Closed woaihsw closed 3 years ago
是这样的, 我有个pihole跑在内网地址10.0.0.2的树莓派上...
说实话我也不图它给我过滤什么广告, 我用它是为了统计下各个设备的dns请求...
但是我发现只要升级到十月二十号之后的premium内核, 包括十一月十九号的版本, pihole就收不到任何dns请求了...
后果就是国内国外都无法访问
之前的版本都一切正常...
使用的模式是redir-host混合模式...
后附最新内核的日志
OpenClash 调试日志
生成时间: 2020-11-20 13:17:21 插件版本: v0.40.15-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息
#===================== 系统信息 =====================# 主机型号: Intel(R) Core(TM) i3-5###U CPU @ 2.00GHz : 2 Core 4 Thread 固件版本: OpenWrt SNAPSHOT r3558-eaf077020e LuCI版本: git-20.256.12360-1a54222-1 内核版本: 4.19.123 处理器架构: x86_64 #此项在使用Tun模式时应为ACCEPT 防火墙转发: ACCEPT #此项有值时建议到网络-接口-lan的设置中禁用IPV6的DHCP IPV6-DHCP: #此项结果应仅有配置文件的DNS监听地址 Dnsmasq转发设置: 127.0.0.1#7874 #===================== 依赖检查 =====================# dnsmasq-full: 已安装 coreutils: 已安装 coreutils-nohup: 已安装 bash: 已安装 curl: 已安装 jsonfilter: 已安装 ca-certificates: 已安装 ipset: 已安装 ip-full: 已安装 iptables-mod-tproxy: 已安装 iptables-mod-extra: 已安装 libcap: 已安装 libcap-bin: 已安装 kmod-tun(TUN模式): 已安装 luci-compat(Luci-19.07): 未安装 #===================== 内核检查 =====================# 运行状态: 运行中 进程pid: 20696 运行权限: 20696: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource=eip 运行用户: nobody 已选择的架构: linux-amd64 #下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限 Tun内核版本: 2020.11.19.g6e99b3d Tun内核文件: 存在 Tun内核运行权限: 正常 Game内核版本: Game内核文件: 存在 Game内核运行权限: 正常 Dev内核版本: Dev内核文件: 不存在 Dev内核运行权限: 否 #===================== 插件设置 =====================# 当前配置文件: /etc/openclash/config/Master.yaml 运行模式: redir-host-mix 默认代理模式: rule UDP流量转发: 停用 DNS劫持: 启用 自定义DNS: 启用 IPV6-DNS解析: 停用 禁用Dnsmasq缓存: 启用 自定义规则: 启用 仅允许内网: 停用 仅代理命中规则流量: 停用 绕过中国大陆IP: 停用 #启动异常时建议关闭此项后重试 保留配置: 停用 第三方规则: 停用 #===================== 自定义规则 一 =====================# ##- DOMAIN-SUFFIX,google.com,Proxy 匹配域名后缀(交由Proxy代理服务器组) ##- DOMAIN-KEYWORD,google,Proxy 匹配域名关键字(交由Proxy代理服务器组) ##- DOMAIN,google.com,Proxy 匹配域名(交由Proxy代理服务器组) ##- DOMAIN-SUFFIX,ad.com,REJECT 匹配域名后缀(拒绝) ##- IP-CIDR,127.0.0.0/8,DIRECT 匹配数据目标IP(直连) ##- SRC-IP-CIDR,192.168.1.201/32,DIRECT 匹配数据发起IP(直连) ##- DST-PORT,80,DIRECT 匹配数据目标端口(直连) ##- SRC-PORT,7777,DIRECT 匹配数据源端口(直连) ##排序在上的规则优先生效,如添加(去除规则前的#号): ##IP段:192.168.1.2-192.168.1.200 直连 ##- SRC-IP-CIDR,192.168.1.2/31,DIRECT ##- SRC-IP-CIDR,192.168.1.4/30,DIRECT ##- SRC-IP-CIDR,192.168.1.8/29,DIRECT ##- SRC-IP-CIDR,192.168.1.16/28,DIRECT ##- SRC-IP-CIDR,192.168.1.32/27,DIRECT ##- SRC-IP-CIDR,192.168.1.64/26,DIRECT ##- SRC-IP-CIDR,192.168.1.128/26,DIRECT ##- SRC-IP-CIDR,192.168.1.192/29,DIRECT ##- SRC-IP-CIDR,192.168.1.200/32,DIRECT ##IP段:192.168.1.202-192.168.1.255 直连 ##- SRC-IP-CIDR,192.168.1.202/31,DIRECT ##- SRC-IP-CIDR,192.168.1.204/30,DIRECT ##- SRC-IP-CIDR,192.168.1.208/28,DIRECT ##- SRC-IP-CIDR,192.168.1.224/27,DIRECT ##此时IP为192.168.1.1和192.168.1.201的客户端流量走代理(策略),其余客户端不走代理 ##因为Fake-IP模式下,IP地址为192.168.1.1的路由器自身流量可走代理(策略),所以需要排除 ##在线IP段转CIDR地址:http://ip2cidr.com #===================== 自定义规则 二 =====================# ##- DOMAIN-SUFFIX,google.com,Proxy 匹配域名后缀(交由Proxy代理服务器组) ##- DOMAIN-KEYWORD,google,Proxy 匹配域名关键字(交由Proxy代理服务器组) ##- DOMAIN,google.com,Proxy 匹配域名(交由Proxy代理服务器组) ##- DOMAIN-SUFFIX,ad.com,REJECT 匹配域名后缀(拒绝) ##- IP-CIDR,127.0.0.0/8,DIRECT 匹配数据目标IP(直连) ##- SRC-IP-CIDR,192.168.1.201/32,DIRECT 匹配数据发起IP(直连) ##- DST-PORT,80,DIRECT 匹配数据目标端口(直连) ##- SRC-PORT,7777,DIRECT 匹配数据源端口(直连) #===================== 配置文件 =====================# redir-port: 7892 interface-name: pppoe-wan port: 7890 socks-port: 7891 ipv6: false mode: rule log-level: silent external-controller: 0.0.0.0:9090 allow-lan: true bind-address: "*" external-ui: "/usr/share/openclash/dashboard" tun: enable: true stack: system dns-hijack: - tcp://8.8.8.8:53 - tcp://8.8.4.4:53 hosts: ##Custom HOSTS## # experimental hosts, support wildcard (e.g. *.clash.dev Even *.foo.*.example.com) # static domain has a higher priority than wildcard domain (foo.example.com > *.example.com) # NOTE: hosts don't work with `fake-ip` # '*.clash.dev': 127.0.0.1 # 'alpha.clash.dev': '::1' ##Custom HOSTS END## dns: use-hosts: true listen: 127.0.0.1:7874 enable: true ipv6: false enhanced-mode: redir-host nameserver: ##Custom DNS## - 10.0.0.2:53 #===================== 防火墙设置 =====================# #NAT chain # Generated by iptables-save v1.8.4 on Fri Nov 20 13:17:22 2020 *nat :PREROUTING ACCEPT [112:8595] :INPUT ACCEPT [101:6483] :OUTPUT ACCEPT [179:12017] :POSTROUTING ACCEPT [51:3480] :MINIUPNPD - [0:0] :MINIUPNPD-POSTROUTING - [0:0] :openclash - [0:0] :openclash_output - [0:0] :postrouting_lan_rule - [0:0] :postrouting_lan_tri_rule - [0:0] :postrouting_rule - [0:0] :postrouting_wan_rule - [0:0] :prerouting_lan_rule - [0:0] :prerouting_lan_tri_rule - [0:0] :prerouting_rule - [0:0] :prerouting_wan_rule - [0:0] :zone_lan_postrouting - [0:0] :zone_lan_prerouting - [0:0] :zone_lan_tri_postrouting - [0:0] :zone_lan_tri_prerouting - [0:0] :zone_wan_postrouting - [0:0] :zone_wan_prerouting - [0:0] -A PREROUTING -d 8.8.4.4/32 -p tcp -j ACCEPT -A PREROUTING -d 8.8.8.8/32 -p tcp -j ACCEPT -A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting -A PREROUTING -i br-lan_tri -m comment --comment "!fw3" -j zone_lan_tri_prerouting -A PREROUTING -p tcp -j openclash -A OUTPUT -j openclash_output -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting -A POSTROUTING -o br-lan_tri -m comment --comment "!fw3" -j zone_lan_tri_postrouting -A MINIUPNPD -p udp -m udp --dport 49502 -j DNAT --to-destination 10.0.0.111:49502 -A MINIUPNPD -p udp -m udp --dport 46226 -j DNAT --to-destination 10.0.0.111:46226 -A MINIUPNPD -p udp -m udp --dport 53538 -j DNAT --to-destination 10.0.0.111:53538 -A MINIUPNPD -p tcp -m tcp --dport 15668 -j DNAT --to-destination 10.0.0.121:15668 -A MINIUPNPD -p tcp -m tcp --dport 15669 -j DNAT --to-destination 10.0.0.121:15669 -A MINIUPNPD -p udp -m udp --dport 54633 -j DNAT --to-destination 10.0.0.111:54633 -A MINIUPNPD -p udp -m udp --dport 47227 -j DNAT --to-destination 10.0.0.111:47227 -A MINIUPNPD -p udp -m udp --dport 45387 -j DNAT --to-destination 10.0.0.133:45387 -A MINIUPNPD -p udp -m udp --dport 48575 -j DNAT --to-destination 10.0.0.111:48575 -A MINIUPNPD -p udp -m udp --dport 40384 -j DNAT --to-destination 10.0.0.121:40384 -A MINIUPNPD -p udp -m udp --dport 40431 -j DNAT --to-destination 10.0.0.121:40431 -A MINIUPNPD -p udp -m udp --dport 48475 -j DNAT --to-destination 10.0.0.121:48475 -A MINIUPNPD -p udp -m udp --dport 48429 -j DNAT --to-destination 10.0.0.121:48429 -A MINIUPNPD -p udp -m udp --dport 49065 -j DNAT --to-destination 10.0.0.121:49065 -A MINIUPNPD -p udp -m udp --dport 49091 -j DNAT --to-destination 10.0.0.121:49091 -A MINIUPNPD -p udp -m udp --dport 49122 -j DNAT --to-destination 10.0.0.121:49122 -A MINIUPNPD -p udp -m udp --dport 49142 -j DNAT --to-destination 10.0.0.121:49142 -A MINIUPNPD -p udp -m udp --dport 49922 -j DNAT --to-destination 10.0.0.121:49922 -A MINIUPNPD -p udp -m udp --dport 53415 -j DNAT --to-destination 10.0.0.111:53415 -A MINIUPNPD -p udp -m udp --dport 37318 -j DNAT --to-destination 10.0.0.121:37318 -A MINIUPNPD -p tcp -m tcp --dport 56666 -j DNAT --to-destination 10.0.0.2:56666 -A openclash -m set --match-set localnetwork dst -j RETURN -A openclash -p tcp -j REDIRECT --to-ports 7892 -A openclash_output -p tcp -m tcp --sport 1688 -j RETURN -A openclash_output -p tcp -m tcp --sport 9998 -j RETURN -A openclash_output -p tcp -m tcp --sport 4500 -j RETURN -A openclash_output -p tcp -m tcp --sport 500 -j RETURN -A openclash_output -p tcp -m tcp --sport 1723 -j RETURN -A openclash_output -p tcp -m tcp --sport 8920 -j RETURN -A openclash_output -p tcp -m tcp --sport 28892 -j RETURN -A openclash_output -p tcp -m tcp --sport 65430 -j RETURN -A openclash_output -p tcp -m tcp --sport 23333 -j RETURN -A openclash_output -p tcp -m tcp --sport 56666 -j RETURN -A openclash_output -p tcp -m tcp --sport 9091 -j RETURN -A openclash_output -p tcp -m tcp --sport 10001 -j RETURN -A openclash_output -p tcp -m tcp --sport 9876 -j RETURN -A openclash_output -p tcp -m tcp --sport 5001 -j RETURN -A openclash_output -p tcp -m tcp --sport 5000 -j RETURN -A openclash_output -m set --match-set localnetwork dst -j RETURN -A openclash_output -p tcp -m owner ! --uid-owner 65534 -m multiport --dports 80,443 -j REDIRECT --to-ports 7892 -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DSM_HTTP (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DSM_HTTP (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 9876 -m comment --comment "!fw3: SMOKEPING (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 9876 -m comment --comment "!fw3: SMOKEPING (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.111/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP_VM (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.111/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP_VM (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: TR_UI (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 9091 -m comment --comment "!fw3: TR_UI (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 56666 -m comment --comment "!fw3: TR_DATA (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 56666 -m comment --comment "!fw3: TR_DATA (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 23333 -m comment --comment "!fw3: DSM_SFTP (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 23333 -m comment --comment "!fw3: DSM_SFTP (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 65430 -m comment --comment "!fw3: SPEEDTEST (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 65430 -m comment --comment "!fw3: SPEEDTEST (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 28892 -m comment --comment "!fw3: BITWARDEN (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.2/32 -p udp -m udp --dport 28892 -m comment --comment "!fw3: BITWARDEN (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 8920 -m comment --comment "!fw3: JELLYFIN (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.1.2/32 -p udp -m udp --dport 8920 -m comment --comment "!fw3: JELLYFIN (reflection)" -j SNAT --to-source 10.0.0.1 -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DSM_HTTP (reflection)" -j DNAT --to-destination 10.0.0.2:5000 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DSM_HTTP (reflection)" -j DNAT --to-destination 10.0.0.2:5000 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS (reflection)" -j DNAT --to-destination 10.0.0.2:5001 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS (reflection)" -j DNAT --to-destination 10.0.0.2:5001 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 9876 -m comment --comment "!fw3: SMOKEPING (reflection)" -j DNAT --to-destination 10.0.0.2:9876 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 9876 -m comment --comment "!fw3: SMOKEPING (reflection)" -j DNAT --to-destination 10.0.0.2:9876 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 10001 -m comment --comment "!fw3: RDP_VM (reflection)" -j DNAT --to-destination 10.0.0.111:3389 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 10001 -m comment --comment "!fw3: RDP_VM (reflection)" -j DNAT --to-destination 10.0.0.111:3389 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: TR_UI (reflection)" -j DNAT --to-destination 10.0.0.2:9091 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 9091 -m comment --comment "!fw3: TR_UI (reflection)" -j DNAT --to-destination 10.0.0.2:9091 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 56666 -m comment --comment "!fw3: TR_DATA (reflection)" -j DNAT --to-destination 10.0.0.2:56666 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 56666 -m comment --comment "!fw3: TR_DATA (reflection)" -j DNAT --to-destination 10.0.0.2:56666 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 23333 -m comment --comment "!fw3: DSM_SFTP (reflection)" -j DNAT --to-destination 10.0.0.2:23333 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 23333 -m comment --comment "!fw3: DSM_SFTP (reflection)" -j DNAT --to-destination 10.0.0.2:23333 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 65430 -m comment --comment "!fw3: SPEEDTEST (reflection)" -j DNAT --to-destination 10.0.0.2:65430 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 65430 -m comment --comment "!fw3: SPEEDTEST (reflection)" -j DNAT --to-destination 10.0.0.2:65430 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 28892 -m comment --comment "!fw3: BITWARDEN (reflection)" -j DNAT --to-destination 10.0.0.2:28892 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 28892 -m comment --comment "!fw3: BITWARDEN (reflection)" -j DNAT --to-destination 10.0.0.2:28892 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 8920 -m comment --comment "!fw3: JELLYFIN (reflection)" -j DNAT --to-destination 10.0.1.2:8920 -A zone_lan_prerouting -s 10.0.0.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 8920 -m comment --comment "!fw3: JELLYFIN (reflection)" -j DNAT --to-destination 10.0.1.2:8920 -A zone_lan_tri_postrouting -m comment --comment "!fw3: Custom lan_tri postrouting rule chain" -j postrouting_lan_tri_rule -A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp (reflection)" -j SNAT --to-source 10.0.1.1 -A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p udp -m udp --dport 1723 -m comment --comment "!fw3: pptp (reflection)" -j SNAT --to-source 10.0.1.1 -A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 500 -m comment --comment "!fw3: ike (reflection)" -j SNAT --to-source 10.0.1.1 -A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ike (reflection)" -j SNAT --to-source 10.0.1.1 -A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j SNAT --to-source 10.0.1.1 -A zone_lan_tri_postrouting -s 10.0.1.0/24 -d 10.0.1.2/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j SNAT --to-source 10.0.1.1 -A zone_lan_tri_prerouting -m comment --comment "!fw3: Custom lan_tri prerouting rule chain" -j prerouting_lan_tri_rule -A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp (reflection)" -j DNAT --to-destination 10.0.1.2:1723 -A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 1723 -m comment --comment "!fw3: pptp (reflection)" -j DNAT --to-destination 10.0.1.2:1723 -A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 500 -m comment --comment "!fw3: ike (reflection)" -j DNAT --to-destination 10.0.1.2:500 -A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ike (reflection)" -j DNAT --to-destination 10.0.1.2:500 -A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p tcp -m tcp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j DNAT --to-destination 10.0.1.2:4500 -A zone_lan_tri_prerouting -s 10.0.1.0/24 -d 124.126.155.164/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j DNAT --to-destination 10.0.1.2:4500 -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule -A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT -A zone_wan_prerouting -j MINIUPNPD -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule -A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DSM_HTTP" -j DNAT --to-destination 10.0.0.2:5000 -A zone_wan_prerouting -p udp -m udp --dport 5000 -m comment --comment "!fw3: DSM_HTTP" -j DNAT --to-destination 10.0.0.2:5000 -A zone_wan_prerouting -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS" -j DNAT --to-destination 10.0.0.2:5001 -A zone_wan_prerouting -p udp -m udp --dport 5001 -m comment --comment "!fw3: DSM_HTTPS" -j DNAT --to-destination 10.0.0.2:5001 -A zone_wan_prerouting -p tcp -m tcp --dport 9876 -m comment --comment "!fw3: SMOKEPING" -j DNAT --to-destination 10.0.0.2:9876 -A zone_wan_prerouting -p udp -m udp --dport 9876 -m comment --comment "!fw3: SMOKEPING" -j DNAT --to-destination 10.0.0.2:9876 -A zone_wan_prerouting -p tcp -m tcp --dport 10001 -m comment --comment "!fw3: RDP_VM" -j DNAT --to-destination 10.0.0.111:3389 -A zone_wan_prerouting -p udp -m udp --dport 10001 -m comment --comment "!fw3: RDP_VM" -j DNAT --to-destination 10.0.0.111:3389 -A zone_wan_prerouting -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: TR_UI" -j DNAT --to-destination 10.0.0.2:9091 -A zone_wan_prerouting -p udp -m udp --dport 9091 -m comment --comment "!fw3: TR_UI" -j DNAT --to-destination 10.0.0.2:9091 -A zone_wan_prerouting -p tcp -m tcp --dport 56666 -m comment --comment "!fw3: TR_DATA" -j DNAT --to-destination 10.0.0.2:56666 -A zone_wan_prerouting -p udp -m udp --dport 56666 -m comment --comment "!fw3: TR_DATA" -j DNAT --to-destination 10.0.0.2:56666 -A zone_wan_prerouting -p tcp -m tcp --dport 23333 -m comment --comment "!fw3: DSM_SFTP" -j DNAT --to-destination 10.0.0.2:23333 -A zone_wan_prerouting -p udp -m udp --dport 23333 -m comment --comment "!fw3: DSM_SFTP" -j DNAT --to-destination 10.0.0.2:23333 -A zone_wan_prerouting -p tcp -m tcp --dport 65430 -m comment --comment "!fw3: SPEEDTEST" -j DNAT --to-destination 10.0.0.2:65430 -A zone_wan_prerouting -p udp -m udp --dport 65430 -m comment --comment "!fw3: SPEEDTEST" -j DNAT --to-destination 10.0.0.2:65430 -A zone_wan_prerouting -p tcp -m tcp --dport 28892 -m comment --comment "!fw3: BITWARDEN" -j DNAT --to-destination 10.0.0.2:28892 -A zone_wan_prerouting -p udp -m udp --dport 28892 -m comment --comment "!fw3: BITWARDEN" -j DNAT --to-destination 10.0.0.2:28892 -A zone_wan_prerouting -p tcp -m tcp --dport 8920 -m comment --comment "!fw3: JELLYFIN" -j DNAT --to-destination 10.0.1.2:8920 -A zone_wan_prerouting -p udp -m udp --dport 8920 -m comment --comment "!fw3: JELLYFIN" -j DNAT --to-destination 10.0.1.2:8920 -A zone_wan_prerouting -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j DNAT --to-destination 10.0.1.2:1723 -A zone_wan_prerouting -p udp -m udp --dport 1723 -m comment --comment "!fw3: pptp" -j DNAT --to-destination 10.0.1.2:1723 -A zone_wan_prerouting -p tcp -m tcp --dport 500 -m comment --comment "!fw3: ike" -j DNAT --to-destination 10.0.1.2:500 -A zone_wan_prerouting -p udp -m udp --dport 500 -m comment --comment "!fw3: ike" -j DNAT --to-destination 10.0.1.2:500 -A zone_wan_prerouting -p tcp -m tcp --dport 4500 -m comment --comment "!fw3: ipsec" -j DNAT --to-destination 10.0.1.2:4500 -A zone_wan_prerouting -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec" -j DNAT --to-destination 10.0.1.2:4500 -A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT COMMIT # Completed on Fri Nov 20 13:17:22 2020 #Mangle chain # Generated by iptables-save v1.8.4 on Fri Nov 20 13:17:22 2020 *mangle :PREROUTING ACCEPT [1599:206311] :INPUT ACCEPT [1225:158006] :FORWARD ACCEPT [363:47179] :OUTPUT ACCEPT [1184:361188] :POSTROUTING ACCEPT [1543:408207] :openclash - [0:0] :openclash_dns_hijack - [0:0] -A PREROUTING -p udp -j openclash -A PREROUTING -p tcp -m tcp --dport 53 -j openclash_dns_hijack -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu -A openclash -p udp -m udp --dport 9998 -j RETURN -A openclash -p udp -m udp --dport 500 -j RETURN -A openclash -p udp -m udp --dport 546 -j RETURN -A openclash -p udp -m udp --dport 68 -j RETURN -A openclash -p udp -m udp --dport 4500 -j RETURN -A openclash -p udp -m udp --dport 500 -j RETURN -A openclash -p udp -m udp --dport 1723 -j RETURN -A openclash -p udp -m udp --dport 8920 -j RETURN -A openclash -p udp -m udp --dport 28892 -j RETURN -A openclash -p udp -m udp --dport 65430 -j RETURN -A openclash -p udp -m udp --dport 23333 -j RETURN -A openclash -p udp -m udp --dport 56666 -j RETURN -A openclash -p udp -m udp --dport 9091 -j RETURN -A openclash -p udp -m udp --dport 10001 -j RETURN -A openclash -p udp -m udp --dport 9876 -j RETURN -A openclash -p udp -m udp --dport 5001 -j RETURN -A openclash -p udp -m udp --dport 5000 -j RETURN -A openclash -m set --match-set localnetwork dst -j RETURN -A openclash -j MARK --set-xmark 0x162/0xffffffff -A openclash_dns_hijack -d 8.8.8.8/32 -j MARK --set-xmark 0x162/0xffffffff -A openclash_dns_hijack -d 8.8.4.4/32 -j MARK --set-xmark 0x162/0xffffffff COMMIT # Completed on Fri Nov 20 13:17:22 2020 #===================== 路由表状态 =====================# #route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 124.126.152.1 0.0.0.0 UG 0 0 0 pppoe-wan 10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan 10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan_tri 124.126.152.1 0.0.0.0 255.255.255.255 UH 0 0 0 pppoe-wan 198.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 utun #ip route list default via 124.126.152.1 dev pppoe-wan proto static 10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 10.0.1.0/24 dev br-lan_tri proto kernel scope link src 10.0.1.1 124.126.152.1 dev pppoe-wan proto kernel scope link src 124.126.155.164 198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1 #ip rule show 0: from all lookup local 219: from all fwmark 0x162 lookup 354 220: from all lookup 220 32766: from all lookup main 32767: from all lookup default #===================== Tun设备状态 =====================# utun: tun pi filter #===================== 端口占用状态 =====================# tcp 0 0 198.18.0.1:7777 0.0.0.0:* LISTEN 20696/clash tcp 0 0 :::7890 :::* LISTEN 20696/clash tcp 0 0 :::7891 :::* LISTEN 20696/clash tcp 0 0 :::7892 :::* LISTEN 20696/clash tcp 0 0 :::9090 :::* LISTEN 20696/clash udp 0 0 127.0.0.1:7874 0.0.0.0:* 20696/clash udp 0 0 198.18.0.1:7777 0.0.0.0:* 20696/clash udp 0 0 :::57466 :::* 20696/clash udp 0 0 :::47769 :::* 20696/clash udp 0 0 :::44716 :::* 20696/clash udp 0 0 :::58572 :::* 20696/clash udp 0 0 :::7891 :::* 20696/clash udp 0 0 :::7892 :::* 20696/clash udp 0 0 :::40382 :::* 20696/clash #===================== 测试本机DNS查询 =====================# Server: 127.0.0.1 Address: 127.0.0.1#53 ** server can't find www.baidu.com: SERVFAIL *** Can't find www.baidu.com: No answer #===================== resolv.conf.auto =====================# # Interface wan nameserver 219.141.140.10 nameserver 219.141.136.10 #===================== 测试本机网络连接 =====================# #===================== 测试本机网络下载 =====================# #===================== 最近运行日志 =====================# 2020-11-20 13:14:58 Error: OpenClash 【Tun】 Core Update Error 2020-11-20 13:15:14 Error: OpenClash 【Tun】 Core Update Error 2020-11-20 13:15:38 Error: OpenClash 【Tun】 Core Update Error time="2020-11-20T05:16:03Z" level=info msg="Start initial provider DlerIEPL_Sub" time="2020-11-20T05:16:03Z" level=info msg="Start initial provider DlerCTM_Sub" time="2020-11-20T05:16:03Z" level=info msg="Start initial compatible provider Speedtest_DlerAGA" time="2020-11-20T05:16:03Z" level=info msg="Start initial compatible provider AUTO" time="2020-11-20T05:16:03Z" level=info msg="Start initial compatible provider PROXY" time="2020-11-20T05:16:03Z" level=info msg="Start initial rule provider ChinaIP" time="2020-11-20T05:16:03Z" level=info msg="Start initial rule provider Unbreak" time="2020-11-20T05:16:03Z" level=info msg="Start initial rule provider Global" time="2020-11-20T05:16:03Z" level=info msg="Start initial rule provider China" time="2020-11-20T05:16:03Z" level=info msg="DNS server listening at: 127.0.0.1:7874" 2020-11-20 13:15:53 OpenClash Start Successful 2020-11-20 13:16:28 OpenClash 【Tun】 Core Update Successful time="2020-11-20T05:16:46Z" level=info msg="Start initial provider DlerIEPL_Sub" time="2020-11-20T05:16:46Z" level=info msg="Start initial provider DlerCTM_Sub" time="2020-11-20T05:16:46Z" level=info msg="Start initial compatible provider Speedtest_DlerAGA" time="2020-11-20T05:16:46Z" level=info msg="Start initial compatible provider AUTO" time="2020-11-20T05:16:46Z" level=info msg="Start initial compatible provider PROXY" time="2020-11-20T05:16:46Z" level=info msg="Start initial rule provider Unbreak" time="2020-11-20T05:16:46Z" level=info msg="Start initial rule provider Global" time="2020-11-20T05:16:46Z" level=info msg="Start initial rule provider China" time="2020-11-20T05:16:46Z" level=info msg="Start initial rule provider ChinaIP" time="2020-11-20T05:16:46Z" level=info msg="DNS server listening at: 127.0.0.1:7874" 2020-11-20 13:16:36 OpenClash Start Successful
之前我反应过,他们说正常的,后来我反复搞,发现用OpenWrt老点的内核大概是5.4.6x的没问题。7几的就不行了。
@vernesong 麻烦来瞅瞅...我是真没办法了...
interface-name: pppoe-wan 你到etc/init.d/openclash文件脚本里面禁用相关命令后,删除配置文件里面这段再重启
Problem solved, THX.
是这样的, 我有个pihole跑在内网地址10.0.0.2的树莓派上...
说实话我也不图它给我过滤什么广告, 我用它是为了统计下各个设备的dns请求...
但是我发现只要升级到十月二十号之后的premium内核, 包括十一月十九号的版本, pihole就收不到任何dns请求了...
后果就是国内国外都无法访问
之前的版本都一切正常...
使用的模式是redir-host混合模式...
后附最新内核的日志
OpenClash 调试日志
生成时间: 2020-11-20 13:17:21 插件版本: v0.40.15-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息