clash icon indicating copy to clipboard operation
clash copied to clipboard

Published 20 hours ago verified publisher icon Dreamacro

[Bug] With fake-ip, I'm unable to connect to Samba/SMB servers from my Mac with Finder.

Open cyanlink opened this issue 2 years ago • 6 comments

Verify steps

  • [X] 如果你可以自己 debug 并解决的话,提交 PR 吧 Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.
  • [X] 我已经在 Issue Tracker 中找过我要提出的问题 I have searched on the issue tracker for a related issue.
  • [X] 我已经使用 dev 分支版本测试过,问题依旧存在 I have tested using the dev branch, and the issue still exists.
  • [X] 我已经仔细看过 Documentation 并无法自行解决问题 I have read the documentation and was unable to solve the issue.
  • [X] 这是 Clash 核心的问题,并非我所使用的 Clash 衍生版本(如 OpenClash、KoolClash 等)的特定问题 This is an issue of the Clash core per se, not to the derivatives of Clash, like OpenClash or KoolClash.

Clash version

2022.08.26 Premium (51626)

What OS are you seeing the problem on?

macOS

Clash config

dns:
  enable: true
  enhanced-mode: fake-ip
  nameserver:
    - 114.114.114.114
    - 223.5.5.5
    - 8.8.8.8
  fallback:
    - 1.1.1.1
  fake-ip-filter:
    - +.stun.*.*
    - +.stun.*.*.*
    - +.stun.*.*.*.*
    - +.stun.*.*.*.*.*
    - "*.n.n.srv.nintendo.net"
    - +.stun.playstation.net
    - xbox.*.*.microsoft.com
    - "*.*.xboxlive.com"
    - apps.apple.com
tun:
  enable: true
  stack: gvisor
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - any:53

Clash log

19:23:51 DBG [TCP] accept connection lAddr=198.18.0.1:51762 rAddr=gamingpc:445 inbound=TUN
19:23:51 DBG [Matcher] find process success addr=gamingpc path=/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent
19:23:51 WRN [Gvisor] can't create TCP Endpoint in ipstack error=connection was refused
19:23:51 DBG [TCP] accept connection lAddr=198.18.0.1:51764 rAddr=gamingpc:445 inbound=TUN
19:23:51 DBG [Matcher] find process failed error=no such process addr=gamingpc
19:23:52 DBG [DNS] dns response source=1.1.1.1:53 qType=A name=gamingpc. answer=[]
19:23:52 DBG [Matcher] resolve failed error=couldn't find ip: gamingpc host=gamingpc
19:23:52 DBG [Matcher] resolve failed error=couldn't find ip: gamingpc host=gamingpc
19:23:52 WRN [TCP] dial failed error=couldn't find ip: gamingpc proxy=🐟 漏网之鱼 rAddr=gamingpc:445 rule=Match rulePayload=
19:23:52 WRN [TCP] dial failed error=couldn't find ip: gamingpc proxy=🐟 漏网之鱼 rAddr=gamingpc:445 rule=Match rulePayload=
19:23:53 DBG [TCP] accept connection lAddr=198.18.0.1:51765 rAddr=gamingpc:445 inbound=TUN
19:23:53 DBG [Matcher] find process success addr=gamingpc path=/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent
19:23:53 DBG [Matcher] resolve failed error=couldn't find ip: gamingpc host=gamingpc
19:23:53 WRN [TCP] dial failed error=couldn't find ip: gamingpc proxy=🐟 漏网之鱼 rAddr=gamingpc:445 rule=Match rulePayload=
19:23:53 WRN [Gvisor] can't create TCP Endpoint in ipstack error=connection was refused
19:23:53 DBG [TCP] accept connection lAddr=198.18.0.1:51767 rAddr=gamingpc:445 inbound=TUN
19:23:53 DBG [Matcher] find process failed error=no such process addr=gamingpc
19:23:53 DBG [Matcher] resolve failed error=couldn't find ip: gamingpc host=gamingpc
19:23:53 WRN [TCP] dial failed error=couldn't find ip: gamingpc proxy=🐟 漏网之鱼 rAddr=gamingpc:445 rule=Match rulePayload=

Description

我使用的是Mac版Clash For Windows,使用Mac自带的Finder尝试访问Windows电脑上的Samba共享,在开启TUN模式使用fake-ip时,无法与samba服务器建立连接,关闭后可以正常访问。尝试过切换gvisor/system stack,问题依旧。将“gamingpc”加入fake-ip-filter无效,依旧会使gamingpc这个host走fake-ip,有时finder会提示“此文件服务器已在您的电脑上可用。请从本地访问宗卷和文件。”,依旧无法连接。

related: #242 #2307

我今天又用wireshark看了一下具体逻辑:

  1. 开启fake-ip TUN,访问smb://gamingpc,clash会产生fake ip(即使将gamingpc加入fake-ip-filter也会产生192.18.0.1:port的fake-ip,不知道为什么)并发送DNS请求(结果当然是no such name),之后又产生了NBNS查询并得到gamingpc的响应,但是finder会提示无法连接到此服务器,并且会出现连接到fake ip的connection refused。
  2. 开启fake ip TUN,访问smb://gamingpc.local,会走mDNS逻辑得到地址,能够正常访问samba服务器。
  3. 关闭fake ip TUN,访问smb://gamingpc,会产生DNS请求发现no such name,然后产生NBNS请求,从gamingpc处得到响应获得真实ip,能够正常访问。
  4. 关闭fake ip TUN,访问smb://gamingpc.local,同理会走mDNS逻辑,正常访问。

在Windows上,此问题表现为无法在Explorer的“网络”中主动发现主机,但可以通过在Explorer中输入\\gamingpc的方式连接,因为无论如何他都会走mDNS方式找到真实IP。 我分析的Mac Finder的逻辑是:通过NBNS查询NetBIOS记录,获得目标主机的IP地址列表(因为主机上装有VMWare的数个虚拟网卡,其IP形如192.168.xxx.1)然后开始轮询,最后找到能联通的那个。正常来说这几个IP都是不通的,但是TUN开启后,这几个192.168.xxx.1均会被映射到一个fake-ip,导致他尝试连接失败。最后他也不会去尝试联通同一个路由器子网下的主机真实IP。

cyanlink avatar Sep 23 '22 11:09 cyanlink

~~@Dreamacro 我发现向fake-ip-filter中添加 “.” 过滤即可去除NetBIOS主机名请求,使得SMB可以正常访问。~~ ~~@Fndroid 能否在CFW默认的TUN Mode配置文件中的fake-ip-filter中添加上“.”以解决此问题,谢谢!~~

cyanlink avatar Sep 25 '22 08:09 cyanlink

我是foobar.local这种地址无法解析。。。。 ※已添加*.local至TUN设置的fake-ip-filter

image

dns:
  enable: true
  enhanced-mode: fake-ip
  nameserver:
    - 8.8.8.8
    - 1.1.1.1
  fallback: []
  fake-ip-filter:
    - +.stun.*.*
    - +.stun.*.*.*
    - +.stun.*.*.*.*
    - +.stun.*.*.*.*.*
    - "*.n.n.srv.nintendo.net"
    - +.stun.playstation.net
    - xbox.*.*.microsoft.com
    - "*.*.xboxlive.com"
    - "*.msftncsi.com"
    - "*.msftconnecttest.com"
    - WORKGROUP
    - *.local
tun:
  enable: true
  stack: gvisor
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - any:53

NagaseYami avatar Oct 08 '22 11:10 NagaseYami

@NagaseYami 你这个是通过edge访问.local域名,我试了之后同样无法访问,同时log中也会出现.local泄露到常规dns查询中的现象,我通过win10文件管理器中输入\foobar.local的方式可以正常打开smb目录,log中不出现相关信息

cyanlink avatar Oct 08 '22 17:10 cyanlink

尝试添加本地 dns 到 nameserver 里,目前 dhcp 的 dns 在 windows 上会有一些小问题,不然直接添加一个 dhcp 的 dns 就行

Dreamacro avatar Oct 09 '22 11:10 Dreamacro

尝试添加本地 dns 到 nameserver 里,目前 dhcp 的 dns 在 windows 上会有一些小问题,不然直接添加一个 dhcp 的 dns 就行

并没有改善,我把nameserver设置成192.168.1.1,这次连[DNS] dns response的那一行DEBUG消息都没有了。 目前我的解决方案还是直接把域名和ip添加到hosts里(还好量不多)

NagaseYami avatar Oct 09 '22 11:10 NagaseYami