yichya / luci-app-xray

(Almost) full feature Xray client for OpenWrt
Mozilla Public License 2.0

v3.1.1 stop forwarding after router reboot #359

Closed ram108 closed 11 months ago

ram108 commented 11 months ago

I have configured xray, DNS Settings and Transparent Proxy Rules so that local Russian sites are routed directly and foreign sites are routed via the proxy (shadowsocks-2022).

Everything works as configured. But after rebooting the router, Russian sites continue to open, while foreign sites do not open at all. Ping and DNS work for all sites.

There are no errors in the logs (DEBUG is set).

Only disabling Transparent Proxy helps. Then all traffic goes directly. Neither rebooting the xray service nor xray-core has any effect.

Version 2.X was working fine.

Screenshots:

1 2 3 4
yichya commented 11 months ago

Run nft list ruleset when it doesn't work and paste result here.

ram108 commented 11 months ago
table inet fw4 {
    set tp_spec_dv4_sp {
        type ipv4_addr
        flags constant,interval
        elements = { 0.0.0.0/8, 10.0.0.0/8,
                 100.64.0.0/10, 127.0.0.0/8,
                 169.254.0.0/16, 172.16.0.0/12,
                 192.0.0.0/24, 192.52.193.0/24,
                 192.168.0.0/16, 224.0.0.0/3 }
    }

    set tp_spec_dv6_sp {
        type ipv6_addr
        flags constant,interval
        elements = { ::,
                 ::1,
                 ::ffff:0.0.0.0/96,
                 ::ffff:0:0:0/96,
                 64:ff9b::/96,
                 100::/64,
                 2001::/32,
                 2001:20::/28,
                 2001:db8::/32,
                 2002::/16,
                 fc00::/7,
                 fe80::/10,
                 ff00::/8 }
    }

    set tp_spec_dv4_bp {
        type ipv4_addr
        flags constant,interval
        elements = { 94.140.14.14, 94.140.15.15,
                 192.168.51.1 }
    }

    set tp_spec_dv4_fw {
        type ipv4_addr
        flags constant,interval
        elements = { 192.168.51.1 }
    }

    set tp_spec_dv4_dg {
        type ipv4_addr
        size 16
        flags interval
    }

    set tp_spec_dv6_dg {
        type ipv6_addr
        size 16
        flags interval
    }

    chain xray_transparent_proxy {
        type filter hook prerouting priority filter + 10; policy accept;
        meta mark 0x000000fb goto tp_spec_wan_fw
        ip protocol tcp accept
        ip protocol udp accept
        ip6 nexthdr tcp accept
        ip6 nexthdr udp accept
        accept
    }

    chain tp_spec_wan_fw {
        ip protocol tcp tproxy ip to :1082 accept
        ip protocol udp meta mark set 0x000000ff accept
        ip6 nexthdr tcp meta mark set 0x000000ff accept
        ip6 nexthdr udp meta mark set 0x000000ff accept
        accept
    }

    chain xray_prerouting {
        type filter hook prerouting priority mangle + 10; policy accept;
        meta mark set ct mark
        meta mark 0x000000fb accept comment "Xray remarked from output"
        jump tp_spec_lan_mf comment "Xray FakeDNS / manual transparent proxy"
        ip protocol tcp iifname "br-lan" goto tp_spec_lan_ac
        ip protocol udp iifname "br-lan" goto tp_spec_lan_ac
        ip6 nexthdr tcp iifname "br-lan" goto tp_spec_lan_ac
        ip6 nexthdr udp iifname "br-lan" goto tp_spec_lan_ac
        ip protocol tcp accept
        ip protocol udp accept
        ip6 nexthdr tcp accept
        ip6 nexthdr udp accept
        accept
    }

    chain xray_output {
        type route hook output priority mangle + 10; policy accept;
        ip protocol tcp goto tp_spec_wan_ac
        ip protocol udp goto tp_spec_wan_ac
        ip6 nexthdr tcp goto tp_spec_wan_ac
        ip6 nexthdr udp goto tp_spec_wan_ac
        accept
    }

    chain tp_spec_wan_ac {
        ip protocol tcp meta mark 0x000000fc accept comment "Xray direct outbound TCP4"
        ip protocol udp meta mark 0x000000fc accept comment "Xray direct outbound UDP4"
        ip6 nexthdr tcp meta mark 0x000000fc accept comment "Xray direct outbound TCP6"
        ip6 nexthdr udp meta mark 0x000000fc accept comment "Xray direct outbound UDP6"
        meta mark 0x000000fd accept comment "Xray transparent proxy outbound"
        meta mark 0x000000fe accept comment "Xray non-IP DNS query outbound"
        meta mark 0x000000ff accept comment "Xray specified mark 255 outbound"
        jump tp_spec_lan_mf
        goto tp_spec_lan_ac
    }

    chain tp_spec_lan_mf {
        return
    }

    chain tp_spec_lan_ac {
        ip daddr @tp_spec_dv4_fw goto tp_spec_lan_fw
        ip daddr @tp_spec_dv4_dg accept
        ip6 daddr @tp_spec_dv6_dg accept
        ip daddr @tp_spec_dv4_bp accept
        ip daddr @tp_spec_dv4_sp accept
        ip6 daddr @tp_spec_dv6_sp accept
        goto tp_spec_lan_re
    }

    chain tp_spec_lan_re {
        tcp dport { 20, 21, 22, 853 } accept
        udp dport 853 accept
        meta l4proto tcp goto tp_spec_lan_dd
        meta l4proto udp goto tp_spec_lan_dd
        accept
    }

    chain tp_spec_lan_dd {
        goto tp_spec_lan_fw
    }

    chain tp_spec_lan_fw {
        meta mark set 0x000000fb goto tp_spec_lan_ct
    }

    chain tp_spec_lan_ct {
        ct mark set meta mark accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
        iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        jump handle_reject
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        jump handle_reject
    }

    chain output {
        type filter hook output priority filter; policy accept;
        oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
        ct state established,related accept comment "!fw4: Allow outbound established and related flows"
        oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
        oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
    }

    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
        iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
    }

    chain handle_reject {
        meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
        reject comment "!fw4: Reject any other traffic"
    }

    chain syn_flood {
        limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
        drop comment "!fw4: Drop excess packets"
    }

    chain input_lan {
        jump accept_from_lan
    }

    chain output_lan {
        jump accept_to_lan
    }

    chain forward_lan {
        jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
        jump accept_to_lan
    }

    chain helper_lan {
    }

    chain accept_from_lan {
        iifname "br-lan" counter packets 2155 bytes 125510 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain accept_to_lan {
        oifname "br-lan" counter packets 31 bytes 5673 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain input_wan {
        meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
        icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
        meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
        meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
        ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
        icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 3 bytes 152 accept comment "!fw4: Allow-ICMPv6-Input"
        icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
        jump reject_from_wan
    }

    chain output_wan {
        jump accept_to_wan
    }

    chain forward_wan {
        icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
        icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
        meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
        udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
        jump reject_to_wan
    }

    chain accept_to_wan {
        meta nfproto ipv4 oifname "wan" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
        oifname "wan" counter packets 14 bytes 1612 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
    }

    chain reject_from_wan {
        iifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
    }

    chain reject_to_wan {
        oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
    }

    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
    }

    chain srcnat_wan {
        meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
    }

    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
    }

    chain raw_output {
        type filter hook output priority raw; policy accept;
    }

    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
    }

    chain mangle_postrouting {
        type filter hook postrouting priority mangle; policy accept;
    }

    chain mangle_input {
        type filter hook input priority mangle; policy accept;
    }

    chain mangle_output {
        type route hook output priority mangle; policy accept;
    }

    chain mangle_forward {
        type filter hook forward priority mangle; policy accept;
        iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
        oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
    }
}
yichya commented 11 months ago

That seems ok except that default route is missing...

ram108 commented 11 months ago

youtube.com and yandex.ru go direct (as configured); google.com should be forwarded through the proxy, but there is no response.

ip route
default via 192.168.192.168 dev pppoe-wan
192.168.51.0/24 dev br-lan scope link  src 192.168.51.1
192.168.192.168 dev pppoe-wan scope link  src 192.168.21.209

ip rule
0:      from all lookup local
32765:  from all fwmark 0xfb lookup 251
32766:  from all lookup main
32767:  from all lookup default

curl --verbose www.youtube.com
> GET / HTTP/1.1
> Host: www.youtube.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-Type: application/binary
< X-Content-Type-Options: nosniff
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Mon, 01 Jan 1990 00:00:00 GMT
< Date: Thu, 02 Nov 2023 07:44:04 GMT
< Location: https://www.youtube.com/
< Server: ESF
< Content-Length: 0
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN

curl --verbose google.com
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/8.4.0
> Accept: */*
>

curl --verbose yandex.ru
> GET / HTTP/1.1
> Host: yandex.ru
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 302 Moved temporarily
< Accept-CH: Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA, Sec-CH-UA-Full-Version-List, Sec-CH-UA-WoW64, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Platform, Sec-CH-UA-Full-Version, Viewport-Width, DPR, Device-Memory, RTT, Downlink, ECT
< Cache-Control: max-age=1209600,private
< Date: Thu, 02 Nov 2023 07:45:23 GMT
< Location: https://dzen.ru/?yredirect=true
< NEL: {"report_to": "network-errors", "max_age": 100, "success_fraction": 0.001, "failure_fraction": 0.1}
< P3P: policyref="/w3c/p3p.xml", CP="NON DSP ADM DEV PSD IVDo OUR IND STP PHY PRE NAV UNI"
< Portal: Home
< Report-To: { "group": "network-errors", "max_age": 100, "endpoints": [{"url": "https://dr.yandex.net/nel", "priority": 1}, {"url": "https://dr2.yandex.net/nel", "priority": 2}]}
< Transfer-Encoding: chunked
< X-Content-Type-Options: nosniff
< X-Robots-Tag: unavailable_after: 12 Sep 2022 00:00:00 PST
< X-Yandex-Req-Id: 1698911123246454-16562439249095112895-balancer-l7leveler-kubr-yp-vla-16-BAL-5236
< set-cookie: is_gdpr=0; Path=/; Domain=.yandex.ru; Expires=Sat, 01 Nov 2025 07:45:23 GMT
< set-cookie: is_gdpr_b=CIauJRDC1wEoAg==; Path=/; Domain=.yandex.ru; Expires=Sat, 01 Nov 2025 07:45:23 GMT
< set-cookie: _yasc=LPPDY6sHLQLwAznbfhRJYRo9HgkICQ; domain=.yandex.ru; path=/; expires=Sun, 30 Oct 2033 07:45:23 GMT; secure
ram108 commented 11 months ago

log file for google.com

Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Info] [1135738818] app/dispatcher: sniffed domain: www.google.com
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Debug] app/dns: domain www.google.com will use DNS in order: [UDP:192.168.51.1:53]
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Debug] app/dns: UDP:192.168.51.1:53 cache HIT www.google.com -> [] > rcode: 5
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Info] app/dns: failed to lookup ip for domain www.google.com at server UDP:192.168.51.1:53 > rcode: 5
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Info] features/routing/dns: resolve ip for www.google.com > rcode: 5
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Debug] app/dns: domain www.google.com will use DNS in order: [UDP:192.168.51.1:53]
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Debug] app/dns: UDP:192.168.51.1:53 cache HIT www.google.com -> [] > rcode: 5
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Info] app/dns: failed to lookup ip for domain www.google.com at server UDP:192.168.51.1:53 > rcode: 5
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Info] features/routing/dns: resolve ip for www.google.com > rcode: 5
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Info] [1135738818] app/dispatcher: taking detour [tcp_balancer_v4@balancer_outbound:cfg024a8f] for [tcp:www.google.com:443]
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Info] [1135738818] proxy/shadowsocks_2022: tunneling request to tcp:142.250.180.196:443 via vpn4.ram108.ru:443
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Info] [1135738818] transport/internet/tcp: dialing TCP to tcp:vpn4.ram108.ru:443
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Debug] app/dns: domain vpn4.ram108.ru matches following rules: [domain:ru(DNS idx:1) vpn4.ram108.ru(DNS idx:1)]
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Debug] app/dns: domain vpn4.ram108.ru will use DNS in order: [UDP:192.168.51.1:53 UDP:192.168.51.1:53]
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Debug] app/dns: UDP:192.168.51.1:53 cache HIT vpn4.ram108.ru -> [176.222.52.210]
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Info] transport/internet: replace destination with tcp:176.222.52.210:443
Thu Nov  2 10:45:09 2023 daemon.info xray[2689]: 2023/11/02 07:45:09 [Debug] transport/internet: dialing to tcp:176.222.52.210:443
yichya commented 11 months ago

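Seems like a DNS problem: the log shows the lookup of www.google.com at UDP:192.168.51.1:53 failing with rcode: 5 (REFUSED).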

image

ram108 commented 11 months ago

Sorry, the log above is wrong: I had changed DNS to the router's local IP to check whether it would help. I have reverted it back to 1.1.1.1.

log for google.com

Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [956257235] proxy/dokodemo: received request for 192.168.51.129:64217
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [956257235] app/dispatcher: sniffed domain: google.com
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: domain google.com will use DNS in order: [UDP:1.1.1.1:53]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: UDP:1.1.1.1:53 cache HIT google.com -> [64.233.161.100 64.233.161.101 64.233.161.102 64.233.161.113 64.233.161.138 64.233.161.139 2a00:1450:4010:c08::8b 2a00:1450:4010:c08::64 2a00:1450:4010:c08::8a 2a00:1450:4010:c08::71]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [956257235] app/dispatcher: taking detour [tcp_balancer_v4@balancer_outbound:cfg024a8f] for [tcp:google.com:443]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [956257235] proxy/shadowsocks_2022: tunneling request to tcp:74.125.131.113:443 via vpn4.ram108.ru:443
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [956257235] transport/internet/tcp: dialing TCP to tcp:vpn4.ram108.ru:443
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: domain vpn4.ram108.ru matches following rules: [domain:ru(DNS idx:1) vpn4.ram108.ru(DNS idx:1)]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: domain vpn4.ram108.ru will use DNS in order: [UDP:1.1.1.1:53 UDP:1.1.1.1:53]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: UDP:1.1.1.1:53 cache HIT vpn4.ram108.ru -> [176.222.52.210]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] transport/internet: replace destination with tcp:176.222.52.210:443
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] transport/internet: dialing to tcp:176.222.52.210:443
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] [3978678650] proxy/dokodemo: processing connection from: 192.168.51.138:65289
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [3978678650] proxy/dokodemo: received request for 192.168.51.138:65289
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [3978678650] app/dispatcher: sniffed domain: www.google.com
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: domain www.google.com will use DNS in order: [UDP:1.1.1.1:53]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: UDP:1.1.1.1:53 cache HIT www.google.com -> [74.125.131.104 74.125.131.99 74.125.131.106 74.125.131.105 74.125.131.103 74.125.131.147]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [3978678650] app/dispatcher: taking detour [tcp_balancer_v4@balancer_outbound:cfg024a8f] for [tcp:www.google.com:443]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [3978678650] proxy/shadowsocks_2022: tunneling request to tcp:142.250.180.196:443 via vpn4.ram108.ru:443
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] [3978678650] transport/internet/tcp: dialing TCP to tcp:vpn4.ram108.ru:443
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: domain vpn4.ram108.ru matches following rules: [domain:ru(DNS idx:1) vpn4.ram108.ru(DNS idx:1)]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: domain vpn4.ram108.ru will use DNS in order: [UDP:1.1.1.1:53 UDP:1.1.1.1:53]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] app/dns: UDP:1.1.1.1:53 cache HIT vpn4.ram108.ru -> [176.222.52.210]
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Info] transport/internet: replace destination with tcp:176.222.52.210:443
Thu Nov  2 11:05:55 2023 daemon.info xray[4157]: 2023/11/02 08:05:55 [Debug] transport/internet: dialing to tcp:176.222.52.210:443

log for dnsmasq restart

Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: started, version 2.89 cachesize 1000
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: DNS service limited to local subnets
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.51.100 -- 192.168.51.249, lease time 12h
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5353
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5300 for domain #
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5300
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5301
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5302
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5303
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using only locally-known addresses for test
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using only locally-known addresses for local
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 names
Thu Nov  2 11:01:35 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
dig google.com

; <<>> DiG 9.18.11 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24977
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             88      IN      A       142.250.201.206

;; Query time: 0 msec
;; SERVER: 192.168.51.1#53(192.168.51.1) (UDP)
;; WHEN: Thu Nov 02 11:04:48 MSK 2023
;; MSG SIZE  rcvd: 55
curl --verbose www.google.com
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/8.4.0
> Accept: */*
>
* Empty reply from server
curl: (52) Empty reply from server
ram108 commented 11 months ago

If I turn off Transparent Proxy, google.com opens.

yichya commented 11 months ago

image

image

ram108 commented 11 months ago

I don’t think the problem is with DNS, otherwise all sites would stop opening.

5353 is dnsproxy; I disabled it, so DNS now goes directly to dnsmasq.

Tried checking and unchecking "Ignore resolv file" - the same result.

Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: started, version 2.89 cachesize 1000
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: DNS service limited to local subnets
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.51.100 -- 192.168.51.249, lease time 12h
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5300 for domain #
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5300
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5301
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5302
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5303
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using only locally-known addresses for test
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using only locally-known addresses for local
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 names
Thu Nov  2 11:28:47 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses

dig google.com

; <<>> DiG 9.18.11 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51649
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             600     IN      A       74.125.131.101
google.com.             600     IN      A       74.125.131.113
google.com.             600     IN      A       74.125.131.139
google.com.             600     IN      A       74.125.131.102
google.com.             600     IN      A       74.125.131.138
google.com.             600     IN      A       74.125.131.100

;; Query time: 30 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 02 11:26:58 MSK 2023
;; MSG SIZE  rcvd: 124

curl --verbose www.google.com
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/8.4.0
> Accept: */*
>
* Empty reply from server
curl: (52) Empty reply from server

curl --verbose yandex.ru
> GET / HTTP/1.1
> Host: yandex.ru
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 302 Moved temporarily
< Accept-CH: Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA, Sec-CH-UA-Full-Version-List, Sec-CH-UA-WoW64, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Platform, Sec-CH-UA-Full-Version, Viewport-Width, DPR, Device-Memory, RTT, Downlink, ECT
< Cache-Control: max-age=1209600,private
< Date: Thu, 02 Nov 2023 08:33:04 GMT
< Location: https://dzen.ru/?yredirect=true
yichya commented 11 months ago

Did you enable sniffing? Try disabling it temporarily

ram108 commented 11 months ago

Transparent Proxy is enabled, Sniffing is disabled:

curl --verbose www.google.com
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/8.4.0
> Accept: */*
>
^C

curl --verbose yandex.ru
> GET / HTTP/1.1
> Host: yandex.ru
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 302 Moved temporarily
< Accept-CH: Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA, Sec-CH-UA-Full-Version-List, Sec-CH-UA-WoW64, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Platform, Sec-CH-UA-Full-Version, Viewport-Width, DPR, Device-Memory, RTT, Downlink, ECT
< Location: http://yandex.ru/showcaptcha
yichya commented 11 months ago

That is really strange...

Try running curl with proxy:

env https_proxy=http://127.0.0.1:1081 curl --verbose https://www.google.com

ram108 commented 11 months ago
env https_proxy=http://127.0.0.1:1081 curl --verbose https://www.google.com
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/8.4.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
> GET / HTTP/2
> Host: www.google.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 200
< date: Thu, 02 Nov 2023 09:03:12 GMT
< expires: -1
< cache-control: private, max-age=0
< content-type: text/html; charset=ISO-8859-1
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-rXaOQ7kkIacE7dPJIQUPaA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< server: gws
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: 1P_JAR=2023-11-02-09; expires=Sat, 02-Dec-2023 09:03:12 GMT; path=/; domain=.google.com; Secure
< set-cookie: AEC=Ackid1Ri1P59Q8LB3lChfxk6orAmuasTT_8PkfJFwi0R3eY07FLhgJx-WQ; expires=Tue, 30-Apr-2024 09:03:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< set-cookie: NID=511=dlLwGOefnrecuyS8V2vdDWPD1oAVX0GyvspxSuryElwPXvL34Ee5wkDocCr342nFOpC_hJGgr2llQ-p1xGIR_crPukt34DsL0-xGvJnEBYcgL9oLxrwZMYalsbvEaIQdFvEYMGZGguzkYyYpMapqYspQnkXzCFGHHPJm5ri-LW4; expires=Fri, 03-May-2024 09:03:12 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< accept-ranges: none
< vary: Accept-Encoding
<
<!doctype html> 
[cut]
yichya commented 11 months ago

That works as expected so I still think there's something wrong with DNS.

Try curl --verbose --resolve www.google.com:443:74.125.131.101 https://www.google.com

ram108 commented 11 months ago

Sorry for the delay. I have to switch the proxy on and off to access GitHub; it does not work with the proxy enabled either.

Now with Proxy enabled and Sniffing disabled:

root@shiva:~# env https_proxy=http://127.0.0.1:1081 curl --verbose https://www.google.com
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/8.4.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
^C

root@shiva:~# curl --verbose --resolve www.google.com:443:74.125.131.101 https://www.google.com
^C
yichya commented 11 months ago

Is there any error in system log when curl with https_proxy does not work?

ram108 commented 11 months ago

I don't see any google.com in the logs, but I can see 74.125.131.101. Here is the log; it looks like there is no error.


root@shiva:~# curl --verbose --resolve www.google.com:443:74.125.131.101 https://www.google.com
^C

Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Debug] [2969682845] proxy/dokodemo: processing connection from: 192.168.7.182:41932
Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Info] [2969682845] proxy/dokodemo: received request for 192.168.7.182:41932
Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Info] [2969682845] app/dispatcher: taking detour [tcp_balancer_v4@balancer_outbound:cfg024a8f] for [tcp:74.125.131.101:443]
Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Info] [2969682845] proxy/shadowsocks_2022: tunneling request to tcp:74.125.131.101:443 via vpn4.ram108.ru:443
Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Info] [2969682845] transport/internet/tcp: dialing TCP to tcp:vpn4.ram108.ru:443
Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Debug] app/dns: domain vpn4.ram108.ru matches following rules: [domain:ru(DNS idx:1) vpn4.ram108.ru(DNS idx:1)]
Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Debug] app/dns: domain vpn4.ram108.ru will use DNS in order: [UDP:1.1.1.1:53 UDP:1.1.1.1:53]
Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Debug] app/dns: UDP:1.1.1.1:53 cache HIT vpn4.ram108.ru -> [176.222.52.210]
Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Info] transport/internet: replace destination with tcp:176.222.52.210:443
Thu Nov  2 13:01:46 2023 daemon.info xray[2879]: 2023/11/02 10:01:46 [Debug] transport/internet: dialing to tcp:176.222.52.210:443
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Debug] [501462645] proxy/dokodemo: processing connection from: 192.168.51.138:58944
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Info] [501462645] proxy/dokodemo: received request for 192.168.51.138:58944
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Info] [501462645] app/dispatcher: taking detour [tcp_balancer_v4@balancer_outbound:cfg024a8f] for [tcp:64.233.164.95:443]
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Info] [501462645] proxy/shadowsocks_2022: tunneling request to tcp:64.233.164.95:443 via vpn4.ram108.ru:443
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Info] [501462645] transport/internet/tcp: dialing TCP to tcp:vpn4.ram108.ru:443
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Debug] app/dns: domain vpn4.ram108.ru matches following rules: [domain:ru(DNS idx:1) vpn4.ram108.ru(DNS idx:1)]
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Debug] app/dns: domain vpn4.ram108.ru will use DNS in order: [UDP:1.1.1.1:53 UDP:1.1.1.1:53]
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Debug] app/dns: UDP:1.1.1.1:53 cache HIT vpn4.ram108.ru -> [176.222.52.210]
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Info] transport/internet: replace destination with tcp:176.222.52.210:443
Thu Nov  2 13:01:47 2023 daemon.info xray[2879]: 2023/11/02 10:01:47 [Debug] transport/internet: dialing to tcp:176.222.52.210:443
ram108 commented 11 months ago

According to the logs, it redirects the request to the proxy and there are no errors. But there is no response.

ram108 commented 11 months ago

Sometimes when I turn the proxy on and off a few times, it starts working. I do not touch any other settings.

It's working now:

root@shiva:~# curl --verbose --resolve www.google.com:443:74.125.131.101 https://www.google.com
> GET / HTTP/2
> Host: www.google.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 200
< date: Thu, 02 Nov 2023 10:19:30 GMT

But if you reboot the router in this working state, the proxy doesn't work again.

yichya commented 11 months ago

That seems really weird. Does it work now without --resolve www.google.com:443:74.125.131.101?

ram108 commented 11 months ago
root@shiva:~# curl --verbose https://www.google.com
> GET / HTTP/2
> Host: www.google.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 200
< date: Thu, 02 Nov 2023 10:28:47 GMT
< expires: -1

Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] [2981811929] proxy/dokodemo: processing connection from: 127.0.0.1:45029
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Info] [2981811929] proxy/dokodemo: received request for 127.0.0.1:45029
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Info] [2981811929] app/dispatcher: taking detour [dns_server_outbound] for [udp:1.1.1.1:53]
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Info] [2981811929] proxy/dns: handling DNS traffic to udp:1.1.1.1:53
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] app/dns: domain mtalk.google.com will use DNS in order: [UDP:1.1.1.1:53]
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] app/dns: UDP:1.1.1.1:53 querying DNS for: mtalk.google.com.
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] transport/internet/udp: dispatch request to: udp:1.1.1.1:53
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Info] app/dns: UDP:1.1.1.1:53 got answer: mtalk.google.com. TypeA -> [64.233.165.188] 29.436823ms
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] app/dns: UDP:1.1.1.1:53 updating IP records for domain:mtalk.google.com.
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] [3116324627] proxy/dokodemo: processing connection from: 192.168.51.138:59820
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Info] [3116324627] proxy/dokodemo: received request for 192.168.51.138:59820
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Info] [3116324627] app/dispatcher: taking detour [tcp_balancer_v4@balancer_outbound:cfg024a8f] for [tcp:64.233.165.188:5228]
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Info] [3116324627] proxy/shadowsocks_2022: tunneling request to tcp:64.233.165.188:5228 via vpn4.ram108.ru:443
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Info] [3116324627] transport/internet/tcp: dialing TCP to tcp:vpn4.ram108.ru:443
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] app/dns: domain vpn4.ram108.ru matches following rules: [domain:ru(DNS idx:1) vpn4.ram108.ru(DNS idx:1)]
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] app/dns: domain vpn4.ram108.ru will use DNS in order: [UDP:1.1.1.1:53 UDP:1.1.1.1:53]
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] app/dns: UDP:1.1.1.1:53 cache HIT vpn4.ram108.ru -> [176.222.52.210]
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Info] transport/internet: replace destination with tcp:176.222.52.210:443
Thu Nov  2 13:29:07 2023 daemon.info xray[4469]: 2023/11/02 10:29:07 [Debug] transport/internet: dialing to tcp:176.222.52.210:443
ram108 commented 11 months ago

And I see my proxy IP in IP check. Now I will reboot router.

ram108 commented 11 months ago

After reboot: there are no errors and the logs are the same, but it does not work.

root@shiva:~# curl --verbose https://www.google.com
^C

Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Info] [3039547138] proxy/dokodemo: received request for 127.0.0.1:34189
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Info] [3039547138] app/dispatcher: taking detour [dns_server_outbound] for [udp:1.1.1.1:53]
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Info] [3039547138] proxy/dns: handling DNS traffic to udp:1.1.1.1:53
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Debug] app/dns: domain dns.google.com will use DNS in order: [UDP:1.1.1.1:53]
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Debug] app/dns: UDP:1.1.1.1:53 querying DNS for: dns.google.com.
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Debug] transport/internet/udp: dispatch request to: udp:1.1.1.1:53
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Info] app/dns: UDP:1.1.1.1:53 got answer: dns.google.com. TypeA -> [8.8.8.8 8.8.4.4] 28.988077ms
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Debug] app/dns: UDP:1.1.1.1:53 updating IP records for domain:dns.google.com.
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Debug] [2260680747] proxy/dokodemo: processing connection from: 192.168.51.138:60815
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Info] [2260680747] proxy/dokodemo: received request for 192.168.51.138:60815
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Info] [2260680747] app/dispatcher: taking detour [tcp_balancer_v4@balancer_outbound:cfg024a8f] for [tcp:8.8.8.8:443]
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Info] [2260680747] proxy/shadowsocks_2022: tunneling request to tcp:8.8.8.8:443 via vpn4.ram108.ru:443
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Info] [2260680747] transport/internet/tcp: dialing TCP to tcp:vpn4.ram108.ru:443
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Debug] app/dns: domain vpn4.ram108.ru matches following rules: [domain:ru(DNS idx:1) vpn4.ram108.ru(DNS idx:1)]
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Debug] app/dns: domain vpn4.ram108.ru will use DNS in order: [UDP:1.1.1.1:53 UDP:1.1.1.1:53]
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Debug] app/dns: UDP:1.1.1.1:53 cache HIT vpn4.ram108.ru -> [176.222.52.210]
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Info] transport/internet: replace destination with tcp:176.222.52.210:443
Thu Nov  2 13:19:58 2023 daemon.info xray[2728]: 2023/11/02 10:19:58 [Debug] transport/internet: dialing to tcp:176.222.52.210:443
Thu Nov  2 13:19:59 2023 daemon.info xray[2728]: 2023/11/02 10:19:59 [Debug] [2025668730] proxy/dokodemo: processing connection from: 192.168.51.138:60816
Thu Nov  2 13:19:59 2023 daemon.info xray[2728]: 2023/11/02 10:19:59 [Info] [2025668730] proxy/dokodemo: received request for 192.168.51.138:60816
Thu Nov  2 13:19:59 2023 daemon.info xray[2728]: 2023/11/02 10:19:59 [Info] [2025668730] app/dispatcher: taking detour [tcp_balancer_v4@balancer_outbound:cfg024a8f] for [tcp:149.154.167.41:443]
Thu Nov  2 13:19:59 2023 daemon.info xray[2728]: 2023/11/02 10:19:59 [Info] [2025668730] proxy/shadowsocks_2022: tunneling request to tcp:149.154.167.41:443 via vpn4.ram108.ru:443
Thu Nov  2 13:19:59 2023 daemon.info xray[2728]: 2023/11/02 10:19:59 [Info] [2025668730] transport/internet/tcp: dialing TCP to tcp:vpn4.ram108.ru:443
yichya commented 11 months ago

Maybe try adjusting the time on your router? I'm not sure about it, but your log indicates the clock is ~15 min slow.

image

ram108 commented 11 months ago

Time is correct according to my local time:

Снимок экрана 2023-11-02 134553
yichya commented 11 months ago

According to the shadowsocks-2022 specification, time drift should be less than 30 seconds (request headers carry a timestamp that the peer checks as part of replay protection):

image

Maybe try tuning it more accurately

ram108 commented 11 months ago

When router is online and able to sync time, it is the same as on my laptop.

Снимок экрана 2023-11-02 135142

How can I sync the time manually to check this?

yichya commented 11 months ago

Click "Sync with browser"

image

ram108 commented 11 months ago

Heh... I do not know, but maybe you are right here. Now the time is the same and I turn on TProxy. It is working.

So the problem could be that when you reboot, the router does not adjust the time synchronization with the internet and Shadowsocks stops working?

If I add the list of NTP servers to the bypass list, can this solve the problem?

Снимок экрана 2023-11-02 135855
yichya commented 11 months ago

Heh... I do not know, but maybe you are right here. Now the time is the same and I turn on TProxy. It is working.

So the problem could be that when you reboot, the router does not adjust the time synchronization with the internet and Shadowsocks stops working?

That's a pretty common issue for cheap routers...

If I add the list of NTP servers to the exclusive xray, can this solve the problem?

The NTP protocol can't be sniffed by Xray, so domain-based rules will not match NTP traffic; you may need to fill in the IP addresses of the NTP servers and add them to the Bypassed IPs list.

ram108 commented 11 months ago

The router is not so cheap: https://openwrt.org/toh/xiaomi/redmi_ax6000

Yes. That was the problem.

Снимок экрана 2023-11-02 140732

Now it is working after reboot.

It turns out that version 3.1.1 loads faster than 2.1.2 on boot, so the network gets blocked and the router can't update the time.

ram108 commented 11 months ago

Thank you for your time, patience and help.