Comments (39)

yichya commented on August 23, 2024

Please paste the F12 console output.

from luci-app-xray.

LitCcc commented on August 23, 2024

Snipaste_2021-11-21_13-58-08

yichya commented on August 23, 2024

There's nothing in this. What about after a refresh?

LitCcc commented on August 23, 2024

After refreshing, the output is still the same, with no errors at all.

LitCcc commented on August 23, 2024

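I checked the server-side logs and found no records at all for the sites that cannot be reached. Is there any way to view the client-side logs? I tried editing config.json myself, but it gets reverted after a restart.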

yichya commented on August 23, 2024

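I checked the server-side logs and found no records at all for the sites that cannot be reached. Is there any way to view the client-side logs?

For errors at warning level and above, use logread.

After refreshing, the output is still the same, with no errors at all.

Then try curl --verbose https://www.pixiv.net and paste the output.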

LitCcc commented on August 23, 2024

Snipaste_2021-11-21_16-00-42

yichya commented on August 23, 2024

This looks like an SNI reset. Are you sure only these two sites fail to open?

LitCcc commented on August 23, 2024

This looks like an SNI reset. Are you sure only these two sites fail to open?

I tried, and there are indeed more sites with the same behavior.

yichya commented on August 23, 2024

This basically means the transparent proxy's iptables rules are not taking effect. Check the system log for any errors or the like.

LitCcc commented on August 23, 2024

The system log is as follows:

Mon Nov 22 13:54:38 2021 user.warn xray[5338]: (Re)generationg Xray configuration files...
Mon Nov 22 13:54:38 2021 user.warn xray[5338]: Starting Xray from /usr/bin/xray
Mon Nov 22 13:54:38 2021 user.warn xray[5338]: Setting dnsmasq and firewall for transparent proxy...
Mon Nov 22 13:54:38 2021 user.warn xray[5338]: # Generated dnsmasq configurations by luci-app-xray strict-order server=/#/127.0.0.1#5300 server=127.0.0.1#5300 server=127.0.0.1#5301 server=127.0.0.1#5302 server=127.0.0.1#5303
Mon Nov 22 13:54:38 2021 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Mon Nov 22 13:54:38 2021 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Mon Nov 22 13:54:41 2021 user.info transparent-proxy-ipset[5578]: flush_ipset_rules
Mon Nov 22 13:54:41 2021 user.info transparent-proxy-ipset[5578]: ipset_init
Mon Nov 22 13:54:41 2021 user.info transparent-proxy-ipset[5578]: gen_lan_host_ipset_entry
Mon Nov 22 13:54:41 2021 kern.emerg transparent-proxy-ipset[5578]: gen_lan_host_ipset_entry
Mon Nov 22 13:54:41 2021 user.info transparent-proxy-ipset[5578]: default gateway available at 100.114.255.155
Mon Nov 22 13:54:42 2021 daemon.info xray[5659]: Xray 1.5.0 (Xray, Penetrates Everything.) Custom (go1.17.3 linux/arm64)
Mon Nov 22 13:54:42 2021 daemon.info xray[5659]: A unified platform for anti-censorship.
Mon Nov 22 13:54:42 2021 daemon.err xray[5659]: 2021/11/22 05:54:42 Using confdir from arg: /var/etc/xray
Mon Nov 22 13:54:42 2021 daemon.info xray[5659]: 2021/11/22 05:54:42 [Info] infra/conf/serial: Reading config: /var/etc/xray/config.json
Mon Nov 22 13:54:42 2021 daemon.info xray[5659]: 2021/11/22 05:54:42 [Info] infra/conf/serial: Reading config: /var/etc/xray/config_custom.json
Mon Nov 22 14:10:42 2021 user.warn xray[6075]: (Re)generationg Xray configuration files...
Mon Nov 22 14:10:42 2021 user.warn xray[6075]: Starting Xray from /usr/bin/xray
Mon Nov 22 14:10:42 2021 user.warn xray[6075]: Setting dnsmasq and firewall for transparent proxy...
Mon Nov 22 14:10:42 2021 user.warn xray[6075]: # Generated dnsmasq configurations by luci-app-xray strict-order server=/#/127.0.0.1#5300 server=127.0.0.1#5300 server=127.0.0.1#5301 server=127.0.0.1#5302 server=127.0.0.1#5303
Mon Nov 22 14:10:42 2021 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Mon Nov 22 14:10:42 2021 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Mon Nov 22 14:10:45 2021 user.info transparent-proxy-ipset[6315]: flush_ipset_rules
Mon Nov 22 14:10:45 2021 user.info transparent-proxy-ipset[6315]: ipset_init
Mon Nov 22 14:10:45 2021 user.info transparent-proxy-ipset[6315]: gen_lan_host_ipset_entry
Mon Nov 22 14:10:45 2021 kern.emerg transparent-proxy-ipset[6315]: gen_lan_host_ipset_entry
Mon Nov 22 14:10:45 2021 user.info transparent-proxy-ipset[6315]: default gateway available at 100.114.255.155
Mon Nov 22 14:10:46 2021 daemon.info xray[6419]: Xray 1.5.0 (Xray, Penetrates Everything.) Custom (go1.17.3 linux/arm64)
Mon Nov 22 14:10:46 2021 daemon.info xray[6419]: A unified platform for anti-censorship.
Mon Nov 22 14:10:46 2021 daemon.err xray[6419]: 2021/11/22 06:10:46 Using confdir from arg: /var/etc/xray
Mon Nov 22 14:10:46 2021 daemon.info xray[6419]: 2021/11/22 06:10:46 [Info] infra/conf/serial: Reading config: /var/etc/xray/config.json
Mon Nov 22 14:10:46 2021 daemon.info xray[6419]: 2021/11/22 06:10:46 [Info] infra/conf/serial: Reading config: /var/etc/xray/config_custom.json
Mon Nov 22 14:13:56 2021 user.warn xray[6491]: (Re)generationg Xray configuration files...
Mon Nov 22 14:13:56 2021 user.warn xray[6491]: Starting Xray from /usr/bin/xray
Mon Nov 22 14:13:56 2021 user.warn xray[6491]: Setting dnsmasq and firewall for transparent proxy...
Mon Nov 22 14:13:56 2021 user.warn xray[6491]: # Generated dnsmasq configurations by luci-app-xray strict-order server=/#/127.0.0.1#5300 server=127.0.0.1#5300 server=127.0.0.1#5301 server=127.0.0.1#5302 server=127.0.0.1#5303
Mon Nov 22 14:13:56 2021 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Mon Nov 22 14:13:56 2021 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Mon Nov 22 14:13:59 2021 user.info transparent-proxy-ipset[6731]: flush_ipset_rules
Mon Nov 22 14:13:59 2021 user.info transparent-proxy-ipset[6731]: ipset_init
Mon Nov 22 14:13:59 2021 user.info transparent-proxy-ipset[6731]: gen_lan_host_ipset_entry
Mon Nov 22 14:13:59 2021 kern.emerg transparent-proxy-ipset[6731]: gen_lan_host_ipset_entry
Mon Nov 22 14:13:59 2021 user.info transparent-proxy-ipset[6731]: default gateway available at 100.114.255.155
Mon Nov 22 14:14:00 2021 daemon.info xray[6835]: Xray 1.5.0 (Xray, Penetrates Everything.) Custom (go1.17.3 linux/arm64)
Mon Nov 22 14:14:00 2021 daemon.info xray[6835]: A unified platform for anti-censorship.
Mon Nov 22 14:14:00 2021 daemon.err xray[6835]: 2021/11/22 06:14:00 Using confdir from arg: /var/etc/xray
Mon Nov 22 14:14:00 2021 daemon.info xray[6835]: 2021/11/22 06:14:00 [Info] infra/conf/serial: Reading config: /var/etc/xray/config.json
Mon Nov 22 14:14:03 2021 daemon.info xray[6835]: 2021/11/22 06:14:03 [Warning] core: Xray 1.5.0 started

The output of iptables-save is as follows:

root@ImmortalWrt:~# iptables-save
# Generated by iptables-save v1.8.7 on Mon Nov 22 14:27:32 2021
*raw
:PREROUTING ACCEPT [55142:17301827]
:OUTPUT ACCEPT [43363:15826243]
:zone_lan_helper - [0:0]
-A PREROUTING -i eth0 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
-A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
-A zone_lan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
-A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
-A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
-A zone_lan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
-A zone_lan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
-A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
-A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Mon Nov 22 14:27:32 2021
# Generated by iptables-save v1.8.7 on Mon Nov 22 14:27:32 2021
*nat
:PREROUTING ACCEPT [9874:2875187]
:INPUT ACCEPT [1794:130075]
:OUTPUT ACCEPT [2683:180604]
:POSTROUTING ACCEPT [1778:115678]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Mon Nov 22 14:27:32 2021
# Generated by iptables-save v1.8.7 on Mon Nov 22 14:27:32 2021
*mangle
:PREROUTING ACCEPT [36770:14405505]
:INPUT ACCEPT [44847:14328149]
:FORWARD ACCEPT [2063:260791]
:OUTPUT ACCEPT [43360:15830071]
:POSTROUTING ACCEPT [45135:16078046]
:TP_SPEC_LAN_AC - [0:0]
:TP_SPEC_LAN_DG - [0:0]
:TP_SPEC_WAN_AC - [0:0]
:TP_SPEC_WAN_DG - [0:0]
:TP_SPEC_WAN_FW - [0:0]
-A PREROUTING -i eth0 -j TP_SPEC_LAN_DG
-A PREROUTING -m mark --mark 0xfc -j TP_SPEC_WAN_AC
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j TP_SPEC_WAN_DG
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_bp src -j RETURN
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_fw src -j TP_SPEC_WAN_FW
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_ac src -j TP_SPEC_WAN_AC
-A TP_SPEC_LAN_AC -j TP_SPEC_WAN_AC
-A TP_SPEC_LAN_DG -m set --match-set tp_spec_dst_sp dst -j RETURN
-A TP_SPEC_LAN_DG -p tcp -j TP_SPEC_LAN_AC
-A TP_SPEC_LAN_DG -p udp -j TP_SPEC_LAN_AC
-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_fw dst -j TP_SPEC_WAN_FW
-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_bp dst -j RETURN
-A TP_SPEC_WAN_AC -j TP_SPEC_WAN_FW
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_dst_sp dst -j RETURN
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_dst_bp dst -j RETURN
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_def_gw dst -j RETURN
-A TP_SPEC_WAN_DG -m mark --mark 0xff -j RETURN
-A TP_SPEC_WAN_DG -p tcp -j MARK --set-xmark 0xfc/0xffffffff
-A TP_SPEC_WAN_DG -p udp -j MARK --set-xmark 0xfc/0xffffffff
-A TP_SPEC_WAN_FW -p tcp -j TPROXY --on-port 1080 --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
-A TP_SPEC_WAN_FW -p udp -j TPROXY --on-port 1081 --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
COMMIT
# Completed on Mon Nov 22 14:27:32 2021
# Generated by iptables-save v1.8.7 on Mon Nov 22 14:27:32 2021
*filter
:INPUT ACCEPT [50:2696]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Nov 22 14:27:32 2021

My xray configuration:

config general
	option xray_bin '/usr/bin/xray'
	option mark '255'
	option tproxy_port_tcp '1080'
	option tproxy_port_udp '1081'
	option socks_port '1082'
	option http_port '1083'
	option dns_port '5300'
	option dns_count '3'
	option fast_dns '114.114.114.114'
	option secure_dns '8.8.8.8'
	option default_dns '1.1.1.1'
	list bypassed_domain_rules 'geosite:cn'
	list forwarded_domain_rules 'geosite:geolocation-!cn'
	option transparent_proxy_enable '1'
	option wan_bp_list '/dev/null'
	option lan_target 'TP_SPEC_WAN_AC'
	list wan_bp_ips '114.114.114.114'
	list wan_bp_ips '104.16.0.0/12'
	option xray_api '1'
	option main_server 'cfg024a8f'
	option tproxy_sniffing '1'
	option tproxy_udp_server 'cfg024a8f'
	option geoip_direct_code 'cn'
	option routing_domain_strategy 'IPIfNonMatch'
	option lan_ifaces 'eth0'

config servers
	option security 'auto'
	option tls '0'
	option tests_enabled 'none'
	option protocol 'vless'
	option server_port '443'
	option vless_security 'none'
	option vless_encryption 'none'
	option alias 'xxxxxx'
	option server 'xxxxxxxxxxxx'
	option password 'xxxxxxxxxxx'
	option vless_tls 'tls'
	option vless_tls_host 'xxxxxxx'
	option vless_tls_insecure '0'
	list vless_tls_alpn 'h2'
	option transport 'grpc'
	option grpc_service_name 'xxxxxxxx'

yichya commented on August 23, 2024

-A PREROUTING -i eth0 -j TP_SPEC_LAN_DG

Your LAN interface looks odd. Why is it that, with the switch enabled,

option lan_ifaces 'eth0'

the configuration only has a single eth0?

LitCcc commented on August 23, 2024

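Since I don't use the main router's wireless, I removed the bridge between eth0 and Wi-Fi and turned Wi-Fi off. After enabling the bridge, both places changed to 'br-lan', and the result is still the same.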

yichya commented on August 23, 2024

Which sites can you access? For example, is the IP shown by checkip.dyndns.com the IP of the outbound server?

LitCcc commented on August 23, 2024

Google, Facebook, YouTube, Twitter and other mainstream sites work with no problem at all; only a few sites fail. So far I have found v2ex.com, pixiv.net, scmp.com and rsf.org.
checkip.dyndns.com shows the outbound server's IP.

yichya commented on August 23, 2024

list wan_bp_ips '104.16.0.0/12'

Try deleting this.

LitCcc commented on August 23, 2024

With list wan_bp_ips keeping only '114.114.114.114', the result is still the same. I'm going to rebuild the firmware to rule things out.

yichya commented on August 23, 2024

That really is strange... Your iptables looks quite clean too, and it doesn't look like something else is interfering. Which geoip.dat are you using?

LitCcc commented on August 23, 2024

https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat

yichya commented on August 23, 2024

Then I really don't know why...

SasamiMasakiJurai commented on August 23, 2024

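Ah, so it's a problem with the plugin?
I thought it was caused by my own ad-blocking plugin.
I'll test it too once I get home
and report the error log.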

SasamiMasakiJurai commented on August 23, 2024

This is an image

SasamiMasakiJurai commented on August 23, 2024

This is an image

yichya commented on August 23, 2024

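Ah, so it's a problem with the plugin? I thought it was caused by my own ad-blocking plugin. I'll test it too once I get home and report the error log.

Have you removed list wan_bp_ips '104.16.0.0/12'?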

SasamiMasakiJurai commented on August 23, 2024

/$ iptables-save

# Generated by iptables-save v1.8.7 on Mon Nov 22 19:12:31 2021

*nat
:PREROUTING ACCEPT [155585:16717852]
:INPUT ACCEPT [113432:10126906]
:OUTPUT ACCEPT [66686:4473404]
:POSTROUTING ACCEPT [71373:3647049]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -j MINIUPNPD
COMMIT

# Completed on Mon Nov 22 19:12:31 2021
# Generated by iptables-save v1.8.7 on Mon Nov 22 19:12:31 2021

*mangle
:PREROUTING ACCEPT [11392772:14498994099]
:INPUT ACCEPT [16485323:16243116850]
:FORWARD ACCEPT [352955:282326411]
:OUTPUT ACCEPT [6528358:15771746692]
:POSTROUTING ACCEPT [6880896:16054056617]
:TP_SPEC_LAN_AC - [0:0]
:TP_SPEC_LAN_DG - [0:0]
:TP_SPEC_WAN_AC - [0:0]
:TP_SPEC_WAN_DG - [0:0]
:TP_SPEC_WAN_FW - [0:0]
-A PREROUTING -i br-lan -j TP_SPEC_LAN_DG
-A PREROUTING -m mark --mark 0xfc -j TP_SPEC_WAN_AC
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j TP_SPEC_WAN_DG
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_bp src -j RETURN
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_fw src -j TP_SPEC_WAN_FW
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_ac src -j TP_SPEC_WAN_AC
-A TP_SPEC_LAN_AC -j TP_SPEC_WAN_AC
-A TP_SPEC_LAN_DG -m set --match-set tp_spec_dst_sp dst -j RETURN
-A TP_SPEC_LAN_DG -p tcp -j TP_SPEC_LAN_AC
-A TP_SPEC_LAN_DG -p udp -j TP_SPEC_LAN_AC
-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_fw dst -j TP_SPEC_WAN_FW
-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_bp dst -j RETURN
-A TP_SPEC_WAN_AC -j TP_SPEC_WAN_FW
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_dst_sp dst -j RETURN
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_dst_bp dst -j RETURN
-A TP_SPEC_WAN_DG -m set --match-set tp_spec_def_gw dst -j RETURN
-A TP_SPEC_WAN_DG -m mark --mark 0xff -j RETURN
-A TP_SPEC_WAN_DG -p tcp -j MARK --set-xmark 0xfc/0xffffffff
-A TP_SPEC_WAN_DG -p udp -j MARK --set-xmark 0xfc/0xffffffff
-A TP_SPEC_WAN_FW -p tcp -j TPROXY --on-port 1080 --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
-A TP_SPEC_WAN_FW -p udp -j TPROXY --on-port 1081 --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
COMMIT

# Completed on Mon Nov 22 19:12:31 2021
# Generated by iptables-save v1.8.7 on Mon Nov 22 19:12:31 2021

*filter
:INPUT ACCEPT [840:41863]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -j MINIUPNPD
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT

# Completed on Mon Nov 22 19:12:31 2021

SasamiMasakiJurai commented on August 23, 2024

No, not yet.
I'll remove it and try.

SasamiMasakiJurai commented on August 23, 2024

Still not working after removing it.

3xpert commented on August 23, 2024

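My situation is similar. SCMP (South China Morning Post) never opens. Of the other three sites the original poster mentioned, v2ex also never opens, while the rest open occasionally but fail most of the time.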

yichya commented on August 23, 2024

@LitCcc @SasamiMasakiJurai @3xpert

After removing the 104.16.0.0/12 entry mentioned above, restart with service xray restart and try again.

3xpert commented on August 23, 2024

image
v2ex still doesn't work; everything else works now.

yichya commented on August 23, 2024

v2ex still doesn't work; everything else works now.

This doesn't look like it's being blocked by the firewall...

3xpert commented on August 23, 2024

It works on anxray.

3xpert commented on August 23, 2024

Looks like it's a Chrome problem; it works normally when I use Firefox.

yichya commented on August 23, 2024

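This round fixed two problems: 104.16.0.0/12 is part of Cloudflare's IP range and was accidentally written into the default configuration; and changing the configuration did not restart and clean up the ipset.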

from luci-app-xray.
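
The two causes yichya names above, as an added example that is not part of the thread or of the project's code: a small simulator walks the TP_SPEC_* mangle rules from the iptables-save output for a packet arriving from the LAN. The ipset contents, the sample addresses, and the `load_bypass` model of a reload without a flush are assumptions made for illustration.

```python
import ipaddress
import shlex

# LAN-path rules copied from the mangle table in the thread's iptables-save output.
RULES = """\
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_bp src -j RETURN
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_fw src -j TP_SPEC_WAN_FW
-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_ac src -j TP_SPEC_WAN_AC
-A TP_SPEC_LAN_AC -j TP_SPEC_WAN_AC
-A TP_SPEC_LAN_DG -m set --match-set tp_spec_dst_sp dst -j RETURN
-A TP_SPEC_LAN_DG -p tcp -j TP_SPEC_LAN_AC
-A TP_SPEC_LAN_DG -p udp -j TP_SPEC_LAN_AC
-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_fw dst -j TP_SPEC_WAN_FW
-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_bp dst -j RETURN
-A TP_SPEC_WAN_AC -j TP_SPEC_WAN_FW
-A TP_SPEC_WAN_FW -p tcp -j TPROXY --on-port 1080 --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
-A TP_SPEC_WAN_FW -p udp -j TPROXY --on-port 1081 --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
"""


def parse_rules(text):
    """Parse '-A CHAIN ... -j TARGET' lines into {chain: [rule, ...]}."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rule = {"set": None, "proto": None, "target": None, "args": []}
        i = 2
        while i < len(tok):
            if tok[i] == "--match-set":
                rule["set"] = (tok[i + 1], tok[i + 2])  # (ipset name, src|dst)
                i += 3
            elif tok[i] == "-p":
                rule["proto"] = tok[i + 1]
                i += 2
            elif tok[i] == "-j":
                rule["target"] = tok[i + 1]
                rule["args"] = tok[i + 2:]
                break
            else:
                i += 1
        chains.setdefault(tok[1], []).append(rule)
    return chains


CHAINS = parse_rules(RULES)


def walk(chain, pkt, ipsets):
    """Return a terminating verdict, or None when the chain returns to its caller."""
    for rule in CHAINS.get(chain, []):
        if rule["proto"] and rule["proto"] != pkt["proto"]:
            continue
        if rule["set"]:
            name, direction = rule["set"]
            addr = ipaddress.ip_address(pkt[direction])
            if not any(addr in net for net in ipsets.get(name, [])):
                continue
        if rule["target"] == "RETURN":
            return None  # back to the calling chain, which continues with its next rule
        if rule["target"] == "TPROXY":
            port = rule["args"][rule["args"].index("--on-port") + 1]
            return "TPROXY:" + port
        if rule["target"] in CHAINS:
            verdict = walk(rule["target"], pkt, ipsets)
            if verdict is not None:
                return verdict
    return None


def route(pkt, ipsets):
    """'DIRECT' means no TPROXY rule fired, so the packet never reaches Xray."""
    return walk("TP_SPEC_LAN_DG", pkt, ipsets) or "DIRECT"


def load_bypass(ipsets, wan_bp_ips, flush):
    """Assumed model of reloading tp_spec_dst_bp from wan_bp_ips.
    flush=False models a config change applied without clearing the old set."""
    current = [] if flush else list(ipsets.get("tp_spec_dst_bp", []))
    for cidr in wan_bp_ips:
        net = ipaddress.ip_network(cidr)
        if net not in current:
            current.append(net)
    ipsets["tp_spec_dst_bp"] = current
    return ipsets


def demo():
    # Constructed state: a private range in tp_spec_dst_sp, one LAN client,
    # and a destination that falls inside 104.16.0.0/12.
    sets = {"tp_spec_dst_sp": [ipaddress.ip_network("192.168.0.0/16")]}
    pkt = {"src": "192.168.1.100", "dst": "104.18.0.1", "proto": "tcp"}
    results = []
    load_bypass(sets, ["114.114.114.114", "104.16.0.0/12"], flush=True)
    results.append(route(pkt, sets))  # default config: destination is bypassed
    load_bypass(sets, ["114.114.114.114"], flush=False)
    results.append(route(pkt, sets))  # entry removed from config, stale set remains
    load_bypass(sets, ["114.114.114.114"], flush=True)
    results.append(route(pkt, sets))  # set rebuilt: packet is handed to TPROXY
    return results


if __name__ == "__main__":
    print(demo())
```

On a router, `ipset list tp_spec_dst_bp` shows the live contents of the set that the second step leaves stale.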

SasamiMasakiJurai commented on August 23, 2024

OK,
after rebooting the router,
everything works.
v2ex works too.

LitCcc commented on August 23, 2024

It works now. Thanks for the fix.

LitCcc commented on August 23, 2024

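I tested some more over the past couple of days. Another cause of this problem is having IPv6 enabled: Windows and Android prefer IPv6, which results in the domain names being polluted. The only remedy was rebooting the router, and the problem recurred after about 24 hours. The current workaround is to disable IPv6.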

yichya commented on August 23, 2024

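I tested some more over the past couple of days. Another cause of this problem is having IPv6 enabled: Windows and Android prefer IPv6, which results in the domain names being polluted. The only remedy was rebooting the router, and the problem recurred after about 24 hours. The current workaround is to disable IPv6.

There are no plans to do IPv6 for now...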

3xpert commented on August 23, 2024

Accessing apkmirror.com
The Cloudflare address range has already been removed from Bypassed IP
image
