vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

No core released after 1020 can use a DNS server on the LAN #999

Closed woaihsw closed 3 years ago

woaihsw commented 3 years ago

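Here's the situation: I have a Pi-hole running on a Raspberry Pi at the internal address 10.0.0.2...

To be honest, I'm not counting on it to filter any ads for me; I use it to keep statistics on each device's DNS requests...

But I found that as soon as I upgrade to any premium core released after October 20, including the November 19 build, the Pi-hole no longer receives any DNS requests...

As a result, neither domestic nor foreign sites can be reached.

Everything worked fine with earlier versions...

The mode in use is redir-host mixed mode...

The log from the latest core is attached below.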


OpenClash 调试日志

生成时间: 2020-11-20 13:17:21 插件版本: v0.40.15-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息


#===================== 系统信息 =====================#
主机型号: Intel(R) Core(TM) i3-5###U CPU @ 2.00GHz : 2 Core 4 Thread
固件版本: OpenWrt SNAPSHOT r3558-eaf077020e
LuCI版本: git-20.256.12360-1a54222-1
内核版本: 4.19.123
处理器架构: x86_64

#此项在使用Tun模式时应为ACCEPT
防火墙转发: ACCEPT

#此项有值时建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: 

#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#
dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
jsonfilter: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
iptables-mod-extra: 已安装
libcap: 已安装
libcap-bin: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 未安装

#===================== 内核检查 =====================#
运行状态: 运行中
进程pid: 20696
运行权限: 20696: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2020.11.19.g6e99b3d
Tun内核文件: 存在
Tun内核运行权限: 正常

Game内核版本: 
Game内核文件: 存在
Game内核运行权限: 正常

Dev内核版本: 
Dev内核文件: 不存在
Dev内核运行权限: 否

#===================== 插件设置 =====================#
当前配置文件: /etc/openclash/config/Master.yaml
运行模式: redir-host-mix
默认代理模式: rule
UDP流量转发: 停用
DNS劫持: 启用
自定义DNS: 启用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 启用
仅允许内网: 停用
仅代理命中规则流量: 停用
绕过中国大陆IP: 停用

#启动异常时建议关闭此项后重试
保留配置: 停用
第三方规则: 停用

#===================== 自定义规则 一 =====================#
##- DOMAIN-SUFFIX,google.com,Proxy 匹配域名后缀(交由Proxy代理服务器组)
##- DOMAIN-KEYWORD,google,Proxy 匹配域名关键字(交由Proxy代理服务器组)
##- DOMAIN,google.com,Proxy 匹配域名(交由Proxy代理服务器组)
##- DOMAIN-SUFFIX,ad.com,REJECT 匹配域名后缀(拒绝)
##- IP-CIDR,127.0.0.0/8,DIRECT 匹配数据目标IP(直连)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT 匹配数据发起IP(直连)
##- DST-PORT,80,DIRECT 匹配数据目标端口(直连)
##- SRC-PORT,7777,DIRECT 匹配数据源端口(直连)

##排序在上的规则优先生效,如添加(去除规则前的#号):
##IP段:192.168.1.2-192.168.1.200 直连
##- SRC-IP-CIDR,192.168.1.2/31,DIRECT
##- SRC-IP-CIDR,192.168.1.4/30,DIRECT
##- SRC-IP-CIDR,192.168.1.8/29,DIRECT
##- SRC-IP-CIDR,192.168.1.16/28,DIRECT
##- SRC-IP-CIDR,192.168.1.32/27,DIRECT
##- SRC-IP-CIDR,192.168.1.64/26,DIRECT
##- SRC-IP-CIDR,192.168.1.128/26,DIRECT
##- SRC-IP-CIDR,192.168.1.192/29,DIRECT
##- SRC-IP-CIDR,192.168.1.200/32,DIRECT

##IP段:192.168.1.202-192.168.1.255 直连
##- SRC-IP-CIDR,192.168.1.202/31,DIRECT
##- SRC-IP-CIDR,192.168.1.204/30,DIRECT
##- SRC-IP-CIDR,192.168.1.208/28,DIRECT
##- SRC-IP-CIDR,192.168.1.224/27,DIRECT

##此时IP为192.168.1.1和192.168.1.201的客户端流量走代理(策略),其余客户端不走代理
##因为Fake-IP模式下,IP地址为192.168.1.1的路由器自身流量可走代理(策略),所以需要排除
##在线IP段转CIDR地址:http://ip2cidr.com
#===================== 自定义规则 二 =====================#
##- DOMAIN-SUFFIX,google.com,Proxy 匹配域名后缀(交由Proxy代理服务器组)
##- DOMAIN-KEYWORD,google,Proxy 匹配域名关键字(交由Proxy代理服务器组)
##- DOMAIN,google.com,Proxy 匹配域名(交由Proxy代理服务器组)
##- DOMAIN-SUFFIX,ad.com,REJECT 匹配域名后缀(拒绝)
##- IP-CIDR,127.0.0.0/8,DIRECT 匹配数据目标IP(直连)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT 匹配数据发起IP(直连)
##- DST-PORT,80,DIRECT 匹配数据目标端口(直连)
##- SRC-PORT,7777,DIRECT 匹配数据源端口(直连)

#===================== 配置文件 =====================#
redir-port: 7892
interface-name: pppoe-wan
port: 7890
socks-port: 7891
ipv6: false
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
allow-lan: true
bind-address: "*"
external-ui: "/usr/share/openclash/dashboard"
tun:
  enable: true
  stack: system
  dns-hijack:
    - tcp://8.8.8.8:53
    - tcp://8.8.4.4:53
hosts:
##Custom HOSTS##
#  experimental hosts, support wildcard (e.g. *.clash.dev Even *.foo.*.example.com)
#  static domain has a higher priority than wildcard domain (foo.example.com > *.example.com)
#  NOTE: hosts don't work with `fake-ip`

#  '*.clash.dev': 127.0.0.1
#  'alpha.clash.dev': '::1'
##Custom HOSTS END##
dns:
  use-hosts: true
  listen: 127.0.0.1:7874
  enable: true
  ipv6: false
  enhanced-mode: redir-host
  nameserver:
##Custom DNS##
    - 10.0.0.2:53

#===================== 防火墙设置 =====================#

#NAT chain

# Generated by iptables-save v1.8.4 on Fri Nov 20 13:17:22 2020
*nat
:PREROUTING ACCEPT [112:8595]
:INPUT ACCEPT [101:6483]
:OUTPUT ACCEPT [179:12017]
:POSTROUTING ACCEPT [51:3480]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_lan_tri_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_lan_tri_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_lan_tri_postrouting - [0:0]
:zone_lan_tri_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -j ACCEPT
-A PREROUTING -d 8.8.8.8/32 -p tcp -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-lan_tri -m comment --comment "!fw3" -j zone_lan_tri_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-lan_tri -m comment --comment "!fw3" -j zone_lan_tri_postrouting
-A MINIUPNPD -p udp -m udp --dport 49502 -j DNAT --to-destination 10.0.0.111:49502
-A MINIUPNPD -p udp -m udp --dport 46226 -j DNAT --to-destination 10.0.0.111:46226
-A MINIUPNPD -p udp -m udp --dport 53538 -j DNAT --to-destination 10.0.0.111:53538
-A MINIUPNPD -p tcp -m tcp --dport 15668 -j DNAT --to-destination 10.0.0.121:15668
-A MINIUPNPD -p tcp -m tcp --dport 15669 -j DNAT --to-destination 10.0.0.121:15669
-A MINIUPNPD -p udp -m udp --dport 54633 -j DNAT --to-destination 10.0.0.111:54633
-A MINIUPNPD -p udp -m udp --dport 47227 -j DNAT --to-destination 10.0.0.111:47227
-A MINIUPNPD -p udp -m udp --dport 45387 -j DNAT --to-destination 10.0.0.133:45387
-A MINIUPNPD -p udp -m udp --dport 48575 -j DNAT --to-destination 10.0.0.111:48575
-A MINIUPNPD -p udp -m udp --dport 40384 -j DNAT --to-destination 10.0.0.121:40384
-A MINIUPNPD -p udp -m udp --dport 40431 -j DNAT --to-destination 10.0.0.121:40431
-A MINIUPNPD -p udp -m udp --dport 48475 -j DNAT --to-destination 10.0.0.121:48475
-A MINIUPNPD -p udp -m udp --dport 48429 -j DNAT --to-destination 10.0.0.121:48429
-A MINIUPNPD -p udp -m udp --dport 49065 -j DNAT --to-destination 10.0.0.121:49065
-A MINIUPNPD -p udp -m udp --dport 49091 -j DNAT --to-destination 10.0.0.121:49091
-A MINIUPNPD -p udp -m udp --dport 49122 -j DNAT --to-destination 10.0.0.121:49122
-A MINIUPNPD -p udp -m udp --dport 49142 -j DNAT --to-destination 10.0.0.121:49142
-A MINIUPNPD -p udp -m udp --dport 49922 -j DNAT --to-destination 10.0.0.121:49922
-A MINIUPNPD -p udp -m udp --dport 53415 -j DNAT --to-destination 10.0.0.111:53415
-A MINIUPNPD -p udp -m udp --dport 37318 -j DNAT --to-destination 10.0.0.121:37318
-A MINIUPNPD -p tcp -m tcp --dport 56666 -j DNAT --to-destination 10.0.0.2:56666
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 9998 -j RETURN
-A openclash_output -p tcp -m tcp --sport 4500 -j RETURN
-A openclash_output -p tcp -m tcp --sport 500 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1723 -j RETURN
-A openclash_output -p tcp -m tcp --sport 8920 -j RETURN
-A openclash_output -p tcp -m tcp --sport 28892 -j RETURN
-A openclash_output -p tcp -m tcp --sport 65430 -j RETURN
-A openclash_output -p tcp -m tcp --sport 23333 -j RETURN
-A openclash_output -p tcp -m tcp --sport 56666 -j RETURN
-A openclash_output -p tcp -m tcp --sport 9091 -j RETURN
-A openclash_output -p tcp -m tcp --sport 10001 -j RETURN
-A openclash_output -p tcp -m tcp --sport 9876 -j RETURN
-A openclash_output -p tcp -m tcp --sport 5001 -j RETURN
-A openclash_output -p tcp -m tcp --sport 5000 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -m multiport --dports 80,443 -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DSM_HTTP (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DSM_HTTP (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 9876 -m comment --comment "!fw3: SMOKEPING (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 9876 -m comment --comment "!fw3: SMOKEPING (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.111/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP_VM (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.111/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP_VM (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: TR_UI (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 9091 -m comment --comment "!fw3: TR_UI (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 56666 -m comment --comment "!fw3: TR_DATA (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 56666 -m comment --comment "!fw3: TR_DATA (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 23333 -m comment --comment "!fw3: DSM_SFTP (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 23333 -m comment --comment "!fw3: DSM_SFTP (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 65430 -m comment --comment "!fw3: SPEEDTEST (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 65430 -m comment --comment "!fw3: SPEEDTEST (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 28892 -m comment --comment "!fw3: BITWARDEN (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 28892 -m comment --comment "!fw3: BITWARDEN (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 8920 -m comment --comment "!fw3: JELLYFIN (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.1.2/32 -p udp -m udp --dport 8920 -m comment --comment "!fw3: JELLYFIN (reflection)" -j SNAT --to-source 10.0.0.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DSM_HTTP (reflection)" -j DNAT --to-destination 10.0.0.2:5000
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DSM_HTTP (reflection)" -j DNAT --to-destination 10.0.0.2:5000
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS (reflection)" -j DNAT --to-destination 10.0.0.2:5001
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS (reflection)" -j DNAT --to-destination 10.0.0.2:5001
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 9876 -m comment --comment "!fw3: SMOKEPING (reflection)" -j DNAT --to-destination 10.0.0.2:9876
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 9876 -m comment --comment "!fw3: SMOKEPING (reflection)" -j DNAT --to-destination 10.0.0.2:9876
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 10001 -m comment --comment "!fw3: RDP_VM (reflection)" -j DNAT --to-destination 10.0.0.111:3389
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 10001 -m comment --comment "!fw3: RDP_VM (reflection)" -j DNAT --to-destination 10.0.0.111:3389
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: TR_UI (reflection)" -j DNAT --to-destination 10.0.0.2:9091
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 9091 -m comment --comment "!fw3: TR_UI (reflection)" -j DNAT --to-destination 10.0.0.2:9091
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 56666 -m comment --comment "!fw3: TR_DATA (reflection)" -j DNAT --to-destination 10.0.0.2:56666
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 56666 -m comment --comment "!fw3: TR_DATA (reflection)" -j DNAT --to-destination 10.0.0.2:56666
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 23333 -m comment --comment "!fw3: DSM_SFTP (reflection)" -j DNAT --to-destination 10.0.0.2:23333
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 23333 -m comment --comment "!fw3: DSM_SFTP (reflection)" -j DNAT --to-destination 10.0.0.2:23333
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 65430 -m comment --comment "!fw3: SPEEDTEST (reflection)" -j DNAT --to-destination 10.0.0.2:65430
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 65430 -m comment --comment "!fw3: SPEEDTEST (reflection)" -j DNAT --to-destination 10.0.0.2:65430
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 28892 -m comment --comment "!fw3: BITWARDEN (reflection)" -j DNAT --to-destination 10.0.0.2:28892
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 28892 -m comment --comment "!fw3: BITWARDEN (reflection)" -j DNAT --to-destination 10.0.0.2:28892
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 8920 -m comment --comment "!fw3: JELLYFIN (reflection)" -j DNAT --to-destination 10.0.1.2:8920
-A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 8920 -m comment --comment "!fw3: JELLYFIN (reflection)" -j DNAT --to-destination 10.0.1.2:8920
-A zone_lan_tri_postrouting -m comment --comment "!fw3: Custom lan_tri postrouting rule chain" -j postrouting_lan_tri_rule
-A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp (reflection)" -j SNAT --to-source 10.0.1.1
-A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p udp -m udp --dport 1723 -m comment --comment "!fw3: pptp (reflection)" -j SNAT --to-source 10.0.1.1
-A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 500 -m comment --comment "!fw3: ike (reflection)" -j SNAT --to-source 10.0.1.1
-A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ike (reflection)" -j SNAT --to-source 10.0.1.1
-A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j SNAT --to-source 10.0.1.1
-A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j SNAT --to-source 10.0.1.1
-A zone_lan_tri_prerouting -m comment --comment "!fw3: Custom lan_tri prerouting rule chain" -j prerouting_lan_tri_rule
-A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp (reflection)" -j DNAT --to-destination 10.0.1.2:1723
-A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 1723 -m comment --comment "!fw3: pptp (reflection)" -j DNAT --to-destination 10.0.1.2:1723
-A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 500 -m comment --comment "!fw3: ike (reflection)" -j DNAT --to-destination 10.0.1.2:500
-A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ike (reflection)" -j DNAT --to-destination 10.0.1.2:500
-A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j DNAT --to-destination 10.0.1.2:4500
-A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j DNAT --to-destination 10.0.1.2:4500
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DSM_HTTP" -j DNAT --to-destination 10.0.0.2:5000
-A zone_wan_prerouting -p udp -m udp --dport 5000 -m comment --comment "!fw3: DSM_HTTP" -j DNAT --to-destination 10.0.0.2:5000
-A zone_wan_prerouting -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS" -j DNAT --to-destination 10.0.0.2:5001
-A zone_wan_prerouting -p udp -m udp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS" -j DNAT --to-destination 10.0.0.2:5001
-A zone_wan_prerouting -p tcp -m tcp --dport 9876 -m comment --comment "!fw3: SMOKEPING" -j DNAT --to-destination 10.0.0.2:9876
-A zone_wan_prerouting -p udp -m udp --dport 9876 -m comment --comment "!fw3: SMOKEPING" -j DNAT --to-destination 10.0.0.2:9876
-A zone_wan_prerouting -p tcp -m tcp --dport 10001 -m comment --comment "!fw3: RDP_VM" -j DNAT --to-destination 10.0.0.111:3389
-A zone_wan_prerouting -p udp -m udp --dport 10001 -m comment --comment "!fw3: RDP_VM" -j DNAT --to-destination 10.0.0.111:3389
-A zone_wan_prerouting -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: TR_UI" -j DNAT --to-destination 10.0.0.2:9091
-A zone_wan_prerouting -p udp -m udp --dport 9091 -m comment --comment "!fw3: TR_UI" -j DNAT --to-destination 10.0.0.2:9091
-A zone_wan_prerouting -p tcp -m tcp --dport 56666 -m comment --comment "!fw3: TR_DATA" -j DNAT --to-destination 10.0.0.2:56666
-A zone_wan_prerouting -p udp -m udp --dport 56666 -m comment --comment "!fw3: TR_DATA" -j DNAT --to-destination 10.0.0.2:56666
-A zone_wan_prerouting -p tcp -m tcp --dport 23333 -m comment --comment "!fw3: DSM_SFTP" -j DNAT --to-destination 10.0.0.2:23333
-A zone_wan_prerouting -p udp -m udp --dport 23333 -m comment --comment "!fw3: DSM_SFTP" -j DNAT --to-destination 10.0.0.2:23333
-A zone_wan_prerouting -p tcp -m tcp --dport 65430 -m comment --comment "!fw3: SPEEDTEST" -j DNAT --to-destination 10.0.0.2:65430
-A zone_wan_prerouting -p udp -m udp --dport 65430 -m comment --comment "!fw3: SPEEDTEST" -j DNAT --to-destination 10.0.0.2:65430
-A zone_wan_prerouting -p tcp -m tcp --dport 28892 -m comment --comment "!fw3: BITWARDEN" -j DNAT --to-destination 10.0.0.2:28892
-A zone_wan_prerouting -p udp -m udp --dport 28892 -m comment --comment "!fw3: BITWARDEN" -j DNAT --to-destination 10.0.0.2:28892
-A zone_wan_prerouting -p tcp -m tcp --dport 8920 -m comment --comment "!fw3: JELLYFIN" -j DNAT --to-destination 10.0.1.2:8920
-A zone_wan_prerouting -p udp -m udp --dport 8920 -m comment --comment "!fw3: JELLYFIN" -j DNAT --to-destination 10.0.1.2:8920
-A zone_wan_prerouting -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j DNAT --to-destination 10.0.1.2:1723
-A zone_wan_prerouting -p udp -m udp --dport 1723 -m comment --comment "!fw3: pptp" -j DNAT --to-destination 10.0.1.2:1723
-A zone_wan_prerouting -p tcp -m tcp --dport 500 -m comment --comment "!fw3: ike" -j DNAT --to-destination 10.0.1.2:500
-A zone_wan_prerouting -p udp -m udp --dport 500 -m comment --comment "!fw3: ike" -j DNAT --to-destination 10.0.1.2:500
-A zone_wan_prerouting -p tcp -m tcp --dport 4500 -m comment --comment "!fw3: ipsec" -j DNAT --to-destination 10.0.1.2:4500
-A zone_wan_prerouting -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec" -j DNAT --to-destination 10.0.1.2:4500
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Fri Nov 20 13:17:22 2020

#Mangle chain

# Generated by iptables-save v1.8.4 on Fri Nov 20 13:17:22 2020
*mangle
:PREROUTING ACCEPT [1599:206311]
:INPUT ACCEPT [1225:158006]
:FORWARD ACCEPT [363:47179]
:OUTPUT ACCEPT [1184:361188]
:POSTROUTING ACCEPT [1543:408207]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
-A PREROUTING -p udp -j openclash
-A PREROUTING -p tcp -m tcp --dport 53 -j openclash_dns_hijack
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A openclash -p udp -m udp --dport 9998 -j RETURN
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 546 -j RETURN
-A openclash -p udp -m udp --dport 68 -j RETURN
-A openclash -p udp -m udp --dport 4500 -j RETURN
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 1723 -j RETURN
-A openclash -p udp -m udp --dport 8920 -j RETURN
-A openclash -p udp -m udp --dport 28892 -j RETURN
-A openclash -p udp -m udp --dport 65430 -j RETURN
-A openclash -p udp -m udp --dport 23333 -j RETURN
-A openclash -p udp -m udp --dport 56666 -j RETURN
-A openclash -p udp -m udp --dport 9091 -j RETURN
-A openclash -p udp -m udp --dport 10001 -j RETURN
-A openclash -p udp -m udp --dport 9876 -j RETURN
-A openclash -p udp -m udp --dport 5001 -j RETURN
-A openclash -p udp -m udp --dport 5000 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.8.8/32 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.4.4/32 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Fri Nov 20 13:17:22 2020

#===================== 路由表状态 =====================#
#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         124.126.152.1   0.0.0.0         UG    0      0        0 pppoe-wan
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan_tri
124.126.152.1   0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
198.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 utun
#ip route list
default via 124.126.152.1 dev pppoe-wan proto static 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
10.0.1.0/24 dev br-lan_tri proto kernel scope link src 10.0.1.1 
124.126.152.1 dev pppoe-wan proto kernel scope link src 124.126.155.164 
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1 
#ip rule show
0:  from all lookup local 
219:    from all fwmark 0x162 lookup 354 
220:    from all lookup 220 
32766:  from all lookup main 
32767:  from all lookup default 

#===================== Tun设备状态 =====================#
utun: tun pi filter

#===================== 端口占用状态 =====================#
tcp        0      0 198.18.0.1:7777         0.0.0.0:*               LISTEN      20696/clash
tcp        0      0 :::7890                 :::*                    LISTEN      20696/clash
tcp        0      0 :::7891                 :::*                    LISTEN      20696/clash
tcp        0      0 :::7892                 :::*                    LISTEN      20696/clash
tcp        0      0 :::9090                 :::*                    LISTEN      20696/clash
udp        0      0 127.0.0.1:7874          0.0.0.0:*                           20696/clash
udp        0      0 198.18.0.1:7777         0.0.0.0:*                           20696/clash
udp        0      0 :::57466                :::*                                20696/clash
udp        0      0 :::47769                :::*                                20696/clash
udp        0      0 :::44716                :::*                                20696/clash
udp        0      0 :::58572                :::*                                20696/clash
udp        0      0 :::7891                 :::*                                20696/clash
udp        0      0 :::7892                 :::*                                20696/clash
udp        0      0 :::40382                :::*                                20696/clash

#===================== 测试本机DNS查询 =====================#
Server:     127.0.0.1
Address:    127.0.0.1#53

** server can't find www.baidu.com: SERVFAIL
*** Can't find www.baidu.com: No answer

#===================== resolv.conf.auto =====================#
# Interface wan
nameserver 219.141.140.10
nameserver 219.141.136.10

#===================== 测试本机网络连接 =====================#

#===================== 测试本机网络下载 =====================#

#===================== 最近运行日志 =====================#
2020-11-20 13:14:58 Error: OpenClash 【Tun】 Core Update Error
2020-11-20 13:15:14 Error: OpenClash 【Tun】 Core Update Error
2020-11-20 13:15:38 Error: OpenClash 【Tun】 Core Update Error
time="2020-11-20T05:16:03Z" level=info msg="Start initial provider DlerIEPL_Sub"
time="2020-11-20T05:16:03Z" level=info msg="Start initial provider DlerCTM_Sub"
time="2020-11-20T05:16:03Z" level=info msg="Start initial compatible provider Speedtest_DlerAGA"
time="2020-11-20T05:16:03Z" level=info msg="Start initial compatible provider AUTO"
time="2020-11-20T05:16:03Z" level=info msg="Start initial compatible provider PROXY"
time="2020-11-20T05:16:03Z" level=info msg="Start initial rule provider ChinaIP"
time="2020-11-20T05:16:03Z" level=info msg="Start initial rule provider Unbreak"
time="2020-11-20T05:16:03Z" level=info msg="Start initial rule provider Global"
time="2020-11-20T05:16:03Z" level=info msg="Start initial rule provider China"
time="2020-11-20T05:16:03Z" level=info msg="DNS server listening at: 127.0.0.1:7874"
2020-11-20 13:15:53 OpenClash Start Successful
2020-11-20 13:16:28 OpenClash 【Tun】 Core Update Successful
time="2020-11-20T05:16:46Z" level=info msg="Start initial provider DlerIEPL_Sub"
time="2020-11-20T05:16:46Z" level=info msg="Start initial provider DlerCTM_Sub"
time="2020-11-20T05:16:46Z" level=info msg="Start initial compatible provider Speedtest_DlerAGA"
time="2020-11-20T05:16:46Z" level=info msg="Start initial compatible provider AUTO"
time="2020-11-20T05:16:46Z" level=info msg="Start initial compatible provider PROXY"
time="2020-11-20T05:16:46Z" level=info msg="Start initial rule provider Unbreak"
time="2020-11-20T05:16:46Z" level=info msg="Start initial rule provider Global"
time="2020-11-20T05:16:46Z" level=info msg="Start initial rule provider China"
time="2020-11-20T05:16:46Z" level=info msg="Start initial rule provider ChinaIP"
time="2020-11-20T05:16:46Z" level=info msg="DNS server listening at: 127.0.0.1:7874"
2020-11-20 13:16:36 OpenClash Start Successful
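
jiatianxa commented 3 years ago

I reported this before and they said it was working normally. After a lot of fiddling, I found that an older OpenWrt kernel, around 5.4.6x, has no problem. The 7x ones don't work.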

woaihsw commented 3 years ago

@vernesong could you please take a look... I'm really out of options...

vernesong commented 3 years ago

interface-name: pppoe-wan: after disabling the related commands in the etc/init.d/openclash script, delete this entry from the config file, then restart.

woaihsw commented 3 years ago

Problem solved, THX.