets 16505 bytes 2477328 jump openclash_mangle
        meta nfproto ipv6 counter packets 7224 bytes 2073268 jump openclash_mangle_v6
    }
}
table inet fw4 {
    chain mangle_output {
        type route hook output priority mangle; policy accept;
        meta nfproto ipv6 counter packets 9791 bytes 1226231 jump openclash_mangle_output_v6
    }
}
table inet fw4 {
    chain openclash {
        meta nfproto ipv4 tcp sport 7893 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 821 bytes 43736 return
        ip protocol tcp ip daddr 10.0.0.0/8 counter packets 0 bytes 0 redirect to :7892
        ip protocol tcp counter packets 1686 bytes 88927 redirect to :7892
    }
}
table inet fw4 {
    chain openclash_mangle {
        meta nfproto ipv4 udp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv4 udp sport 500 counter packets 0 bytes 0 return
        meta nfproto ipv4 udp sport 68 counter packets 426 bytes 139758 return
        meta l4proto udp iifname "lo" counter packets 6486 bytes 616597 return
        ip daddr @localnetwork counter packets 6785 bytes 1275003 return
        udp dport 53 counter packets 149 bytes 8910 return
        ip protocol udp counter packets 2659 bytes 437060 jump openclash_upnp
    }
}
table inet fw4 {
    chain openclash_output {
        meta nfproto ipv4 tcp sport 7893 counter packets 0 bytes 0 return
        ip saddr 192.168.240.253 tcp sport 8443 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 91 bytes 5460 return
        ip protocol tcp ip daddr 10.0.0.0/8 meta skuid != 65534 counter packets 0 bytes 0 redirect to :7892
        ip protocol tcp meta skuid != 65534 counter packets 1 bytes 60 redirect to :7892
    }
}
table inet fw4 {
    chain openclash_mangle_v6 {
        meta nfproto ipv6 udp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv6 tcp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv6 udp sport 500 counter packets 0 bytes 0 return
        meta nfproto ipv6 udp sport 546 counter packets 27 bytes 3921 return
        meta nfproto ipv6 udp sport 8443 counter packets 0 bytes 0 return
        meta nfproto ipv6 tcp sport 8443 counter packets 0 bytes 0 return
        ip6 daddr @localnetwork6 counter packets 4877 bytes 1709421 return
        meta nfproto ipv6 udp dport 53 counter packets 0 bytes 0 return
    }
}
table inet fw4 {
    chain openclash_mangle_output_v6 {
        meta nfproto ipv6 udp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv6 tcp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv6 udp sport 500 counter packets 0 bytes 0 return
        meta nfproto ipv6 udp sport 546 counter packets 1 bytes 171 return
        meta nfproto ipv6 udp sport 8443 counter packets 0 bytes 0 return
        meta nfproto ipv6 tcp sport 8443 counter packets 0 bytes 0 return
        ip6 daddr @localnetwork6 counter packets 1976 bytes 249755 return
    }
}

#===================== IPSET状态 =====================#

#===================== 路由表状态 =====================#

#IPv4

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         100.73.0.1      0.0.0.0         UG    0      0        0 pppoe-wan
100.73.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan.90
192.168.64.0    0.0.0.0         255.255.255.0   U     0      0        0 zt2lrqfsvn
192.168.128.0   192.168.64.252  255.255.255.0   UG    5000   0        0 zt2lrqfsvn
192.168.239.0   0.0.0.0         255.255.255.0   U     0      0        0 macvlan_app
192.168.240.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.7
192.168.241.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.1007
192.168.242.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.1008

#ip route list
default via 100.73.0.1 dev pppoe-wan proto static 
100.73.0.1 dev pppoe-wan proto kernel scope link src *WAN IP*.7 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.33.0/24 dev br-lan.90 proto kernel scope link src 192.168.33.254 
192.168.64.0/24 dev zt2lrqfsvn proto kernel scope link src 192.168.64.254 
192.168.128.0/24 via 192.168.64.252 dev zt2lrqfsvn proto static metric 5000 
192.168.239.0/24 dev macvlan_app proto kernel scope link src 192.168.239.254 
192.168.240.0/24 dev br-lan.7 proto kernel scope link src 192.168.240.254 
192.168.241.0/24 dev br-lan.1007 proto kernel scope link src 192.168.241.254 
192.168.242.0/24 dev br-lan.1008 proto kernel scope link src 192.168.242.254 

#ip rule show
0:  from all lookup local
32765:  from all fwmark 0x162 lookup 354
32766:  from all lookup main
32767:  from all lookup default

#IPv6

#route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
::/0                                        ::                                      U     1024   1        0 lo      
::/0                                        ::                                      !n    -1     2        0 lo      
::/0                                        fe80::ce1a:faff:fee9:6520               UG    512    5        0 pppoe-wan
::/0                                        fe80::ce1a:faff:fee9:6520               UG    512    6        0 pppoe-wan
240e:350:1804:3e6b::/64                     ::                                      !n    2147483647 2        0 lo      
240e:352:1902:2e10::/64                     ::                                      U     1024   6        0 br-lan.90
240e:352:1902:2e20::/64                     ::                                      U     1024   2        0 br-lan.1007
240e:352:1902:2e30::/64                     ::                                      U     1024   5        0 br-lan.7
240e:352:1902:2e00::/56                     ::                                      !n    2147483647 5        0 lo      
fdbf:6008:a32f:239::1/128                   ::                                      U     256    1        0 macvlan_app
fdbf:6008:a32f:239::/64                     ::                                      U     1024   5        0 macvlan_app
fdbf:6008:a32f::/48                         ::                                      !n    2147483647 2        0 lo      
fe80::2d0:4ca0:8810:537/128                 ::                                      U     256    1        0 pppoe-wan
fe80::ce1a:faff:fee9:6520/128               ::                                      U     256    1        0 pppoe-wan
fe80::/64                                   ::                                      U     256    5        0 br-lan  
fe80::/64                                   ::                                      U     256    5        0 br-lan.7
fe80::/64                                   ::                                      U     256    5        0 br-lan.90
fe80::/64                                   ::                                      U     256    5        0 br-lan.1007
fe80::/64                                   ::                                      U     256    1        0 br-lan.1008
fe80::/64                                   ::                                      U     256    1        0 macvlan_app
fe80::/64                                   ::                                      U     256    1        0 zt2lrqfsvn
fe80::/64                                   ::                                      U     256    1        0 eth3    
::/0                                        ::                                      !n    -1     2        0 lo      
::1/128                                     ::                                      Un    0      7        0 lo      
240e:350:1804:3e6b::/128                    ::                                      Un    0      3        0 pppoe-wan
*WAN IP*:537/128    ::                                      Un    0      8        0 pppoe-wan
240e:352:1902:2e10::/128                    ::                                      Un    0      3        0 br-lan.90
240e:352:1902:2e10::1/128                   ::                                      Un    0      7        0 br-lan.90
240e:352:1902:2e20::/128                    ::                                      Un    0      3        0 br-lan.1007
240e:352:1902:2e20::1/128                   ::                                      Un    0      9        0 br-lan.1007
240e:352:1902:2e30::/128                    ::                                      Un    0      3        0 br-lan.7
240e:352:1902:2e30::1/128                   ::                                      Un    0      7        0 br-lan.7
fdbf:6008:a32f:239::1/128                   ::                                      Un    0      7        0 macvlan_app
fe80::/128                                  ::                                      Un    0      6        0 br-lan.1008
fe80::/128                                  ::                                      Un    0      3        0 br-lan.90
fe80::/128                                  ::                                      Un    0      3        0 br-lan.7
fe80::/128                                  ::                                      Un    0      3        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 br-lan.1007
fe80::/128                                  ::                                      Un    0      3        0 macvlan_app
fe80::/128                                  ::                                      Un    0      3        0 zt2lrqfsvn
fe80::/128                                  ::                                      Un    0      3        0 eth3    
fe80::2d0:4ca0:8810:537/128                 ::                                      Un    0      4        0 pppoe-wan
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      8        0 br-lan.1008
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      6        0 br-lan.90
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      6        0 br-lan.7
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      6        0 br-lan  
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      6        0 br-lan.1007
fe80::2d0:4cff:fe10:537/128                 ::                                      Un    0      2        0 eth3    
fe80::2442:62ff:fea1:e91a/128               ::                                      Un    0      2        0 zt2lrqfsvn
fe80::8cee:28ff:fef9:be69/128               ::                                      Un    0      6        0 macvlan_app
ff00::/8                                    ::                                      U     256    6        0 macvlan_app
ff00::/8                                    ::                                      U     256    5        0 br-lan  
ff00::/8                                    ::                                      U     256    5        0 br-lan.7
ff00::/8                                    ::                                      U     256    5        0 br-lan.90
ff00::/8                                    ::                                      U     256    5        0 br-lan.1007
ff00::/8                                    ::                                      U     256    5        0 br-lan.1008
ff00::/8                                    ::                                      U     256    5        0 zt2lrqfsvn
ff00::/8                                    ::                                      U     256    2        0 eth3    
ff00::/8                                    ::                                      U     256    5        0 pppoe-wan
::/0                                        ::                                      !n    -1     2        0 lo      

#ip -6 route list
default from 240e:350:1804:3e6b::/64 via fe80::ce1a:faff:fee9:6520 dev pppoe-wan proto static metric 512 pref medium
default from 240e:352:1902:2e00::/56 via fe80::ce1a:faff:fee9:6520 dev pppoe-wan proto static metric 512 pref medium
unreachable 240e:350:1804:3e6b::/64 dev lo proto static metric 2147483647 pref medium
240e:352:1902:2e10::/64 dev br-lan.90 proto static metric 1024 pref medium
240e:352:1902:2e20::/64 dev br-lan.1007 proto static metric 1024 pref medium
240e:352:1902:2e30::/64 dev br-lan.7 proto static metric 1024 pref medium
unreachable 240e:352:1902:2e00::/56 dev lo proto static metric 2147483647 pref medium
fdbf:6008:a32f:239::1 dev macvlan_app proto kernel metric 256 pref medium
fdbf:6008:a32f:239::/64 dev macvlan_app proto static metric 1024 pref medium
unreachable fdbf:6008:a32f::/48 dev lo proto static metric 2147483647 pref medium
fe80::2d0:4ca0:8810:537 dev pppoe-wan proto kernel metric 256 pref medium
fe80::ce1a:faff:fee9:6520 dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-lan.7 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.90 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.1007 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.1008 proto kernel metric 256 pref medium
fe80::/64 dev macvlan_app proto kernel metric 256 pref medium
fe80::/64 dev zt2lrqfsvn proto kernel metric 256 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium

#ip -6 rule show
0:  from all lookup local
32764:  from all fwmark 0x162 lookup 354
32765:  from all oif utun [detached] lookup 2022
32766:  from all lookup main
4200000000: from 240e:352:1902:2e10::1/60 iif br-lan.90 unreachable
4200000000: from 240e:352:1902:2e20::1/60 iif br-lan.1007 unreachable
4200000000: from 240e:352:1902:2e30::1/60 iif br-lan.7 unreachable

#===================== 端口占用状态 =====================#

tcp        0      0 :::9090                 :::*                    LISTEN      1507/clash
tcp        0      0 :::7890                 :::*                    LISTEN      1507/clash
tcp        0      0 :::7891                 :::*                    LISTEN      1507/clash
tcp        0      0 :::7892                 :::*                    LISTEN      1507/clash
tcp        0      0 :::7893                 :::*                    LISTEN      1507/clash
tcp        0      0 :::7895                 :::*                    LISTEN      1507/clash
udp        0      0 :::7874                 :::*                                1507/clash
udp        0      0 :::7891                 :::*                                1507/clash
udp        0      0 :::7892                 :::*                                1507/clash
udp        0      0 :::7893                 :::*                                1507/clash
udp        0      0 :::7895                 :::*                                1507/clash

#===================== 测试本机DNS查询(www.baidu.com) =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 183.2.172.185
Name:   www.a.shifen.com
Address: 183.2.172.42

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 240e:ff:e020:966:0:ff:b042:f296
Name:   www.a.shifen.com
Address: 240e:ff:e020:9ae:0:ff:b014:8e8b

#===================== 测试内核DNS查询(www.instagram.com) =====================#

Status: 0
TC: false
RD: false
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 1
  Qclass: 1

Answer: 
  TTL: 54
  data: 157.240.20.18
  name: www.instagram.com.
  type: 1

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 28
  Qclass: 1

Answer: 
  TTL: 87
  data: 2a03:2880:f10d:83:face:b00c:0:25de
  name: www.instagram.com.
  type: 28

Dnsmasq 当前默认 resolv 文件:

#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#

# Interface wan
nameserver 202.103.225.68
nameserver 202.103.224.68
# Interface wan_6
nameserver 240e:9:2000:100:202:103:225:68
nameserver 240e:9:0:100:202:103:224:68
search private-ds
search PRIVATE-DS

#===================== 测试本机网络连接(www.baidu.com) =====================#

HTTP/1.1 200 OK
Bdpagetype: 1
Bdqid: 0xc50121e2001d8945
Connection: keep-alive
Content-Length: 403601
Content-Type: text/html; charset=utf-8
Date: Sat, 15 Jun 2024 13:10:49 GMT
Server: BWS/1.1
Set-Cookie: BIDUPSID=D1D2D7C6A509D51056961DFE1235B38A; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1718457049; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=3; path=/
Set-Cookie: BD_HOME=1; path=/
Set-Cookie: BAIDUID=D1D2D7C6A509D51056961DFE1235B38A:FG=1; Path=/; Domain=baidu.com; Max-Age=31536000
Set-Cookie: BAIDUID_BFESS=D1D2D7C6A509D51056961DFE1235B38A:FG=1; Path=/; Domain=baidu.com; Max-Age=31536000; Secure; SameSite=None
Traceid: 1718457049183270298614195664754996775237
Vary: Accept-Encoding
X-Ua-Compatible: IE=Edge,chrome=1
X-Xss-Protection: 1;mode=block

#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#

#===================== 最近运行日志(自动切换为Debug模式) =====================#

2024-06-15 12:49:42 Tip: Because of the file【 /etc/config/openclash 】modificated, Pause quick start...
2024-06-15 12:49:42 Step 3: Modify The Config File...
2024-06-15 12:49:42 Tip: You have seted the authentication of SOCKS5/HTTP(S) proxy with【mofa:123456】
2024-06-15 12:49:42 Tip: Start Running Custom Overwrite Scripts...
2024-06-15 12:49:42 Step 4: Start Running The Clash Core...
2024-06-15 12:49:42 Tip: Detected The Exclusive Function of The Meta Core, Use Meta Core to Start...
2024-06-15 12:49:42 Test The Config File First...
time="2024-06-15T12:49:43.275779066Z" level=info msg="Start initial configuration in progress"
time="2024-06-15T12:49:43.276595141Z" level=info msg="Geodata Loader mode: memconservative"
time="2024-06-15T12:49:43.276628271Z" level=info msg="Geosite Matcher implementation: succinct"
time="2024-06-15T12:49:44.233880761Z" level=warning msg="[CacheFile] can't open cache file: timeout"
time="2024-06-15T12:49:44.23549243Z" level=warning msg="Deprecated: Use Sniff instead"
time="2024-06-15T12:49:44.235561695Z" level=info msg="Initial configuration complete, total time: 959ms"
2024-06-15 12:49:44 configuration file【/etc/openclash/shadowsocks.au.yaml】test is successful
2024-06-15 12:49:45 Step 5: Check The Core Status...
time="2024-06-15T12:49:45.839864607Z" level=info msg="Start initial configuration in progress"
time="2024-06-15T12:49:45.840692459Z" level=info msg="Geodata Loader mode: memconservative"
time="2024-06-15T12:49:45.840711687Z" level=info msg="Geosite Matcher implementation: succinct"
time="2024-06-15T12:49:45.853595654Z" level=warning msg="Deprecated: Use Sniff instead"
time="2024-06-15T12:49:45.853619952Z" level=info msg="Initial configuration complete, total time: 13ms"
time="2024-06-15T12:49:45.853909662Z" level=info msg="RESTful API listening at: [::]:9090"
time="2024-06-15T12:49:45.861520439Z" level=info msg="Authentication of local server updated"
time="2024-06-15T12:49:45.861545538Z" level=info msg="Sniffer is loaded and working"
time="2024-06-15T12:49:45.861647814Z" level=info msg="DNS server listening at: [::]:7874"
time="2024-06-15T12:49:45.861700323Z" level=info msg="HTTP proxy listening at: [::]:7890"
time="2024-06-15T12:49:45.861755563Z" level=info msg="SOCKS proxy listening at: [::]:7891"
time="2024-06-15T12:49:45.861823328Z" level=info msg="Redirect proxy listening at: [::]:7892"
time="2024-06-15T12:49:45.861857619Z" level=info msg="TProxy server listening at: [::]:7895"
time="2024-06-15T12:49:45.861882014Z" level=info msg="Mixed(http+socks) proxy listening at: [::]:7893"
time="2024-06-15T12:49:45.863323111Z" level=info msg="Start initial Compatible provider Auto"
time="2024-06-15T12:49:45.863497832Z" level=info msg="Start initial Compatible provider Proxy"
time="2024-06-15T12:49:45.863525873Z" level=info msg="Start initial Compatible provider default"
2024-06-15 12:49:48 Step 6: Wait For The File Downloading...
2024-06-15 12:49:48 Step 7: Set Firewall Rules...
2024-06-15 12:49:48 Warning: Dnsmasq not Support nftset, Use ipset...
2024-06-15 12:49:48 Tip: DNS Hijacking is Disabled...
2024-06-15 12:49:48 Tip: IPv6 Proxy Mode is TProxy...
2024-06-15 12:49:48 Tip: Firewall4 was Detected, Use NFTABLE Rules...
2024-06-15 12:49:49 Tip: Start Add Port Bypassing Rules For Firewall Redirect and Firewall Rules...
2024-06-15 12:49:49 Tip: Start Add Custom Firewall Rules...
2024-06-15 12:49:49 Step 8: Restart Dnsmasq...
2024-06-15 12:50:02 Step 9: Add Cron Rules, Start Daemons...
2024-06-15 12:50:02 OpenClash Start Successful!
2024-06-15 13:02:09【/tmp/clash_last_version】Download Failed:【curl: (28) Connection timed out after 60001 milliseconds】
2024-06-15 13:01:54【/tmp/openclash_last_version】Download Failed:【curl: (28) Connection timeout after 30001 ms curl: (28) Connection timeout after 30001 ms curl: (28) Connection timeout after 30001 ms】
2024-06-15 13:02:06【/tmp/openclash_last_version】Download Failed:【curl: (28) Connection timeout after 30000 ms curl: (28) Connection timeout after 30000 ms curl: (28) Connection timeout after 30000 ms】
2024-06-15 13:03:09【/tmp/clash_last_version】Download Failed:【curl: (28) Connection timed out after 60001 milliseconds】
2024-06-15 13:04:09【/tmp/openclash_last_version】Download Failed:【curl: (28) Connection timeout after 30001 ms curl: (28) Connection timeout after 30001 ms curl: (28) Connection timeout after 30001 ms】
2024-06-15 13:05:57【/tmp/clash_last_version】Download Failed:【curl: (28) Connection timed out after 60001 milliseconds】
2024-06-15 13:06:57【/tmp/openclash_last_version】Download Failed:【curl: (28) Connection timeout after 30001 ms curl: (28) Connection timeout after 30001 ms curl: (28) Connection timeout after 30001 ms】
2024-06-15 13:08:34【/tmp/clash_last_version】Download Failed:【curl: (28) Connection timed out after 60000 milliseconds】
time="2024-06-15T13:11:01.297911601Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:01.336574004Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:01.338571207Z" level=info msg="[TCP] 192.168.242.71:40160 --> 101.227.131.167:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:01.370176068Z" level=info msg="[TCP] 192.168.242.71:40162 --> 101.227.131.167:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:01.424401449Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:01.462562703Z" level=info msg="[TCP] 192.168.242.71:40164 --> 101.227.131.167:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:01.717587853Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:01.751419747Z" level=info msg="[TCP] 192.168.242.71:40166 --> 101.227.131.167:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:01.85480662Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:01.887560002Z" level=info msg="[TCP] 192.168.242.71:40168 --> 101.227.131.167:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:02.718393349Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:02.751813428Z" level=info msg="[TCP] 192.168.242.71:40170 --> 101.227.131.167:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:03.315769072Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:03.35199989Z" level=info msg="[TCP] 192.168.242.71:40172 --> 101.227.131.167:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:04.786217231Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:04.824970283Z" level=info msg="[TCP] 192.168.242.71:40174 --> 101.227.131.167:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:04.964899661Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:05.00276807Z" level=info msg="[TCP] 192.168.242.71:40176 --> 101.227.131.167:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:05.579356182Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:05.60123814Z" level=info msg="[TCP] 192.168.242.71:49586 --> 124.225.199.136:80 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:06.951021907Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:06.961447119Z" level=debug msg="[Process] find process 52.113.194.132 error: socket: protocol not supported"
time="2024-06-15T13:11:06.961552028Z" level=debug msg="[DNS] cache hit for ty-1.rise-fuji.com., expire at 2024-06-15 13:17:51"
time="2024-06-15T13:11:06.961593294Z" level=debug msg="[DNS] cache hit for ty-1.rise-fuji.com., expire at 2024-06-15 13:11:01"
time="2024-06-15T13:11:06.961707028Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from udp://202.103.224.68:53"
time="2024-06-15T13:11:06.961748353Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from udp://202.103.225.68:53"
time="2024-06-15T13:11:06.96179581Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from udp://117.50.11.11:53"
time="2024-06-15T13:11:06.961825666Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from udp://180.76.76.76:53"
time="2024-06-15T13:11:06.961808083Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from "
time="2024-06-15T13:11:06.961854347Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from https://dns.alidns.com:443/dns-query"
time="2024-06-15T13:11:06.96181302Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from https://doh.360.cn:443/dns-query"
time="2024-06-15T13:11:06.962099597Z" level=debug msg="[DNS] cache hit for doh.360.cn., expire at 2024-06-15 13:12:10"
time="2024-06-15T13:11:06.962008906Z" level=debug msg="[DNS] cache hit for dns.alidns.com., expire at 2024-06-15 13:12:10"
time="2024-06-15T13:11:06.961813658Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from udp://114.114.114.114:53"
time="2024-06-15T13:11:06.96214649Z" level=debug msg="[DNS] cache hit for doh.360.cn., expire at 2024-06-15 13:13:12"
time="2024-06-15T13:11:06.961857089Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from udp://119.29.29.29:53"
time="2024-06-15T13:11:06.961811774Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from udp://117.50.10.10:53"
time="2024-06-15T13:11:06.962020846Z" level=debug msg="[DNS] cache hit for dns.alidns.com., expire at 2024-06-15 14:05:58"
time="2024-06-15T13:11:06.961816127Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from udp://100.73.0.1:53"
time="2024-06-15T13:11:06.961824078Z" level=debug msg="[DNS] resolve ty-1.rise-fuji.com from udp://223.5.5.5:53"
time="2024-06-15T13:11:06.964415426Z" level=debug msg="[DNS] ty-1.rise-fuji.com --> [149.50.72.80] A from udp://202.103.225.68:53"
time="2024-06-15T13:11:07.103664943Z" level=info msg="[TCP] 192.168.241.10:52172 --> 52.113.194.132:443 match DstPort(443) using Proxy[日本-TY-1-流量倍率:1.0]"
2024-06-15 13:09:34【/tmp/openclash_last_version】Download Failed:【curl: (28) Connection timeout after 30000 ms curl: (28) Connection timeout after 30001 ms curl: (28) Connection timeout after 30001 ms】
time="2024-06-15T13:11:09.809959818Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:09.81016017Z" level=debug msg="[DNS] cache hit for ty-1.rise-fuji.com., expire at 2024-06-15 13:12:33"
time="2024-06-15T13:11:09.810304674Z" level=debug msg="[DNS] cache hit for ty-1.rise-fuji.com., expire at 2024-06-15 13:17:51"
time="2024-06-15T13:11:09.857193788Z" level=debug msg="[Rule] use default rules"
time="2024-06-15T13:11:09.874670329Z" level=info msg="[TCP] 192.168.242.26:45612 --> 183.2.172.185:443 match GeoIP(cn) using DIRECT"
time="2024-06-15T13:11:09.961489387Z" level=info msg="[TCP] 192.168.240.96:49633 --> cn.bing.com:443 match DomainSuffix(bing.com) using Proxy[日本-TY-1-流量倍率:1.0]"

#===================== 最近运行日志获取完成(自动切换为silent模式) =====================#

OpenClash Config

No response

Expected Behavior

正常访问外网

Additional Context

No response

Kation commented 5 months ago

在客户端使用curl请求FakeIP网站的时候,openclash内核日志没有记录到请求

Kation commented 5 months ago

@jelly21fish 用了mosdns,客户端是可以获取到外网域名的FakeIP

Aethersailor commented 5 months ago

用mosdns前置的话,default-nameserver要取消勾选,mosdns的远程服务器设置为openclash的127.0.0.1:7874. 另外先把ipv6关了,确定你的节点支持ipv6出站再开

Kation commented 5 months ago

用mosdns前置的话,default-nameserver要取消勾选,mosdns的远程服务器设置为openclash的127.0.0.1:7874. 另外先把ipv6关了,确定你的节点支持ipv6出站再开

mosdns远程服务器是设置为7874的,客户端用nslookup google.com是能获取到FakeIP的

ipv6是能用的,tun模式都正常,外网ipv6能访问。
ipv6关了,增强模式也上不了外网。

Kation commented 5 months ago

@jelly21fish 让openclash劫持dns,增强模式连国内都上不了
肯定不是dns问题造成的

OpenClash 调试日志

生成时间: 2024-06-17 13:42:20
插件版本: v0.46.011-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息

#===================== 系统信息 =====================#

主机型号: Default string Default string
固件版本: OpenWrt 22.03.3 r20028-43d71ad93e
LuCI版本: git-20.074.84698-ead5e81
内核版本: 5.10.161
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server

DNS劫持: Dnsmasq 转发
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 未安装
unzip: 已安装
kmod-nft-tproxy: 未安装

#===================== 内核检查 =====================#

运行状态: 运行中
运行内核:Meta
进程pid: 4330
运行权限: 4330: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2023.08.17-13-gdcc8d87
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.18.0-13-gd034a40
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g0d4e57c
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/shadowsocks.au.yaml
启动配置文件: /etc/openclash/shadowsocks.au.yaml
运行模式: fake-ip
默认代理模式: rule
UDP流量转发(tproxy): 启用
自定义DNS: 停用
IPV6代理: 启用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 启用
仅允许内网: 停用
仅代理命中规则流量: 启用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 自定义规则 一 =====================#
script:

rules:

##DDNS
- DOMAIN-SUFFIX,steamcontent.com,DIRECT
- DOMAIN-SUFFIX,downloadmirror.intel.com,DIRECT

##在线IP段转CIDR地址:http://ip2cidr.com
#===================== 自定义规则 二 =====================#
script:
rules:

#===================== 配置文件 =====================#

port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
dns:
  enable: true
  ipv6: false
  nameserver:
  - 223.5.5.5
  - 180.76.76.76
  - 119.29.29.29
  - 117.50.11.11
  - 117.50.10.10
  - 114.114.114.114
  - https://dns.alidns.com/dns-query
  - https://doh.360.cn/dns-query
  fallback:
  - 8.8.8.8
  - tls://dns.rubyfish.cn:853
  - tls://1.0.0.1:853
  - tls://dns.google:853
  - https://dns.rubyfish.cn/dns-query
  - https://cloudflare-dns.com/dns-query
  - https://dns.google/dns-query
  fallback-filter:
    geoip: true
    ipcidr:
    - 240.0.0.0/4
    - 0.0.0.0/32
    - 127.0.0.1/32
    domain:
    - "+.google.com"
    - "+.facebook.com"
    - "+.youtube.com"
    - "+.xn--ngstr-lra8j.com"
    - "+.google.cn"
    - "+.googleapis.cn"
    - "+.gvt1.com"
  enhanced-mode: fake-ip
  fake-ip-range: 10.0.0.1/8
  listen: 0.0.0.0:7874
  default-nameserver:
  - 223.5.5.5
  - 180.76.76.76
  - 119.29.29.29
  - 117.50.11.11
  - 117.50.10.10
  - 114.114.114.114
  - 8.8.8.8
  - tls://1.0.0.1:853
redir-port: 7892
tproxy-port: 7895
mixed-port: 7893
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
ipv6: true
sniffer:
  enable: true
  parse-pure-ip: true
profile:
  store-selected: true
  store-fake-ip: true
authentication:
- mofa:123456

#===================== 自定义覆写设置 =====================#

#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path

exit 0
#===================== 自定义防火墙设置 =====================#

#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

LOG_OUT "Tip: Start Add Custom Firewall Rules..."

exit 0
#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Mon Jun 17 13:42:21 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Mon Jun 17 13:42:21 2024

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Mon Jun 17 13:42:21 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Jun 17 13:42:21 2024

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Mon Jun 17 13:42:21 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i eth3 -o docker0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Jun 17 13:42:21 2024

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.7 on Mon Jun 17 13:42:21 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Jun 17 13:42:21 2024

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.7 on Mon Jun 17 13:42:21 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Jun 17 13:42:21 2024

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.7 on Mon Jun 17 13:42:21 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Jun 17 13:42:21 2024

#===================== NFTABLES 防火墙设置 =====================#

table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
        iifname { "br-lan.7", "br-lan.1007", "br-lan.1008" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        iifname { "br-lan.90", "br-lan.88", "macvlan_app" } jump input_dmz comment "!fw4: Handle dmz IPv4/IPv6 input traffic"
        iifname "zt2lrqfsvn" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
        jump handle_reject
    }
}
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        iifname { "br-lan.7", "br-lan.1007", "br-lan.1008" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname { "br-lan.90", "br-lan.88", "macvlan_app" } jump forward_dmz comment "!fw4: Handle dmz IPv4/IPv6 forward traffic"
        iifname "zt2lrqfsvn" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
        jump upnp_forward comment "Hook into miniupnpd forwarding chain"
        jump handle_reject
    }
}
table inet fw4 {
    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        ip6 daddr { 2001:4860:4860::8844, 2001:4860:4860::8888 } tcp dport 53 counter packets 0 bytes 0 accept comment "OpenClash Google DNS Hijack"
        ip daddr { 8.8.4.4, 8.8.8.8 } tcp dport 53 counter packets 0 bytes 0 redirect to :7892 comment "OpenClash Google DNS Hijack"
        udp dport 53 counter packets 351 bytes 23081 redirect to :53 comment "OpenClash DNS Hijack"
        tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "OpenClash DNS Hijack"
        iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
        iifname { "br-lan.90", "br-lan.88", "macvlan_app" } jump dstnat_dmz comment "!fw4: Handle dmz IPv4/IPv6 dstnat traffic"
        jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
        ip protocol tcp counter packets 219 bytes 11468 jump openclash
    }
}
table inet fw4 {
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
    }
}
table inet fw4 {
    chain nat_output {
        type nat hook output priority filter - 1; policy accept;
        ip protocol tcp counter packets 269 bytes 16140 jump openclash_output
    }
}
table inet fw4 {
    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip protocol udp counter packets 1858 bytes 245660 jump openclash_mangle
        meta nfproto ipv6 counter packets 3771 bytes 4136132 jump openclash_mangle_v6
    }
}
table inet fw4 {
    chain mangle_output {
        type route hook output priority mangle; policy accept;
        meta nfproto ipv6 counter packets 3036 bytes 479036 jump openclash_mangle_output_v6
    }
}
table inet fw4 {
    chain openclash {
        meta nfproto ipv4 tcp sport 7893 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 152 bytes 7984 return
        ip protocol tcp ip daddr 10.0.0.0/8 counter packets 0 bytes 0 redirect to :7892
        ip protocol tcp counter packets 67 bytes 3484 redirect to :7892
    }
}
table inet fw4 {
    chain openclash_mangle {
        meta nfproto ipv4 udp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv4 udp sport 500 counter packets 0 bytes 0 return
        meta nfproto ipv4 udp sport 68 counter packets 49 bytes 16072 return
        meta l4proto udp iifname "lo" counter packets 152 bytes 10051 return
        ip daddr @localnetwork counter packets 1365 bytes 183802 return
        udp dport 53 counter packets 76 bytes 4462 return
        ip protocol udp counter packets 216 bytes 31273 jump openclash_upnp
    }
}
table inet fw4 {
    chain openclash_output {
        meta nfproto ipv4 tcp sport 7893 counter packets 0 bytes 0 return
        ip saddr 192.168.240.253 tcp sport 8443 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 48 bytes 2880 return
        ip protocol tcp ip daddr 10.0.0.0/8 meta skuid != 65534 counter packets 0 bytes 0 redirect to :7892
        ip protocol tcp meta skuid != 65534 counter packets 0 bytes 0 redirect to :7892
    }
}
table inet fw4 {
    chain openclash_mangle_v6 {
        meta nfproto ipv6 udp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv6 tcp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv6 udp sport 500 counter packets 0 bytes 0 return
        meta nfproto ipv6 udp sport 546 counter packets 2 bytes 265 return
        meta nfproto ipv6 udp sport 8443 counter packets 0 bytes 0 return
        meta nfproto ipv6 tcp sport 8443 counter packets 0 bytes 0 return
        ip6 daddr @localnetwork6 counter packets 3294 bytes 4050792 return
        meta nfproto ipv6 udp dport 53 counter packets 0 bytes 0 return
    }
}
table inet fw4 {
    chain openclash_mangle_output_v6 {
        meta nfproto ipv6 udp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv6 tcp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv6 udp sport 500 counter packets 0 bytes 0 return
        meta nfproto ipv6 udp sport 546 counter packets 0 bytes 0 return
        meta nfproto ipv6 udp sport 8443 counter packets 0 bytes 0 return
        meta nfproto ipv6 tcp sport 8443 counter packets 0 bytes 0 return
        ip6 daddr @localnetwork6 counter packets 195 bytes 37791 return
    }
}

#===================== IPSET状态 =====================#

#===================== 路由表状态 =====================#

#IPv4

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         100.73.0.1      0.0.0.0         UG    0      0        0 pppoe-wan
100.73.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan.90
192.168.64.0    0.0.0.0         255.255.255.0   U     0      0        0 zt2lrqfsvn
192.168.128.0   192.168.64.252  255.255.255.0   UG    5000   0        0 zt2lrqfsvn
192.168.239.0   0.0.0.0         255.255.255.0   U     0      0        0 macvlan_app
192.168.240.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.7
192.168.241.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.1007
192.168.242.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.1008

#ip route list
default via 100.73.0.1 dev pppoe-wan proto static 
100.73.0.1 dev pppoe-wan proto kernel scope link src *WAN IP*.7 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.33.0/24 dev br-lan.90 proto kernel scope link src 192.168.33.254 
192.168.64.0/24 dev zt2lrqfsvn proto kernel scope link src 192.168.64.254 
192.168.128.0/24 via 192.168.64.252 dev zt2lrqfsvn proto static metric 5000 
192.168.239.0/24 dev macvlan_app proto kernel scope link src 192.168.239.254 
192.168.240.0/24 dev br-lan.7 proto kernel scope link src 192.168.240.254 
192.168.241.0/24 dev br-lan.1007 proto kernel scope link src 192.168.241.254 
192.168.242.0/24 dev br-lan.1008 proto kernel scope link src 192.168.242.254 

#ip rule show
0:  from all lookup local
32765:  from all fwmark 0x162 lookup 354
32766:  from all lookup main
32767:  from all lookup default

#IPv6

#route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
::/0                                        ::                                      U     1024   1        0 lo      
::/0                                        ::                                      !n    -1     2        0 lo      
::/0                                        fe80::ce1a:faff:fee9:6520               UG    512    5        0 pppoe-wan
::/0                                        fe80::ce1a:faff:fee9:6520               UG    512    6        0 pppoe-wan
240e:350:1804:3e6b::/64                     ::                                      !n    2147483647 3        0 lo      
240e:352:1902:2e10::/64                     ::                                      U     1024   6        0 br-lan.90
240e:352:1902:2e20::/64                     ::                                      U     1024   2        0 br-lan.1007
240e:352:1902:2e30::/64                     ::                                      U     1024   5        0 br-lan.7
240e:352:1902:2e00::/56                     ::                                      !n    2147483647 5        0 lo      
fdbf:6008:a32f:239::1/128                   ::                                      U     256    1        0 macvlan_app
fdbf:6008:a32f:239::/64                     ::                                      U     1024   5        0 macvlan_app
fdbf:6008:a32f::/48                         ::                                      !n    2147483647 2        0 lo      
fe80::2d0:4ca0:8810:537/128                 ::                                      U     256    1        0 pppoe-wan
fe80::ce1a:faff:fee9:6520/128               ::                                      U     256    1        0 pppoe-wan
fe80::/64                                   ::                                      U     256    5        0 br-lan  
fe80::/64                                   ::                                      U     256    5        0 br-lan.7
fe80::/64                                   ::                                      U     256    5        0 br-lan.90
fe80::/64                                   ::                                      U     256    5        0 br-lan.1007
fe80::/64                                   ::                                      U     256    1        0 br-lan.1008
fe80::/64                                   ::                                      U     256    1        0 macvlan_app
fe80::/64                                   ::                                      U     256    1        0 zt2lrqfsvn
fe80::/64                                   ::                                      U     256    1        0 eth3    
::/0                                        ::                                      !n    -1     2        0 lo      
::1/128                                     ::                                      Un    0      7        0 lo      
240e:350:1804:3e6b::/128                    ::                                      Un    0      3        0 pppoe-wan
*WAN IP*:537/128    ::                                      Un    0      8        0 pppoe-wan
240e:352:1902:2e10::/128                    ::                                      Un    0      3        0 br-lan.90
240e:352:1902:2e10::1/128                   ::                                      Un    0      7        0 br-lan.90
240e:352:1902:2e20::/128                    ::                                      Un    0      3        0 br-lan.1007
240e:352:1902:2e20::1/128                   ::                                      Un    0      9        0 br-lan.1007
240e:352:1902:2e30::/128                    ::                                      Un    0      3        0 br-lan.7
240e:352:1902:2e30::1/128                   ::                                      Un    0      7        0 br-lan.7
fdbf:6008:a32f:239::1/128                   ::                                      Un    0      7        0 macvlan_app
fe80::/128                                  ::                                      Un    0      6        0 br-lan.1008
fe80::/128                                  ::                                      Un    0      3        0 br-lan.90
fe80::/128                                  ::                                      Un    0      3        0 br-lan.7
fe80::/128                                  ::                                      Un    0      3        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 br-lan.1007
fe80::/128                                  ::                                      Un    0      3        0 macvlan_app
fe80::/128                                  ::                                      Un    0      3        0 zt2lrqfsvn
fe80::/128                                  ::                                      Un    0      3        0 eth3    
fe80::2d0:4ca0:8810:537/128                 ::                                      Un    0      4        0 pppoe-wan
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      8        0 br-lan.1008
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      6        0 br-lan.90
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      6        0 br-lan.7
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      6        0 br-lan  
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      6        0 br-lan.1007
fe80::2d0:4cff:fe10:537/128                 ::                                      Un    0      2        0 eth3    
fe80::2442:62ff:fea1:e91a/128               ::                                      Un    0      2        0 zt2lrqfsvn
fe80::8cee:28ff:fef9:be69/128               ::                                      Un    0      6        0 macvlan_app
ff00::/8                                    ::                                      U     256    6        0 macvlan_app
ff00::/8                                    ::                                      U     256    5        0 br-lan  
ff00::/8                                    ::                                      U     256    5        0 br-lan.7
ff00::/8                                    ::                                      U     256    5        0 br-lan.90
ff00::/8                                    ::                                      U     256    5        0 br-lan.1007
ff00::/8                                    ::                                      U     256    5        0 br-lan.1008
ff00::/8                                    ::                                      U     256    5        0 zt2lrqfsvn
ff00::/8                                    ::                                      U     256    2        0 eth3    
ff00::/8                                    ::                                      U     256    5        0 pppoe-wan
::/0                                        ::                                      !n    -1     2        0 lo      

#ip -6 route list
default from 240e:350:1804:3e6b::/64 via fe80::ce1a:faff:fee9:6520 dev pppoe-wan proto static metric 512 pref medium
default from 240e:352:1902:2e00::/56 via fe80::ce1a:faff:fee9:6520 dev pppoe-wan proto static metric 512 pref medium
unreachable 240e:350:1804:3e6b::/64 dev lo proto static metric 2147483647 pref medium
240e:352:1902:2e10::/64 dev br-lan.90 proto static metric 1024 pref medium
240e:352:1902:2e20::/64 dev br-lan.1007 proto static metric 1024 pref medium
240e:352:1902:2e30::/64 dev br-lan.7 proto static metric 1024 pref medium
unreachable 240e:352:1902:2e00::/56 dev lo proto static metric 2147483647 pref medium
fdbf:6008:a32f:239::1 dev macvlan_app proto kernel metric 256 pref medium
fdbf:6008:a32f:239::/64 dev macvlan_app proto static metric 1024 pref medium
unreachable fdbf:6008:a32f::/48 dev lo proto static metric 2147483647 pref medium
fe80::2d0:4ca0:8810:537 dev pppoe-wan proto kernel metric 256 pref medium
fe80::ce1a:faff:fee9:6520 dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-lan.7 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.90 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.1007 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.1008 proto kernel metric 256 pref medium
fe80::/64 dev macvlan_app proto kernel metric 256 pref medium
fe80::/64 dev zt2lrqfsvn proto kernel metric 256 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium

#ip -6 rule show
0:  from all lookup local
32764:  from all fwmark 0x162 lookup 354
32765:  from all oif utun [detached] lookup 2022
32766:  from all lookup main
4200000000: from 240e:352:1902:2e10::1/60 iif br-lan.90 unreachable
4200000000: from 240e:352:1902:2e20::1/60 iif br-lan.1007 unreachable
4200000000: from 240e:352:1902:2e30::1/60 iif br-lan.7 unreachable

#===================== 端口占用状态 =====================#

tcp        0      0 :::9090                 :::*                    LISTEN      4330/clash
tcp        0      0 :::7890                 :::*                    LISTEN      4330/clash
tcp        0      0 :::7891                 :::*                    LISTEN      4330/clash
tcp        0      0 :::7892                 :::*                    LISTEN      4330/clash
tcp        0      0 :::7893                 :::*                    LISTEN      4330/clash
tcp        0      0 :::7895                 :::*                    LISTEN      4330/clash
udp        0      0 :::7874                 :::*                                4330/clash
udp        0      0 :::7891                 :::*                                4330/clash
udp        0      0 :::7892                 :::*                                4330/clash
udp        0      0 :::7893                 :::*                                4330/clash
udp        0      0 :::7895                 :::*                                4330/clash

#===================== 测试本机DNS查询(www.baidu.com) =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

Name:   www.baidu.com
Address: 10.0.0.8

#===================== 测试内核DNS查询(www.instagram.com) =====================#

Status: 0
TC: false
RD: true
RA: false
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 1
  Qclass: 1

Answer: 
  TTL: 167
  data: 128.242.245.189
  name: www.instagram.com.
  type: 1

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 28
  Qclass: 1

Answer: 
  TTL: 42
  data: 2a03:2880:f12c:183:face:b00c:0:25de
  name: www.instagram.com.
  type: 28

Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto

#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#

# Interface lan
nameserver 119.29.29.29
nameserver 8.8.8.8

#===================== 测试本机网络连接(www.baidu.com) =====================#

#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#

#===================== 最近运行日志(自动切换为Debug模式) =====================#

#===================== 最近运行日志获取完成(自动切换为silent模式) =====================#
Kation commented 5 months ago

增强模式还有一个奇怪的现象,局域网客户端curl国外IPv4,会显示无法连接
但是在openwrt上,curl国外IPv4可以正常获取到网页内容
局域网客户端curl国外IPv6可以正常获取到网页内容

通过删除nftable规则

table inet fw4 {
    chain openclash {
        meta nfproto ipv4 tcp sport 7893 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 152 bytes 7984 return
        ip protocol tcp ip daddr 10.0.0.0/8 counter packets 0 bytes 0 redirect to :7892
        ip protocol tcp counter packets 67 bytes 3484 redirect to :7892
    }
}

中的ip protocol tcp counter packets 67 bytes 3484 redirect to :7892 局域网客户端curl国外IPv4就能正常获取到网页内容了

所以问题应该是,nftable规则把流量重定向至7892端口有问题,我不知道该如何解决

Kation commented 5 months ago

@jelly21fish 安装了,也不行……

OpenClash 调试日志

生成时间: 2024-06-18 16:37:22
插件版本: v0.46.014-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息

#===================== 系统信息 =====================#

主机型号: Default string Default string
固件版本: OpenWrt 22.03.3 r20028-43d71ad93e
LuCI版本: git-20.074.84698-ead5e81
内核版本: 5.10.161
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server

DNS劫持: 停用
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
kmod-nft-tproxy: 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
运行内核:Meta
进程pid: 8748
运行权限: 8748: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2023.08.17-13-gdcc8d87
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.18.0-13-gd034a40
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g0d4e57c
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/shadowsocks.au.yaml
启动配置文件: /etc/openclash/shadowsocks.au.yaml
运行模式: fake-ip
默认代理模式: rule
UDP流量转发(tproxy): 启用
自定义DNS: 停用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 启用
仅允许内网: 停用
仅代理命中规则流量: 启用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 自定义规则 一 =====================#
script:

rules:
- SRC-IP-CIDR,192.168.33.0/24,DIRECT #匹配数据发起IP(直连)

- DOMAIN-SUFFIX,steamcontent.com,DIRECT
- DOMAIN-SUFFIX,downloadmirror.intel.com,DIRECT

##在线IP段转CIDR地址:http://ip2cidr.com
#===================== 自定义规则 二 =====================#
script:

rules:

#===================== 配置文件 =====================#

port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
dns:
  enable: true
  ipv6: false
  nameserver:
  - 223.5.5.5
  - 180.76.76.76
  - 119.29.29.29
  - 117.50.11.11
  - 117.50.10.10
  - 114.114.114.114
  - https://dns.alidns.com/dns-query
  - https://doh.360.cn/dns-query
  fallback:
  - 8.8.8.8
  - tls://dns.rubyfish.cn:853
  - tls://1.0.0.1:853
  - tls://dns.google:853
  - https://dns.rubyfish.cn/dns-query
  - https://cloudflare-dns.com/dns-query
  - https://dns.google/dns-query
  fallback-filter:
    geoip: true
    ipcidr:
    - 240.0.0.0/4
    - 0.0.0.0/32
    - 127.0.0.1/32
    domain:
    - "+.google.com"
    - "+.facebook.com"
    - "+.youtube.com"
    - "+.xn--ngstr-lra8j.com"
    - "+.google.cn"
    - "+.googleapis.cn"
    - "+.gvt1.com"
  enhanced-mode: fake-ip
  fake-ip-range: 10.0.0.1/8
  listen: 0.0.0.0:7874
  default-nameserver:
  - 223.5.5.5
  - 180.76.76.76
  - 119.29.29.29
  - 117.50.11.11
  - 117.50.10.10
  - 114.114.114.114
  - 8.8.8.8
  - tls://1.0.0.1:853
redir-port: 7892
tproxy-port: 7895
mixed-port: 7893
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
ipv6: false
sniffer:
  enable: true
  parse-pure-ip: true
profile:
  store-selected: true
  store-fake-ip: true
authentication:
- mofa:123456

#===================== 自定义覆写设置 =====================#

#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path

exit 0
#===================== 自定义防火墙设置 =====================#

#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules

LOG_OUT "Tip: Start Add Custom Firewall Rules..."

exit 0
#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Tue Jun 18 16:37:23 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Tue Jun 18 16:37:23 2024

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Tue Jun 18 16:37:23 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -s 192.168.33.6/32 -m mark --mark 0x0/0xf -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -d 192.168.33.6/32 -m mark --mark 0x0/0xf -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -s 192.168.33.5/32 -m mark --mark 0x0/0xf -j MARK --set-xmark 0x44/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Tue Jun 18 16:37:23 2024

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Tue Jun 18 16:37:23 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i eth3 -o docker0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Jun 18 16:37:23 2024

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.7 on Tue Jun 18 16:37:23 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jun 18 16:37:23 2024

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.7 on Tue Jun 18 16:37:23 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Tue Jun 18 16:37:23 2024

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.7 on Tue Jun 18 16:37:23 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jun 18 16:37:23 2024

#===================== NFTABLES 防火墙设置 =====================#

table inet fw4 {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
        iifname { "br-lan.7", "br-lan.1007", "br-lan.1008" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        iifname { "br-lan.90", "br-lan.88", "macvlan_app" } jump input_dmz comment "!fw4: Handle dmz IPv4/IPv6 input traffic"
        iifname "zt2lrqfsvn" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
    }
}
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy accept;
        meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        iifname { "br-lan.7", "br-lan.1007", "br-lan.1008" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname { "br-lan.90", "br-lan.88", "macvlan_app" } jump forward_dmz comment "!fw4: Handle dmz IPv4/IPv6 forward traffic"
        iifname "zt2lrqfsvn" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
        jump upnp_forward comment "Hook into miniupnpd forwarding chain"
    }
}
table inet fw4 {
    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr { 8.8.4.4, 8.8.8.8 } tcp dport 53 counter packets 0 bytes 0 redirect to :7892 comment "OpenClash Google DNS Hijack"
        iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
        iifname { "br-lan.90", "br-lan.88", "macvlan_app" } jump dstnat_dmz comment "!fw4: Handle dmz IPv4/IPv6 dstnat traffic"
        jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
        ip protocol tcp counter packets 398 bytes 21541 jump openclash
    }
}
table inet fw4 {
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
    }
}
table inet fw4 {
    chain nat_output {
        type nat hook output priority filter - 1; policy accept;
        ip protocol tcp counter packets 136 bytes 8160 jump openclash_output
    }
}
table inet fw4 {
    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip protocol udp counter packets 1814 bytes 296632 jump openclash_mangle
    }
}
table inet fw4 {
    chain mangle_output {
        type route hook output priority mangle; policy accept;
    }
}
table inet fw4 {
    chain openclash {
        meta nfproto ipv4 tcp sport 7893 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 19 bytes 1121 return
        ip protocol tcp ip daddr 10.0.0.0/8 counter packets 0 bytes 0 redirect to :7892
        ip protocol tcp counter packets 379 bytes 20420 redirect to :7892
    }
}
table inet fw4 {
    chain openclash_mangle {
        meta nfproto ipv4 udp sport 7893 counter packets 0 bytes 0 return
        meta nfproto ipv4 udp sport 500 counter packets 0 bytes 0 return
        meta nfproto ipv4 udp sport 68 counter packets 34 bytes 11152 return
        meta l4proto udp iifname "lo" counter packets 297 bytes 46603 return
        ip daddr @localnetwork counter packets 1086 bytes 185842 return
        udp dport 53 counter packets 14 bytes 837 return
        meta l4proto udp ip daddr 10.0.0.0/8 meta mark set 0x00000162 tproxy ip to 127.0.0.1:7895 counter packets 0 bytes 0 accept
        ip protocol udp counter packets 383 bytes 52198 jump openclash_upnp
        meta l4proto udp meta mark set 0x00000162 tproxy ip to 127.0.0.1:7895 counter packets 383 bytes 52198 accept
    }
}
table inet fw4 {
    chain openclash_output {
        meta nfproto ipv4 tcp sport 7893 counter packets 0 bytes 0 return
        ip saddr 192.168.240.253 tcp sport 8443 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 19 bytes 1140 return
        ip protocol tcp ip daddr 10.0.0.0/8 meta skuid != 65534 counter packets 0 bytes 0 redirect to :7892
        ip protocol tcp meta skuid != 65534 counter packets 0 bytes 0 redirect to :7892
    }
}

#===================== IPSET状态 =====================#

#===================== 路由表状态 =====================#

#IPv4

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         100.73.0.1      0.0.0.0         UG    0      0        0 pppoe-wan
100.73.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.32.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan.88
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan.90
192.168.64.0    0.0.0.0         255.255.255.0   U     0      0        0 zt2lrqfsvn
192.168.128.0   192.168.64.252  255.255.255.0   UG    5000   0        0 zt2lrqfsvn
192.168.239.0   0.0.0.0         255.255.255.0   U     0      0        0 macvlan_app
192.168.240.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.7
192.168.241.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.1007
192.168.242.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.1008

#ip route list
default via 100.73.0.1 dev pppoe-wan proto static 
100.73.0.1 dev pppoe-wan proto kernel scope link src *WAN IP*.136 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.32.0/24 dev br-lan.88 proto kernel scope link src 192.168.32.254 
192.168.33.0/24 dev br-lan.90 proto kernel scope link src 192.168.33.254 
192.168.64.0/24 dev zt2lrqfsvn proto kernel scope link src 192.168.64.254 
192.168.128.0/24 via 192.168.64.252 dev zt2lrqfsvn proto static metric 5000 
192.168.239.0/24 dev macvlan_app proto kernel scope link src 192.168.239.254 
192.168.240.0/24 dev br-lan.7 proto kernel scope link src 192.168.240.254 
192.168.241.0/24 dev br-lan.1007 proto kernel scope link src 192.168.241.254 
192.168.242.0/24 dev br-lan.1008 proto kernel scope link src 192.168.242.254 

#ip rule show
0:  from all lookup local
32765:  from all fwmark 0x162 lookup 354
32766:  from all lookup main
32767:  from all lookup default

#IPv6

#route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
::/0                                        fe80::ce1a:faff:fee9:6520               UG    512    5        0 pppoe-wan
::/0                                        fe80::ce1a:faff:fee9:6520               UG    512    6        0 pppoe-wan
240e:350:1804:6cb9::/64                     ::                                      !n    2147483647 2        0 lo      
240e:352:190e:b300::/64                     ::                                      U     1024   3        0 br-lan.88
240e:352:190e:b310::/64                     ::                                      U     1024   1        0 br-lan.90
240e:352:190e:b320::/64                     ::                                      U     1024   2        0 br-lan.1007
240e:352:190e:b330::/64                     ::                                      U     1024   5        0 br-lan.7
240e:352:190e:b300::/56                     ::                                      !n    2147483647 1        0 lo      
fdbf:6008:a32f:239::1/128                   ::                                      U     256    1        0 macvlan_app
fdbf:6008:a32f:239::/64                     ::                                      U     1024   1        0 macvlan_app
fdbf:6008:a32f::/48                         ::                                      !n    2147483647 2        0 lo      
fe80::2d0:4c61:2110:537/128                 ::                                      U     256    1        0 pppoe-wan
fe80::ce1a:faff:fee9:6520/128               ::                                      U     256    1        0 pppoe-wan
fe80::/64                                   ::                                      U     256    1        0 zt2lrqfsvn
fe80::/64                                   ::                                      U     256    1        0 eth3    
fe80::/64                                   ::                                      U     256    5        0 br-lan  
fe80::/64                                   ::                                      U     256    5        0 br-lan.7
fe80::/64                                   ::                                      U     256    1        0 br-lan.88
fe80::/64                                   ::                                      U     256    4        0 br-lan.90
fe80::/64                                   ::                                      U     256    1        0 br-lan.1007
fe80::/64                                   ::                                      U     256    1        0 br-lan.1008
fe80::/64                                   ::                                      U     256    1        0 macvlan_app
::/0                                        ::                                      !n    -1     2        0 lo      
::1/128                                     ::                                      Un    0      7        0 lo      
240e:350:1804:6cb9::/128                    ::                                      Un    0      3        0 pppoe-wan
*WAN IP*:537/128    ::                                      Un    0      8        0 pppoe-wan
240e:352:190e:b300::/128                    ::                                      Un    0      3        0 br-lan.88
240e:352:190e:b300::1/128                   ::                                      Un    0      5        0 br-lan.88
240e:352:190e:b310::/128                    ::                                      Un    0      3        0 br-lan.90
240e:352:190e:b310::1/128                   ::                                      Un    0      3        0 br-lan.90
240e:352:190e:b320::/128                    ::                                      Un    0      3        0 br-lan.1007
240e:352:190e:b320::1/128                   ::                                      Un    0      8        0 br-lan.1007
240e:352:190e:b330::/128                    ::                                      Un    0      3        0 br-lan.7
240e:352:190e:b330::1/128                   ::                                      Un    0      3        0 br-lan.7
fdbf:6008:a32f:239::1/128                   ::                                      Un    0      2        0 macvlan_app
fe80::/128                                  ::                                      Un    0      4        0 zt2lrqfsvn
fe80::/128                                  ::                                      Un    0      3        0 macvlan_app
fe80::/128                                  ::                                      Un    0      3        0 br-lan.7
fe80::/128                                  ::                                      Un    0      3        0 eth3    
fe80::/128                                  ::                                      Un    0      3        0 br-lan.1008
fe80::/128                                  ::                                      Un    0      3        0 br-lan.88
fe80::/128                                  ::                                      Un    0      3        0 br-lan.90
fe80::/128                                  ::                                      Un    0      3        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 br-lan.1007
fe80::2d0:4c61:2110:537/128                 ::                                      Un    0      5        0 pppoe-wan
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      7        0 br-lan.7
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      2        0 br-lan.1008
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      2        0 br-lan.88
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      6        0 br-lan.90
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      2        0 br-lan  
fe80::2d0:4cff:fe10:534/128                 ::                                      Un    0      2        0 br-lan.1007
fe80::2d0:4cff:fe10:537/128                 ::                                      Un    0      2        0 eth3    
fe80::a47a:7ff:fe5c:e85a/128                ::                                      Un    0      4        0 zt2lrqfsvn
fe80::d41a:aeff:fe7e:d7c2/128               ::                                      Un    0      2        0 macvlan_app
ff00::/8                                    ::                                      U     256    6        0 macvlan_app
ff00::/8                                    ::                                      U     256    5        0 zt2lrqfsvn
ff00::/8                                    ::                                      U     256    4        0 eth3    
ff00::/8                                    ::                                      U     256    4        0 br-lan  
ff00::/8                                    ::                                      U     256    5        0 br-lan.7
ff00::/8                                    ::                                      U     256    5        0 br-lan.88
ff00::/8                                    ::                                      U     256    5        0 br-lan.90
ff00::/8                                    ::                                      U     256    4        0 br-lan.1007
ff00::/8                                    ::                                      U     256    5        0 br-lan.1008
ff00::/8                                    ::                                      U     256    5        0 pppoe-wan
::/0                                        ::                                      !n    -1     2        0 lo      

#ip -6 route list
default from 240e:350:1804:6cb9::/64 via fe80::ce1a:faff:fee9:6520 dev pppoe-wan proto static metric 512 pref medium
default from 240e:352:190e:b300::/56 via fe80::ce1a:faff:fee9:6520 dev pppoe-wan proto static metric 512 pref medium
unreachable 240e:350:1804:6cb9::/64 dev lo proto static metric 2147483647 pref medium
240e:352:190e:b300::/64 dev br-lan.88 proto static metric 1024 pref medium
240e:352:190e:b310::/64 dev br-lan.90 proto static metric 1024 pref medium
240e:352:190e:b320::/64 dev br-lan.1007 proto static metric 1024 pref medium
240e:352:190e:b330::/64 dev br-lan.7 proto static metric 1024 pref medium
unreachable 240e:352:190e:b300::/56 dev lo proto static metric 2147483647 pref medium
fdbf:6008:a32f:239::1 dev macvlan_app proto kernel metric 256 pref medium
fdbf:6008:a32f:239::/64 dev macvlan_app proto static metric 1024 pref medium
unreachable fdbf:6008:a32f::/48 dev lo proto static metric 2147483647 pref medium
fe80::2d0:4c61:2110:537 dev pppoe-wan proto kernel metric 256 pref medium
fe80::ce1a:faff:fee9:6520 dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev zt2lrqfsvn proto kernel metric 256 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-lan.7 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.88 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.90 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.1007 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.1008 proto kernel metric 256 pref medium
fe80::/64 dev macvlan_app proto kernel metric 256 pref medium

#ip -6 rule show
0:  from all lookup local
32766:  from all lookup main
4200000000: from 240e:352:190e:b300::1/60 iif br-lan.88 unreachable
4200000000: from 240e:352:190e:b310::1/60 iif br-lan.90 unreachable
4200000000: from 240e:352:190e:b320::1/60 iif br-lan.1007 unreachable
4200000000: from 240e:352:190e:b330::1/60 iif br-lan.7 unreachable

#===================== 端口占用状态 =====================#

tcp        0      0 :::9090                 :::*                    LISTEN      8748/clash
tcp        0      0 :::7890                 :::*                    LISTEN      8748/clash
tcp        0      0 :::7891                 :::*                    LISTEN      8748/clash
tcp        0      0 :::7892                 :::*                    LISTEN      8748/clash
tcp        0      0 :::7893                 :::*                    LISTEN      8748/clash
tcp        0      0 :::7895                 :::*                    LISTEN      8748/clash
udp        0      0 :::59601                :::*                                8748/clash
udp        0      0 :::43648                :::*                                8748/clash
udp        0      0 :::48326                :::*                                8748/clash
udp        0      0 :::36482                :::*                                8748/clash
udp        0      0 :::7874                 :::*                                8748/clash
udp        0      0 :::7891                 :::*                                8748/clash
udp        0      0 :::7892                 :::*                                8748/clash
udp        0      0 :::7893                 :::*                                8748/clash
udp        0      0 :::7895                 :::*                                8748/clash
udp        0      0 :::53891                :::*                                8748/clash
udp        0      0 :::50064                :::*                                8748/clash
udp        0      0 :::50752                :::*                                8748/clash
udp        0      0 :::42639                :::*                                8748/clash

#===================== 测试本机DNS查询(www.baidu.com) =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 240e:ff:e020:9ae:0:ff:b014:8e8b
Name:   www.a.shifen.com
Address: 240e:ff:e020:966:0:ff:b042:f296

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 183.2.172.185
Name:   www.a.shifen.com
Address: 183.2.172.42

#===================== 测试内核DNS查询(www.instagram.com) =====================#

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 1
  Qclass: 1

Answer: 
  TTL: 10
  data: 128.121.243.76
  name: www.instagram.com.
  type: 1

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 28
  Qclass: 1

Answer: 
  TTL: 1
  data: 2a03:2880:f10e:83:face:b00c:0:25de
  name: www.instagram.com.
  type: 28

Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto

#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#

# Interface lan
nameserver 119.29.29.29
nameserver 8.8.8.8

#===================== 测试本机网络连接(www.baidu.com) =====================#

HTTP/1.1 200 OK
Bdpagetype: 1
Bdqid: 0xf5839987001e00d7
Connection: keep-alive
Content-Length: 403128
Content-Type: text/html; charset=utf-8
Date: Tue, 18 Jun 2024 16:37:23 GMT
Server: BWS/1.1
Set-Cookie: BIDUPSID=9F87BA201AAE7D3DDA09DB6FAA70406C; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1718728643; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=3; path=/
Set-Cookie: BD_HOME=1; path=/
Set-Cookie: BAIDUID=9F87BA201AAE7D3DDA09DB6FAA70406C:FG=1; Path=/; Domain=baidu.com; Max-Age=31536000
Set-Cookie: BAIDUID_BFESS=9F87BA201AAE7D3DDA09DB6FAA70406C:FG=1; Path=/; Domain=baidu.com; Max-Age=31536000; Secure; SameSite=None
Traceid: 1718728643235279668217691152566343041239
Vary: Accept-Encoding
X-Ua-Compatible: IE=Edge,chrome=1
X-Xss-Protection: 1;mode=block

#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#

#===================== 最近运行日志(自动切换为Debug模式) =====================#

time="2024-06-18T16:33:25.884300659Z" level=info msg="Start initial Compatible provider Proxy"
time="2024-06-18T16:33:25.884414159Z" level=info msg="Start initial Compatible provider default"
2024-06-18 16:33:28 Step 6: Wait For The File Downloading...
2024-06-18 16:33:28 Step 7: Set Firewall Rules...
2024-06-18 16:33:28 Warning: Dnsmasq not Support nftset, Use ipset...
2024-06-18 16:33:28 Tip: DNS Hijacking is Disabled...
2024-06-18 16:33:28 Tip: Firewall4 was Detected, Use NFTABLE Rules...
2024-06-18 16:33:28 Tip: Waiting for TUN Interface Start...
2024-06-18 16:33:28 Tip: Start Add Port Bypassing Rules For Firewall Redirect and Firewall Rules...
2024-06-18 16:33:28 Tip: Start Add Custom Firewall Rules...
2024-06-18 16:33:28 Step 8: Restart Dnsmasq...
2024-06-18 16:33:40 Step 9: Add Cron Rules, Start Daemons...
2024-06-18 16:33:40 Warning: OpenClash Start Successful, Please Note That Network May Abnormal With IPv6's DHCP Server
2024-06-18 16:35:22 OpenClash Restart...
2024-06-18 16:35:22 OpenClash Stoping...
2024-06-18 16:35:22 Step 1: Backup The Current Groups State...
2024-06-18 16:35:22 Step 2: Delete OpenClash Firewall Rules...
2024-06-18 16:35:22 Step 3: Close The OpenClash Daemons...
2024-06-18 16:35:22 Step 4: Close The Clash Core Process...
2024-06-18 16:35:22 Step 5: Restart Dnsmasq...
2024-06-18 16:35:35 Step 6: Delete OpenClash Residue File...
2024-06-18 16:35:35 OpenClash Start Running...
2024-06-18 16:35:35 Step 1: Get The Configuration...
2024-06-18 16:35:35 Step 2: Check The Components...
2024-06-18 16:35:35 Tip: Because of the file【 /etc/config/openclash 】modificated, Pause quick start...
2024-06-18 16:35:35 Step 3: Modify The Config File...
2024-06-18 16:35:36 Tip: You have seted the authentication of SOCKS5/HTTP(S) proxy with【mofa:123456】
2024-06-18 16:35:36 Tip: Start Running Custom Overwrite Scripts...
2024-06-18 16:35:36 Step 4: Start Running The Clash Core...
2024-06-18 16:35:36 Tip: Detected The Exclusive Function of The Meta Core, Use Meta Core to Start...
2024-06-18 16:35:36 Test The Config File First...
time="2024-06-18T16:35:36.74554536Z" level=info msg="Start initial configuration in progress"
time="2024-06-18T16:35:36.746421854Z" level=info msg="Geodata Loader mode: memconservative"
time="2024-06-18T16:35:36.746432011Z" level=info msg="Geosite Matcher implementation: succinct"
time="2024-06-18T16:35:37.702781237Z" level=warning msg="[CacheFile] can't open cache file: timeout"
time="2024-06-18T16:35:37.702855578Z" level=warning msg="Deprecated: Use Sniff instead"
time="2024-06-18T16:35:37.702887549Z" level=info msg="Initial configuration complete, total time: 957ms"
2024-06-18 16:35:37 configuration file【/etc/openclash/shadowsocks.au.yaml】test is successful
2024-06-18 16:35:38 Step 5: Check The Core Status...
time="2024-06-18T16:35:39.300629057Z" level=info msg="Start initial configuration in progress"
time="2024-06-18T16:35:39.301519554Z" level=info msg="Geodata Loader mode: memconservative"
time="2024-06-18T16:35:39.301535215Z" level=info msg="Geosite Matcher implementation: succinct"
time="2024-06-18T16:35:39.313537748Z" level=warning msg="Deprecated: Use Sniff instead"
time="2024-06-18T16:35:39.313562671Z" level=info msg="Initial configuration complete, total time: 12ms"
time="2024-06-18T16:35:39.313836903Z" level=info msg="RESTful API listening at: [::]:9090"
time="2024-06-18T16:35:39.321774336Z" level=info msg="Authentication of local server updated"
time="2024-06-18T16:35:39.321796621Z" level=info msg="Sniffer is loaded and working"
time="2024-06-18T16:35:39.321877568Z" level=info msg="DNS server listening at: [::]:7874"
time="2024-06-18T16:35:39.321919332Z" level=info msg="HTTP proxy listening at: [::]:7890"
time="2024-06-18T16:35:39.321945914Z" level=info msg="SOCKS proxy listening at: [::]:7891"
time="2024-06-18T16:35:39.321973626Z" level=info msg="Redirect proxy listening at: [::]:7892"
time="2024-06-18T16:35:39.322019716Z" level=info msg="TProxy server listening at: [::]:7895"
time="2024-06-18T16:35:39.322046424Z" level=info msg="Mixed(http+socks) proxy listening at: [::]:7893"
time="2024-06-18T16:35:39.32318754Z" level=info msg="Start initial Compatible provider Auto"
time="2024-06-18T16:35:39.323246599Z" level=info msg="Start initial Compatible provider Proxy"
time="2024-06-18T16:35:39.323265388Z" level=info msg="Start initial Compatible provider default"
2024-06-18 16:35:41 Step 6: Wait For The File Downloading...
2024-06-18 16:35:41 Step 7: Set Firewall Rules...
2024-06-18 16:35:41 Warning: Dnsmasq not Support nftset, Use ipset...
2024-06-18 16:35:41 Tip: DNS Hijacking is Disabled...
2024-06-18 16:35:41 Tip: Firewall4 was Detected, Use NFTABLE Rules...
2024-06-18 16:35:41 Tip: Start Add Port Bypassing Rules For Firewall Redirect and Firewall Rules...
2024-06-18 16:35:42 Tip: Start Add Custom Firewall Rules...
2024-06-18 16:35:42 Step 8: Restart Dnsmasq...
2024-06-18 16:35:54 Step 9: Add Cron Rules, Start Daemons...
2024-06-18 16:35:54 Warning: OpenClash Start Successful, Please Note That Network May Abnormal With IPv6's DHCP Server
time="2024-06-18T16:37:37.30178984Z" level=debug msg="[Rule] use default rules"
time="2024-06-18T16:37:37.302821242Z" level=debug msg="[Process] find process 52.168.117.169 error: process not found"
time="2024-06-18T16:37:37.303004558Z" level=debug msg="[DNS] cache hit for tw-1.chianginc.com., expire at 2024-06-18 16:37:06"
time="2024-06-18T16:37:37.303136911Z" level=debug msg="[DNS] resolve tw-1.chianginc.com from udp://223.5.5.5:53"
time="2024-06-18T16:37:37.303209821Z" level=debug msg="[DNS] resolve tw-1.chianginc.com from https://dns.alidns.com:443/dns-query"
time="2024-06-18T16:37:37.303223342Z" level=debug msg="[DNS] resolve tw-1.chianginc.com from udp://119.29.29.29:53"
time="2024-06-18T16:37:37.303228687Z" level=debug msg="[DNS] resolve tw-1.chianginc.com from https://doh.360.cn:443/dns-query"
time="2024-06-18T16:37:37.303468775Z" level=debug msg="[DNS] cache hit for dns.alidns.com., expire at 2024-06-18 17:07:15"
time="2024-06-18T16:37:37.303608802Z" level=debug msg="[DNS] cache hit for doh.360.cn., expire at 2024-06-18 16:38:03"
time="2024-06-18T16:37:37.303232168Z" level=debug msg="[DNS] resolve tw-1.chianginc.com from udp://180.76.76.76:53"
time="2024-06-18T16:37:37.303249726Z" level=debug msg="[DNS] resolve tw-1.chianginc.com from udp://117.50.11.11:53"
time="2024-06-18T16:37:37.303246762Z" level=debug msg="[DNS] resolve tw-1.chianginc.com from udp://117.50.10.10:53"
time="2024-06-18T16:37:37.303263385Z" level=debug msg="[DNS] resolve tw-1.chianginc.com from udp://114.114.114.114:53"
time="2024-06-18T16:37:37.322798041Z" level=debug msg="[DNS] tw-1.chianginc.com --> [61.221.120.110] A from udp://223.5.5.5:53"
time="2024-06-18T16:37:37.441687359Z" level=info msg="[TCP] 192.168.241.10:57974 --> 52.168.117.169:443 match DstPort(443) using Proxy[台湾-TW-1-流量倍率:1.0]"
time="2024-06-18T16:37:39.123757692Z" level=debug msg="[Rule] use default rules"
time="2024-06-18T16:37:39.136258566Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:39.15921679Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:39.18624711Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:39.21998839Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:39.307752898Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:39.40865668Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:39.737309892Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:39.762939136Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:40.601000275Z" level=debug msg="TProxy local conn listener exit.. rAddr=118.26.252.214:8053 lAddr=192.168.242.26:54321"
time="2024-06-18T16:37:40.601101963Z" level=debug msg="Closing TProxy local conn... lAddr=192.168.242.26:54321 rAddr=118.26.252.214:8053"
time="2024-06-18T16:37:40.775867753Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:41.741809526Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) 192.168.241.209:37052 --> 171.107.181.50:21114 error: connect failed: dial tcp 171.107.181.50:21114: connect: connection refused"
time="2024-06-18T16:37:42.027530502Z" level=debug msg="[Rule] use default rules"
time="2024-06-18T16:37:42.028676069Z" level=info msg="[UDP] 192.168.242.26:54321 --> 14.215.35.7:8053 match GeoIP(cn) using DIRECT"
time="2024-06-18T16:37:42.042657876Z" level=debug msg="TProxy listenLocalConn rAddr=110.43.63.13:8053 lAddr=192.168.242.26:54321"
time="2024-06-18T16:37:42.050070956Z" level=debug msg="TProxy listenLocalConn rAddr=14.215.35.7:8053 lAddr=192.168.242.26:54321"
time="2024-06-18T16:37:42.070940398Z" level=debug msg="TProxy listenLocalConn rAddr=123.125.102.216:8053 lAddr=192.168.242.26:54321"
time="2024-06-18T16:37:42.076271695Z" level=debug msg="TProxy listenLocalConn rAddr=120.92.65.237:8053 lAddr=192.168.242.26:54321"

#===================== 最近运行日志获取完成(自动切换为silent模式) =====================#
Kation commented 5 months ago

@jelly21fish 访问外网的操作就进不了日志啊,就像openclash没解析到请求一样

Kation commented 5 months ago

@jelly21fish 我明白了,那就是localnetwork的问题
这个是在哪里修改的? 198.18.0.1/16只有65535个地址,我开启了FakeIP持久化,怕不够用……

Kation commented 5 months ago

@jelly21fish 看到了,晚上回去试试,非常感谢

Kation commented 5 months ago

@jelly21fish 流量控制删除了10.0.0.0/8后,openwrt能curl外网网站了
但是局域网客户端不行,FakeIP地址范围改回198.18.0.0/16也不行
感觉快搞通了,不知道哪里还有问题

Kation commented 5 months ago

@jelly21fish 奇怪的问题,我发现其它局域网设备可以上外网了,我本机不行,然后重启就能正常上外网了

所以问题只有流量控制本地 IPv4 绕过地址配置,需要排除FakeIP地址范围

CyrusHou commented 2 months ago

我也遇到这个问题,我无论是fake ip或者redirect模式下,只能用tun或者混合模式才能走通外网,现在[v0.46.031-beta]把tun内核拿掉了,我完全用不了,只能降版本使用,请问作者最后怎么解决的吗

Kation commented 2 months ago

我也遇到这个问题,我无论是fake ip或者redirect模式下,只能用tun或者混合模式才能走通外网,现在[v0.46.031-beta]把tun内核拿掉了,我完全用不了,只能降版本使用,请问作者最后怎么解决的吗

我也不知道怎么弄,我新部署了一个openwrt虚拟机,作为旁路由单独跑openclash,只有fake ip会路由到旁路有,也只有tun能生效。