vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

After enabling OpenClash, port forwards only reach OpenWrt itself; none of the devices behind it can be reached and the connection is reset. Has anyone run into this? #796

Closed michealhansun closed 2 years ago

michealhansun commented 4 years ago

After enabling OpenClash, port forwards only reach OpenWrt itself; none of the devices behind it can be reached and the connection is reset. Has anyone run into this?

RodmanWang commented 4 years ago

Use fake-ip enhanced mode or mixed mode.

vernesong commented 4 years ago

What does the firewall look like after startup? The expectation is that traffic for forwarded ports does not enter Clash.

michealhansun commented 4 years ago

OpenWrt version: koolshare LEDE 2.36
OpenClash version: 0.40.6
Current [Dev branch] core version | v1.1.0-19-g8766287
Current [TUN mode] core version | 2020.09.22.g2d3377d
Fake-IP (enhanced) mode
Local DNS hijack: enabled
Custom upstream DNS servers: enabled
Config file: server & policy group management (supports one-click config generation)
Selected config template: ConnersHua (rule set)
Rules


That is roughly the configuration; nothing else was changed. The Synology and remote PCs cannot be reached through the port forwards; only after turning OpenClash off can they connect.

vernesong commented 4 years ago

Post the firewall output. I'm not sure what koolshare does.

michealhansun commented 4 years ago

Firewall - Custom Rules. Custom rules allow you to execute arbitrary iptables commands that are not part of the firewall framework. The commands are executed after each firewall restart, right after the default rule set has been loaded.

```
iptables -I FORWARD -i ztnfaho2an -j ACCEPT
iptables -I FORWARD -o ztnfaho2an -j ACCEPT
iptables -t nat -I POSTROUTING -o ztnfaho2an -j MASQUERADE
```

michealhansun commented 4 years ago

```
OpenClash 调试日志

生成时间: 2020-09-28 08:21:44
插件版本: v0.40.6-beta

===================== 系统信息 =====================

主机型号: QEMU Standard PC (i440FX + PIIX, 1996)
固件版本: Openwrt Koolshare mod V2.36 r14941-67f6fa0a30
LuCI版本: git-20.074.84698-ead5e81
内核版本: 5.4.52
处理器架构: x86_64

此项在使用Tun模式时应为ACCEPT
防火墙转发: ACCEPT

此项有值时建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP:

此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

===================== 依赖检查 =====================

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
jsonfilter: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装

===================== 内核检查 =====================

运行状态: 运行中
已选择的架构: linux-amd64

下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限

Tun内核版本: 2020.09.22.g2d3377d
Tun内核文件: 存在
Tun内核运行权限: 正常

Game内核版本: v0.17.0-194-gbe86985
Game内核文件: 存在
Game内核运行权限: 正常

Dev内核版本: v1.1.0-19-g8766287
Dev内核文件: 存在
Dev内核运行权限: 正常

===================== 插件设置 =====================

当前配置文件: /etc/openclash/config/config.yaml
运行模式: fake-ip
默认代理模式: rule
UDP流量转发: 启用
DNS劫持: 启用
自定义DNS: 启用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 启用
绕过中国大陆IP: 停用

启动异常时建议关闭此项后重试
保留配置: 停用

启动异常时建议关闭此项后重试
第三方规则: ConnersHua
第三方规则策略组设置:
GlobalTV: GlobalTV
AsianTV: AsianTV
Proxy: Proxy
Apple: Apple
Netflix: Netflix
Spotify: Spotify
Steam: Steam
AdBlock: AdBlock
Netease Music:
Speedtest: Speedtest
Telegram: Telegram
Microsoft: Microsoft
PayPal: PayPal
Domestic: Domestic
Others: Others

读取的配置文件策略组: Auto - UrlTest Proxy Domestic Others AsianTV GlobalTV DIRECT REJECT

===================== 配置文件 =====================

redir-port: 7892
port: 7890
socks-port: 7891
ipv6: false
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
secret: "123456"
allow-lan: true
bind-address: "*"
external-ui: "/usr/share/openclash/dashboard"
dns:
  enable: true
  ipv6: false
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  listen: 127.0.0.1:7874
  fake-ip-filter:

Custom fake-ip-filter

===================== 防火墙设置 =====================

NAT chain

Chain PREROUTING (policy ACCEPT)
num  target               prot opt source     destination
1    REDIRECT             tcp  --  0.0.0.0/0  8.8.4.4      redir ports 7892
2    REDIRECT             tcp  --  0.0.0.0/0  8.8.8.8      redir ports 7892
3    prerouting_rule      all  --  0.0.0.0/0  0.0.0.0/0    /* !fw3: Custom prerouting rule chain */
4    KOOLPROXY            tcp  --  0.0.0.0/0  0.0.0.0/0
5    zone_lan_prerouting  all  --  0.0.0.0/0  0.0.0.0/0    /* !fw3 */
6    openclash            tcp  --  0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target            prot opt source     destination
1    openclash_output  tcp  --  0.0.0.0/0  0.0.0.0/0

Mangle chain

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source     destination
1    openclash  udp  --  0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source  destination

===================== 路由表状态 =====================

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.2     0.0.0.0         UG    0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.191.0   0.0.0.0         255.255.255.0   U     0      0        0 ztnfaho2an

ip route list

default via 192.168.1.2 dev br-lan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.3
192.168.191.0/24 dev ztnfaho2an proto kernel scope link src 192.168.191.3

ip rule show

0:      from all lookup local
32765:  from all fwmark 0x162 lookup 354
32766:  from all lookup main
32767:  from all lookup default

===================== 端口占用状态 =====================

tcp   0  0 :::9090         :::*       LISTEN  29866/clash
tcp   0  0 :::7890         :::*       LISTEN  29866/clash
tcp   0  0 :::7891         :::*       LISTEN  29866/clash
tcp   0  0 :::7892         :::*       LISTEN  29866/clash
udp   0  0 127.0.0.1:7874  0.0.0.0:*          29866/clash
udp   0  0 :::50205        :::*               29866/clash
udp   0  0 :::7891         :::*               29866/clash
udp   0  0 :::7892         :::*               29866/clash
udp   0  0 :::30466        :::*               29866/clash
udp   0  0 :::12094        :::*               29866/clash
udp   0  0 :::24402        :::*               29866/clash
udp   0  0 :::19795        :::*               29866/clash
udp   0  0 :::25470        :::*               29866/clash
udp   0  0 :::59829        :::*               29866/clash
udp   0  0 :::30169        :::*               29866/clash
udp   0  0 :::12252        :::*               29866/clash

===================== 测试本机DNS查询 =====================

Name:      www.baidu.com
Address 1: 198.18.0.40

===================== resolv.conf.d =====================

Interface lan
nameserver 192.168.1.3

===================== 测试本机网络连接 =====================

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Mon, 28 Sep 2020 00:21:44 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

===================== 测试本机网络下载 =====================

HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 78
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "97afa4c0bbc75244ccc8a610b442a7a9b44a59804544f5c8f9c969cd2a952777"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Via: 1.1 varnish (Varnish/6.0)
X-GitHub-Request-Id: C76A:7EF8:4F7D0:5CE0D:5F712B5F
Accept-Ranges: bytes
Date: Mon, 28 Sep 2020 00:21:45 GMT
Via: 1.1 varnish
X-Served-By: cache-hkg17921-HKG
X-Cache: HIT, HIT
X-Cache-Hits: 1, 1
X-Timer: S1601252505.153481,VS0,VE298
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: a1de5f7a64040899029123d05716dbd2047d85f8
Expires: Mon, 28 Sep 2020 00:26:45 GMT
Source-Age: 0

===================== 最近运行日志 =====================

time="2020-09-27T00:00:12+08:00" level=info msg="Start initial compatible provider Proxy"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial compatible provider Domestic"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial compatible provider GlobalTV"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial compatible provider AsianTV"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial compatible provider Others"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial rule provider China"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial rule provider ChinaIP"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial rule provider Unbreak"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial rule provider Streaming"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial rule provider StreamingSE"
time="2020-09-27T00:00:12+08:00" level=info msg="Start initial rule provider Global"
time="2020-09-27T00:00:13+08:00" level=info msg="DNS server listening at: 127.0.0.1:7874"
2020-09-27 00:00:08 OpenClash Start Successful
2020-09-27 00:00:00 GEOIP Database Update Successful
2020-09-28 00:00:00 Updated Other Rules 【ConnersHua】 No Change, Do Nothing
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial compatible provider Others"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial compatible provider Auto - UrlTest"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial compatible provider Proxy"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial compatible provider Domestic"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial compatible provider GlobalTV"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial compatible provider AsianTV"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial rule provider StreamingSE"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial rule provider Global"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial rule provider China"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial rule provider ChinaIP"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial rule provider Unbreak"
time="2020-09-28T00:02:49+08:00" level=info msg="Start initial rule provider Streaming"
time="2020-09-28T00:02:49+08:00" level=info msg="DNS server listening at: 127.0.0.1:7874"
2020-09-28 00:02:45 OpenClash Start Successful
2020-09-28 00:00:00 GEOIP Database Update Successful
```

michealhansun commented 4 years ago

Found a solution: change the run mode to Redir-Host, set the LAN access control mode to blacklist mode, and add the IPs of the devices that need port forwarding. Then they can be reached.

ghost commented 4 years ago

You are using fake-ip mode. Fake-ip requires all traffic to pass through Clash. If you don't want the other devices to be affected, configure 114.114.114.114 or your local ISP's DNS server on those devices in place of OpenWrt's default DNS server (because under fake-ip, OpenWrt's DNS server hands out fake IPs). Also check whether the OpenWrt firewall has a forced redirect of DNS port 53 configured; if it does, delete it. @michealhansun

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

loohalh commented 2 years ago

> Found a solution: change the run mode to Redir-Host, set the LAN access control mode to blacklist mode, and add the IPs of the devices that need port forwarding. Then they can be reached.

Should the IP of the device that needs forwarding be added on the WAN side that bypasses the proxy, or on the LAN side? My OpenWrt is a side router (bypass gateway).

Zephyr-Ran commented 2 years ago

For a side router, just delete the WAN interface.

simbaweng commented 1 year ago

> Found a solution: change the run mode to Redir-Host, set the LAN access control mode to blacklist mode, and add the IPs of the devices that need port forwarding. Then they can be reached.

If it's an all-in-one system this isn't great: it fixes remote access, but the Win10 inside the all-in-one can no longer reach overseas sites! It's best to assign blacklisted IPs to the NAS that doesn't need overseas access; for remote desktop systems, you can use the "source ports that bypass the core" option!

RealHossie commented 1 year ago

Same problem here. The router runs in an ESXi VM with iKuai in front and OpenWrt hanging off it as a side router, running OpenClash in redir-host mode. So far the only workaround is putting devices on the blacklist, but it doesn't seem to work for all of them. Can anyone solve this at the root?

TerryBusy commented 1 year ago

> You are using fake-ip mode. Fake-ip requires all traffic to pass through Clash. If you don't want the other devices to be affected, configure 114.114.114.114 or your local ISP's DNS server on those devices in place of OpenWrt's default DNS server (because under fake-ip, OpenWrt's DNS server hands out fake IPs). Also check whether the OpenWrt firewall has a forced redirect of DNS port 53 configured; if it does, delete it. @michealhansun

Just comment out these two lines under Firewall - Custom Rules:

```
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53

iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
```
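The check @ghost and @TerryBusy describe, written out as an added diagnostic that is not code from this thread or from OpenClash: a POSIX shell snippet that scans `iptables -t nat -S PREROUTING` output for rules that force port-53 traffic elsewhere and prints the matching `iptables -D` command for review. The sample rule list is constructed from the rules quoted above, not captured from the reporter's router.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S PREROUTING` output, modelled on the
# rules quoted in this thread: the OpenClash 8.8.8.8/8.8.4.4 redirects plus the
# two custom port-53 rules. On a live router use instead:
#   find_dns_redirects "$(iptables -t nat -S PREROUTING)"
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 8.8.4.4/32 -p tcp -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -j REDIRECT --to-ports 7892
-A PREROUTING -j prerouting_rule
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -j openclash'

# Print every rule that matches destination port 53 and rewrites the
# destination (REDIRECT or DNAT). Plain jumps into a chain such as openclash
# are not reported, so OpenClash's own chain is left alone.
find_dns_redirects() {
    printf '%s\n' "$1" | grep -E -e '--dport 53( |$).*-j (REDIRECT|DNAT)'
}

# Number of such rules. 0 means clients' own DNS settings are honoured, which
# is what a device that must stay reachable through a port forward needs.
count_dns_redirects() {
    n=$(find_dns_redirects "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Turn one reported `-A` rule into the `iptables -D` command that removes it,
# so the fix can be reviewed before it is applied.
delete_command() {
    printf '%s\n' "$1" | sed 's/^-A /iptables -t nat -D /'
}

count_dns_redirects "$SAMPLE_RULES"
find_dns_redirects "$SAMPLE_RULES" | while read -r rule; do
    delete_command "$rule"
done
```

If the custom rules in LuCI also contain these lines, removing them from the firewall page is what makes the change survive a firewall restart; the `-D` commands only clear the running table.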