
[Bug] Behaviour of the upstream dependency sing-tun causes mihomo's NAT type to degrade

Open TGSAN opened this issue 9 months ago • 15 comments

Verification steps

  • [x] I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up options or default values that merely look useful.
  • [x] I have read the documentation carefully and it did not solve the problem
  • [x] I searched the Issue Tracker for the problem I am raising and did not find it
  • [x] I am a Chinese-speaking user, not a user of another language
  • [x] I have tested with the latest Alpha branch build and the problem persists
  • [x] I have provided server and client configuration files and a procedure that reproduce the problem locally, rather than a redacted, complex client configuration.
  • [x] I have provided the minimal configuration that reproduces the reported bug, rather than depending on remote servers or piling up configuration that is useless for reproduction.
  • [x] I have provided the complete log, rather than, out of confidence in my own intelligence, only the parts I considered useful.
  • [x] I reproduced the bug directly with the Mihomo command-line program, not with other tools or scripts.

Operating system

Windows

System version

Windows 11 10.0.26120.3360

Mihomo version

Mihomo Meta v1.19.3 windows amd64 with go1.24.0 Mon Mar 3 03:57:47 UTC 2025 Use tags: with_gvisor

Configuration file

mode: rule
ipv6: true
dns:
  enable: true
  ipv6: true
  use-system-hosts: true
  use-hosts: true
  enhanced-mode: redir-host
  nameserver:
  - system
  - dhcp://system
tun:
  enable: true
  mtu: 1500
  stack: system
  endpoint-independent-nat: true
  dns-hijack:
  - any:53
  - tcp://any:53
  inet4-route-exclude-address:
  - 0.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  inet6-route-exclude-address:
  - fc00::/7
  auto-route: true
  auto-detect-interface: true
  strict-route: true
rules:
- MATCH,DIRECT

Description

Background:

As mentioned in the earlier issue #281, when mihomo has TUN mode enabled, traffic that does not go through a proxy (DIRECT) sees its NAT behaviour degrade from the original Full Cone / Address Restricted Cone to Port Restricted Cone

Cause of the problem

I recently went through the mihomo project's code and found nothing suspicious, but I noticed that the dependency sing-tun has a fixWindowsFirewall method that adds the current process to a sing-tun firewall rule. This rule exists only so that TUN can work, but it affects mihomo's inbound behaviour (because it does not allow all inbound requests to the mihomo process), and because sing-tun added the firewall rule itself, the Windows firewall will not prompt again.

Verification

Since this problem is caused by sing-tun's behaviour, can it be remedied before sing-box takes action?
Reading the sing-tun code shows that if the current process is already in the Windows firewall rule list, fixWindowsFirewall will not overwrite the existing rule.

Verification method

Method 1

  1. Delete the firewall rule added by sing-tun
  2. Use another configuration file to make the mihomo process listen on a port; an example configuration follows:
mode: rule
ipv6: true
listeners:
- name: local-in
  type: shadowsocks
  port: 8888
  listen: 0.0.0.0
  cipher: none
  password: ""
  udp: true
  proxy: DIRECT
  3. Run mihomo so that it triggers the Windows firewall prompt
  4. Allow all inbound connections
  5. Run the client configuration again
  6. Check the NAT type: it is Full Cone

Method 2

  1. Delete the firewall rule added by sing-tun
  2. Manually add a process allow rule (UDP+TCP) to the Windows firewall
  3. Run the client configuration again
  4. Check the NAT type: it is Full Cone

Possible solutions

  1. When mihomo detects tun.enabled = true, listen on a port once before enabling TUN so that the Windows firewall prompt fires and adds an allow rule (visible to the user)
  2. When mihomo detects tun.enabled = true, add the correct firewall allow rules in advance before enabling TUN (silent, and more portable across platforms)

Steps to reproduce

  1. Test the native NAT type
  2. Start mihomo as administrator: sudo .\mihomo-windows-amd64.exe -f .\示例配置.yml
  3. Test the NAT type after TUN is enabled

Log

time="2025-03-03T19:45:41.076561200+08:00" level=info msg="Start initial configuration in progress"
time="2025-03-03T19:45:41.094132700+08:00" level=info msg="Geodata Loader mode: memconservative"
time="2025-03-03T19:45:41.094702700+08:00" level=info msg="Geosite Matcher implementation: succinct"
time="2025-03-03T19:45:41.113058300+08:00" level=info msg="Initial configuration complete, total time: 18ms"
time="2025-03-03T19:45:41.115204700+08:00" level=info msg="Sniffer is closed"
time="2025-03-03T19:45:42.555826600+08:00" level=info msg="[TUN] Tun adapter listening at: Meta([198.18.0.1/30],[fdfe:dcba:9876::1/126]), mtu: 1500, auto route: true, auto redir: false, ip stack: System"
time="2025-03-03T19:45:43.513909100+08:00" level=warning msg="[CacheFile] can't open cache file: timeout"
time="2025-03-03T19:45:43.514461000+08:00" level=info msg="Start initial Compatible provider default"
time="2025-03-03T19:45:43.785436300+08:00" level=info msg="[UDP] 198.18.0.1:9993 --> 223.167.203.237:27774 match Match using proxy"
time="2025-03-03T19:45:43.785436300+08:00" level=info msg="[UDP] 198.18.0.1:30600 --> 223.167.203.237:27774 match Match using proxy"
time="2025-03-03T19:45:43.785436300+08:00" level=info msg="[UDP] 198.18.0.1:47964 --> 223.167.203.237:27774 match Match using proxy"
time="2025-03-03T19:45:43.856377800+08:00" level=info msg="[TCP] 198.18.0.1:58621 --> westus-0.in.applicationinsights.azure.com:443 match Match using proxy"
time="2025-03-03T19:45:43.856377800+08:00" level=info msg="[TCP] 198.18.0.1:58619 --> www.msftconnecttest.com:80 match Match using proxy"
time="2025-03-03T19:45:43.856906300+08:00" level=info msg="[TCP] 198.18.0.1:58618 --> westus-0.in.applicationinsights.azure.com:443 match Match using proxy"
time="2025-03-03T19:45:43.856906300+08:00" level=info msg="[TCP] 198.18.0.1:58622 --> westus-0.in.applicationinsights.azure.com:443 match Match using proxy"
time="2025-03-03T19:45:43.878073500+08:00" level=info msg="[TCP] 198.18.0.1:50433 --> prod-japaneast.access-point.cloudmessaging.edge.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:45:44.934217300+08:00" level=info msg="[TCP] 198.18.0.1:49980 --> 112.65.193.155:80 match Match using proxy"
time="2025-03-03T19:45:44.935801500+08:00" level=info msg="[TCP] 198.18.0.1:49983 --> 112.65.193.154:8080 match Match using proxy"
time="2025-03-03T19:45:44.953585800+08:00" level=info msg="[TCP] 198.18.0.1:49986 --> 140.207.56.26:80 match Match using proxy"
time="2025-03-03T19:45:44.981937000+08:00" level=info msg="[TCP] 198.18.0.1:49989 --> dns.weixin.qq.com:443 match Match using proxy"
time="2025-03-03T19:45:45.016312100+08:00" level=info msg="[TCP] 198.18.0.1:49996 --> 112.65.193.155:80 match Match using proxy"
time="2025-03-03T19:45:45.673467100+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:49999 --> [2001:b28:f23f:f005::a]:443 match Match using proxy"
time="2025-03-03T19:45:45.771374700+08:00" level=info msg="[TCP] 198.18.0.1:50065 --> geo.prod.do.dsp.mp.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:45:46.653534900+08:00" level=info msg="[TCP] 198.18.0.1:50074 --> kv801.prod.do.dsp.mp.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:45:46.670459800+08:00" level=info msg="[TCP] 198.18.0.1:50076 --> 149.154.171.5:5222 match Match using proxy"
time="2025-03-03T19:45:47.076447300+08:00" level=info msg="[TCP] 198.18.0.1:50080 --> prod-japaneast.access-point.cloudmessaging.edge.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:45:48.172812400+08:00" level=info msg="[TCP] 198.18.0.1:50084 --> 112.65.193.155:80 match Match using proxy"
time="2025-03-03T19:45:48.173342600+08:00" level=info msg="[TCP] 198.18.0.1:50085 --> 111.206.148.27:443 match Match using proxy"
time="2025-03-03T19:45:48.173342600+08:00" level=info msg="[TCP] 198.18.0.1:50086 --> 112.65.193.165:8080 match Match using proxy"
time="2025-03-03T19:45:48.189150900+08:00" level=info msg="[TCP] 198.18.0.1:50093 --> 182.50.15.148:80 match Match using proxy"
time="2025-03-03T19:45:49.678982200+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50099 --> [2001:b28:f23f:f005::a]:80 match Match using proxy"
time="2025-03-03T19:45:51.637222900+08:00" level=info msg="[TCP] 198.18.0.1:50110 --> api.github.com:443 match Match using proxy"
time="2025-03-03T19:45:51.637769400+08:00" level=info msg="[TCP] 198.18.0.1:50111 --> collector.github.com:443 match Match using proxy"
time="2025-03-03T19:45:52.909275700+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50117 --> tools.bili.info:443 match Match using proxy"
time="2025-03-03T19:45:53.045463200+08:00" level=info msg="[UDP] 198.18.0.1:52389 --> dns.alidns.com:443 match Match using proxy"
time="2025-03-03T19:45:53.054135700+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50119 --> dns.alidns.com:443 match Match using proxy"
time="2025-03-03T19:45:53.056880000+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50121 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:45:53.327381300+08:00" level=info msg="[UDP] 198.18.0.1:51262 --> 106.12.251.193:3478 match Match using proxy"
time="2025-03-03T19:45:53.327890100+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51265 --> [240c:4081:ffff:fffe:0:22:0:21c]:3479 match Match using proxy"
time="2025-03-03T19:45:53.444164700+08:00" level=info msg="[UDP] 198.18.0.1:51266 --> 180.76.162.88:53007 match Match using proxy"
time="2025-03-03T19:45:53.444694600+08:00" level=info msg="[UDP] 198.18.0.1:51268 --> 106.12.251.52:53007 match Match using proxy"
time="2025-03-03T19:45:53.445225000+08:00" level=info msg="[UDP] 198.18.0.1:51270 --> 106.12.251.193:53007 match Match using proxy"
time="2025-03-03T19:45:53.445760000+08:00" level=info msg="[UDP] 198.18.0.1:51272 --> 106.13.249.54:53007 match Match using proxy"
time="2025-03-03T19:45:53.446405900+08:00" level=info msg="[UDP] 198.18.0.1:51274 --> 106.12.251.31:53007 match Match using proxy"
time="2025-03-03T19:45:53.446958300+08:00" level=info msg="[UDP] 198.18.0.1:51276 --> 106.13.248.6:53007 match Match using proxy"
time="2025-03-03T19:45:53.447504200+08:00" level=info msg="[UDP] 198.18.0.1:51278 --> 106.12.71.140:53007 match Match using proxy"
time="2025-03-03T19:45:53.448075300+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51281 --> [240c:4084:ff00::a:0:2d3]:53007 match Match using proxy"
time="2025-03-03T19:45:53.449149000+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51283 --> [240c:4084:ff00::a:0:393]:53007 match Match using proxy"
time="2025-03-03T19:45:53.450210300+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51285 --> [240c:4081:ffff:fffe:0:22:0:1cc]:53007 match Match using proxy"
time="2025-03-03T19:45:53.450783700+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51287 --> [240c:4081:ffff:fffe:0:22:0:21c]:53007 match Match using proxy"
time="2025-03-03T19:45:53.450783700+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51289 --> [240c:4081:ffff:fffe:0:22:0:311]:53007 match Match using proxy"
time="2025-03-03T19:45:53.451323200+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51291 --> [240c:4084:ff00::a:0:231]:53007 match Match using proxy"
time="2025-03-03T19:45:53.451860100+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51293 --> [240c:4084:ff00::a:0:296]:53007 match Match using proxy"
time="2025-03-03T19:45:53.452391100+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51295 --> [240c:4084:ff00::a:0:2a8]:53007 match Match using proxy"
time="2025-03-03T19:45:53.518515200+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50130 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:45:53.584508900+08:00" level=info msg="[TCP] 198.18.0.1:50135 --> functional.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:45:53.585586000+08:00" level=info msg="[UDP] 198.18.0.1:51330 --> 180.76.162.88:53007 match Match using proxy"
time="2025-03-03T19:45:53.677954100+08:00" level=info msg="[TCP] 198.18.0.1:50137 --> 149.154.171.5:443 match Match using proxy"
time="2025-03-03T19:45:54.669938000+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50143 --> main.vscode-cdn.net:443 match Match using proxy"
time="2025-03-03T19:45:58.308176100+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50208 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:45:58.521824100+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50213 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:45:58.801975800+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50218 --> www.bing.com:443 match Match using proxy"
time="2025-03-03T19:46:00.006378200+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:50225 --> [2001:0:2851:b9f0:282d:f4f9:20b6:e785]:7680 match Match using proxy"
time="2025-03-03T19:46:00.007458200+08:00" level=info msg="[TCP] 198.18.0.1:50227 --> 60.26.203.64:7680 match Match using proxy"
time="2025-03-03T19:46:00.009060500+08:00" level=info msg="[TCP] 198.18.0.1:50230 --> 112.224.179.68:7680 match Match using proxy"
time="2025-03-03T19:46:01.250241700+08:00" level=info msg="[UDP] 198.18.0.1:65249 --> npm.iloli.tv:443 match Match using proxy"
time="2025-03-03T19:46:01.393503900+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:61154 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:46:01.421179200+08:00" level=info msg="[TCP] 198.18.0.1:61159 --> 149.154.171.5:80 match Match using proxy"
time="2025-03-03T19:46:01.832665500+08:00" level=info msg="[UDP] 198.18.0.1:51331 --> 106.12.251.52:3478 match Match using proxy"
time="2025-03-03T19:46:01.832665500+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51334 --> [240c:4081:ffff:fffe:0:22:0:21c]:3479 match Match using proxy"
time="2025-03-03T19:46:01.956712200+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:61163 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:46:01.976528400+08:00" level=info msg="[UDP] 198.18.0.1:51335 --> 106.12.251.31:53007 match Match using proxy"
time="2025-03-03T19:46:01.977587300+08:00" level=info msg="[UDP] 198.18.0.1:51337 --> 106.13.248.6:53007 match Match using proxy"
time="2025-03-03T19:46:01.978111700+08:00" level=info msg="[UDP] 198.18.0.1:51339 --> 106.12.71.140:53007 match Match using proxy"
time="2025-03-03T19:46:01.978111700+08:00" level=info msg="[UDP] 198.18.0.1:51341 --> 180.76.162.88:53007 match Match using proxy"
time="2025-03-03T19:46:01.978650900+08:00" level=info msg="[UDP] 198.18.0.1:51343 --> 106.12.251.52:53007 match Match using proxy"
time="2025-03-03T19:46:01.979197200+08:00" level=info msg="[UDP] 198.18.0.1:51347 --> 106.12.251.193:53007 match Match using proxy"
time="2025-03-03T19:46:01.979197200+08:00" level=info msg="[UDP] 198.18.0.1:51349 --> 106.13.249.54:53007 match Match using proxy"
time="2025-03-03T19:46:01.979722500+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51352 --> [240c:4081:ffff:fffe:0:22:0:1cc]:53007 match Match using proxy"
time="2025-03-03T19:46:01.980274700+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51354 --> [240c:4081:ffff:fffe:0:22:0:21c]:53007 match Match using proxy"
time="2025-03-03T19:46:01.980803800+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51356 --> [240c:4081:ffff:fffe:0:22:0:311]:53007 match Match using proxy"
time="2025-03-03T19:46:01.980803800+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51358 --> [240c:4084:ff00::a:0:231]:53007 match Match using proxy"
time="2025-03-03T19:46:01.981911800+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51360 --> [240c:4084:ff00::a:0:296]:53007 match Match using proxy"
time="2025-03-03T19:46:01.981911800+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51362 --> [240c:4084:ff00::a:0:2a8]:53007 match Match using proxy"
time="2025-03-03T19:46:01.982444600+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51364 --> [240c:4084:ff00::a:0:2d3]:53007 match Match using proxy"
time="2025-03-03T19:46:01.982974000+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:51366 --> [240c:4084:ff00::a:0:393]:53007 match Match using proxy"
time="2025-03-03T19:46:02.101435100+08:00" level=info msg="[UDP] 198.18.0.1:51371 --> 106.12.251.31:53007 match Match using proxy"
time="2025-03-03T19:46:06.264829600+08:00" level=info msg="[TCP] 198.18.0.1:59799 --> client.wns.windows.com:443 match Match using proxy"
time="2025-03-03T19:46:06.497972600+08:00" level=info msg="[TCP] 198.18.0.1:59801 --> self.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:46:06.588614800+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:59804 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:46:06.824136200+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:59812 --> rescdn.qqmail.com:443 match Match using proxy"
time="2025-03-03T19:46:06.959243700+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:59816 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:46:07.959734900+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:49332 --> aegis.qq.com:443 match Match using proxy"
time="2025-03-03T19:46:08.310090800+08:00" level=info msg="[TCP] 198.18.0.1:49337 --> 58.254.165.52:443 match Match using proxy"
time="2025-03-03T19:46:11.185103300+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:49351 --> tpstelemetry.tencent.com:443 match Match using proxy"
time="2025-03-03T19:46:11.501441500+08:00" level=info msg="[TCP] 198.18.0.1:49355 --> self.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:46:17.141453100+08:00" level=info msg="[UDP] 198.18.0.1:59325 --> dns.alidns.com:443 match Match using proxy"
time="2025-03-03T19:46:17.149176200+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:49406 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:46:17.424176200+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:49411 --> [2001:b28:f23f:f005::a]:5222 match Match using proxy"
time="2025-03-03T19:46:18.074642300+08:00" level=info msg="[UDP] 198.18.0.1:63239 --> 106.12.251.52:3478 match Match using proxy"
time="2025-03-03T19:46:18.074642300+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:63242 --> [240c:4081:ffff:fffe:0:22:0:1cc]:3479 match Match using proxy"
time="2025-03-03T19:46:18.203943200+08:00" level=info msg="[UDP] 198.18.0.1:63243 --> 180.76.162.88:53007 match Match using proxy"
time="2025-03-03T19:46:18.204471100+08:00" level=info msg="[UDP] 198.18.0.1:63245 --> 106.12.71.140:53007 match Match using proxy"
time="2025-03-03T19:46:18.205001600+08:00" level=info msg="[UDP] 198.18.0.1:63247 --> 106.12.251.31:53007 match Match using proxy"
time="2025-03-03T19:46:18.205523200+08:00" level=info msg="[UDP] 198.18.0.1:63249 --> 106.12.251.52:53007 match Match using proxy"
time="2025-03-03T19:46:18.205523200+08:00" level=info msg="[UDP] 198.18.0.1:63251 --> 106.12.251.193:53007 match Match using proxy"
time="2025-03-03T19:46:18.206059700+08:00" level=info msg="[UDP] 198.18.0.1:63253 --> 106.13.248.6:53007 match Match using proxy"
time="2025-03-03T19:46:18.206582500+08:00" level=info msg="[UDP] 198.18.0.1:63255 --> 106.13.249.54:53007 match Match using proxy"
time="2025-03-03T19:46:18.207623900+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:63258 --> [240c:4084:ff00::a:0:393]:53007 match Match using proxy"
time="2025-03-03T19:46:18.208128600+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:63262 --> [240c:4081:ffff:fffe:0:22:0:311]:53007 match Match using proxy"
time="2025-03-03T19:46:18.208128600+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:63260 --> [240c:4084:ff00::a:0:296]:53007 match Match using proxy"
time="2025-03-03T19:46:18.208658000+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:63264 --> [240c:4084:ff00::a:0:2a8]:53007 match Match using proxy"
time="2025-03-03T19:46:18.208658000+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:63266 --> [240c:4084:ff00::a:0:2d3]:53007 match Match using proxy"
time="2025-03-03T19:46:18.209201000+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:63268 --> [240c:4081:ffff:fffe:0:22:0:1cc]:53007 match Match using proxy"
time="2025-03-03T19:46:18.209742900+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:63270 --> [240c:4081:ffff:fffe:0:22:0:21c]:53007 match Match using proxy"
time="2025-03-03T19:46:18.210272400+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:63272 --> [240c:4084:ff00::a:0:231]:53007 match Match using proxy"
time="2025-03-03T19:46:18.336214400+08:00" level=info msg="[UDP] 198.18.0.1:63565 --> 180.76.162.88:53007 match Match using proxy"
time="2025-03-03T19:46:18.497093900+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:63567 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:46:22.152032500+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:63576 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:46:22.434651500+08:00" level=info msg="[TCP] 198.18.0.1:63581 --> self.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:46:23.500939400+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:63584 --> dns.google:443 match Match using proxy"
time="2025-03-03T19:46:25.670197400+08:00" level=info msg="[TCP] 198.18.0.1:63589 --> gateway.discord.gg:443 match Match using proxy"
time="2025-03-03T19:46:26.097171600+08:00" level=info msg="[TCP] 198.18.0.1:63592 --> gateway.discord.gg:443 match Match using proxy"
time="2025-03-03T19:46:27.436989400+08:00" level=info msg="[TCP] 198.18.0.1:63595 --> self.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:46:33.417651300+08:00" level=info msg="[TCP] 198.18.0.1:63613 --> 91.108.56.138:443 match Match using proxy"
time="2025-03-03T19:46:36.541466700+08:00" level=info msg="[TCP] 198.18.0.1:51313 --> self.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:46:40.227725700+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:51319 --> [2001:0:2851:b9f0:109e:7a52:82ab:99e9]:7680 match Match using proxy"
time="2025-03-03T19:46:40.227725700+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:51318 --> [2001:0:2851:b9f0:3821:b7cc:c4d5:da58]:7680 match Match using proxy"
time="2025-03-03T19:46:40.227725700+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:51317 --> [2001:0:2851:b9f0:2419:7c8f:4827:e1f9]:7680 match Match using proxy"
time="2025-03-03T19:46:41.544869700+08:00" level=info msg="[TCP] 198.18.0.1:51359 --> self.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:46:45.610178100+08:00" level=info msg="[TCP] 198.18.0.1:51366 --> chn.sharepoint.cn:443 match Match using proxy"
time="2025-03-03T19:46:49.421413900+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:51386 --> [2001:b28:f23f:f005::a]:443 match Match using proxy"
time="2025-03-03T19:46:51.599282400+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:51398 --> edge.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:46:53.182433000+08:00" level=info msg="[TCP] 198.18.0.1:62894 --> self.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:46:53.972608400+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:9993 --> [2605:9880:400:c3:254:f2bc:a1f7:19]:9993 match Match using proxy"
time="2025-03-03T19:46:53.972608400+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:47964 --> [2605:9880:400:c3:254:f2bc:a1f7:19]:9993 match Match using proxy"
time="2025-03-03T19:46:53.972608400+08:00" level=info msg="[UDP] [fdfe:dcba:9876::1]:30600 --> [2605:9880:400:c3:254:f2bc:a1f7:19]:9993 match Match using proxy"
time="2025-03-03T19:46:58.185805600+08:00" level=info msg="[TCP] 198.18.0.1:62897 --> self.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:47:04.512999600+08:00" level=info msg="[TCP] 198.18.0.1:53274 --> westus-0.in.applicationinsights.azure.com:443 match Match using proxy"
time="2025-03-03T19:47:05.420262200+08:00" level=info msg="[TCP] 198.18.0.1:53294 --> 149.154.171.5:5222 match Match using proxy"
time="2025-03-03T19:47:06.602388100+08:00" level=info msg="[TCP] 198.18.0.1:53297 --> westus-0.in.applicationinsights.azure.com:443 match Match using proxy"
time="2025-03-03T19:47:06.602951700+08:00" level=info msg="[TCP] 198.18.0.1:53298 --> westus-0.in.applicationinsights.azure.com:443 match Match using proxy"
time="2025-03-03T19:47:16.559012100+08:00" level=info msg="[TCP] 198.18.0.1:53314 --> 36.248.45.36:443 match Match using proxy"
time="2025-03-03T19:47:16.559012100+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:53315 --> [2408:873d:a00::5c]:443 match Match using proxy"
time="2025-03-03T19:47:17.903591600+08:00" level=info msg="[TCP] 198.18.0.1:53327 --> software-download.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:47:20.059531800+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:53347 --> [2001:0:2851:b9f0:34ce:b5dd:848f:76a6]:7680 match Match using proxy"
time="2025-03-03T19:47:20.060602100+08:00" level=info msg="[TCP] 198.18.0.1:53349 --> 106.39.101.137:7680 match Match using proxy"
time="2025-03-03T19:47:20.061694700+08:00" level=info msg="[TCP] 198.18.0.1:53352 --> 210.21.126.5:7680 match Match using proxy"
time="2025-03-03T19:47:21.452970000+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:53367 --> tpstelemetry.tencent.com:443 match Match using proxy"
time="2025-03-03T19:47:21.452970000+08:00" level=info msg="[TCP] [fdfe:dcba:9876::1]:53368 --> [2001:b28:f23f:f005::a]:80 match Match using proxy"
time="2025-03-03T19:47:26.306259300+08:00" level=info msg="[TCP] 198.18.0.1:53385 --> gateway.discord.gg:443 match Match using proxy"
time="2025-03-03T19:47:26.383024600+08:00" level=info msg="[TCP] 198.18.0.1:53388 --> gateway.discord.gg:443 match Match using proxy"
time="2025-03-03T19:47:27.375895700+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.386960700+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.407464500+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.429961600+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.491597500+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53396 --> client.wns.windows.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.497388400+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.501831200+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53396 --> client.wns.windows.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.521261100+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53396 --> client.wns.windows.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.559386100+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53396 --> client.wns.windows.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.616005400+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53396 --> client.wns.windows.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.655697400+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53396 --> client.wns.windows.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.657160400+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.693480900+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:27.912619500+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53396 --> client.wns.windows.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:28.103917300+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53396 --> client.wns.windows.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:28.242535500+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:28.846274800+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:29.007078800+08:00" level=warning msg="[TCP] dial proxy (match Match/) 198.18.0.1:53396 --> client.wns.windows.com:443 error: 127.0.0.1:8888 connect error: connect failed: dial tcp 127.0.0.1:8888: connectex: No connection could be made because the target machine actively refused it."
time="2025-03-03T19:47:29.747746000+08:00" level=info msg="[TCP] 198.18.0.1:53391 --> mobile.events.data.microsoft.com:443 match Match using proxy"
time="2025-03-03T19:47:30.008882000+08:00" level=info msg="[TCP] 198.18.0.1:53396 --> client.wns.windows.com:443 match Match using proxy"
time="2025-03-03T19:47:31.149544300+08:00" level=warning msg="Mihomo shutting down"

TGSAN avatar Mar 03 '25 12:03 TGSAN
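As an added example (not code from the issue, mihomo or sing-tun), the check behind Method 2 and proposed solution 2 in PowerShell: list the inbound Windows Firewall rules bound to the mihomo executable, report whether TCP and UDP inbound are each covered by an enabled Allow rule, and, with -Fix, add whichever allow rule is missing. The executable path and the rule names are assumptions; run it from an elevated PowerShell.

```powershell
# Added example, not code from mihomo or sing-tun.
# Assumption: mihomo lives at $Exe; the rule names below are arbitrary.
param(
    [string]$Exe = 'C:\mihomo\mihomo-windows-amd64.exe',   # assumed path
    [switch]$Fix                                           # add missing rules when set
)

# Windows keeps a rule's program path in its application filter, so start from
# the filters that point at $Exe and walk back to their inbound rules.
function Get-ExeInboundRules {
    param([string]$Path)
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and ($_.Program -ieq $Path) } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name     = $_.DisplayName
                Enabled  = $_.Enabled
                Action   = $_.Action
                Profile  = $_.Profile
                Protocol = $port.Protocol     # 'TCP', 'UDP' or 'Any'
            }
        }
}

# A protocol counts as allowed when an enabled Allow rule names it or 'Any'.
# This is the gap the issue describes: a TCP-only rule silences the firewall
# prompt while UDP inbound to the process stays blocked by the default policy.
function Test-ProtocolAllowed {
    param([object[]]$Rules, [string]$Proto)
    foreach ($r in $Rules) {
        if ($r.Enabled -eq 'True' -and $r.Action -eq 'Allow' -and
            ($r.Protocol -eq $Proto -or $r.Protocol -eq 'Any')) { return $true }
    }
    return $false
}

$rules = @(Get-ExeInboundRules -Path $Exe)
if ($rules.Count -eq 0) {
    Write-Host "No inbound rule references $Exe; Windows would prompt on first listen."
} else {
    $rules | Format-Table -AutoSize
}

$tcpOk = Test-ProtocolAllowed -Rules $rules -Proto 'TCP'
$udpOk = Test-ProtocolAllowed -Rules $rules -Proto 'UDP'
Write-Host ("TCP inbound allowed: {0}   UDP inbound allowed: {1}" -f $tcpOk, $udpOk)

if ($Fix) {
    # Equivalent of Method 2: one Allow rule per protocol on every profile, so the
    # result does not depend on whether the TUN adapter is public or private.
    foreach ($proto in 'TCP', 'UDP') {
        $already = if ($proto -eq 'TCP') { $tcpOk } else { $udpOk }
        if (-not $already) {
            New-NetFirewallRule -DisplayName "mihomo inbound $proto (manual)" `
                -Direction Inbound -Action Allow -Profile Any `
                -Program $Exe -Protocol $proto | Out-Null
            Write-Host "Added inbound $proto allow rule for $Exe"
        }
    }
}
```

Running it without -Fix after TUN has been enabled once shows the state the issue describes (TCP allowed, UDP not); a rule created by sing-tun that no longer appears in Control Panel's "Allowed apps" still shows up here, since the cmdlets read the advanced firewall store.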

The rule sing-tun adds is an "allow" rule; it has nothing to do with your firewall blocking other traffic by default. Check whether the TUN adapter is on a "private network", allow the NAT test software through, and make sure no other firewall rules are interfering.

dyhkwong avatar Mar 03 '25 12:03 dyhkwong

The rule sing-tun adds is an "allow" rule; it has nothing to do with your firewall blocking other traffic by default. Check whether the TUN adapter is on a "private network", allow the NAT test software through, and make sure no other firewall rules are interfering.

  1. The TUN adapter is on a public network

[screenshot]

  2. The NAT test software is allowed through; otherwise deleting the sing-tun rule and re-adding one would not turn the result into Full Cone, and mihomo would not show Full Cone when everything goes through proxy but Port Restricted Cone when everything goes DIRECT

TGSAN avatar Mar 03 '25 12:03 TGSAN

The rule sing-tun adds is an "allow" rule; it has nothing to do with your firewall blocking other traffic by default. Check whether the TUN adapter is on a "private network", allow the NAT test software through, and make sure no other firewall rules are interfering.

Also, the rule sing-tun adds is a TCP "allow" rule, not a UDP "allow" rule, but because a custom rule has been defined instead of the system's per-process rule, the system will not pop up a prompt to add a new rule either.

[screenshot]

In this situation it becomes: TCP inbound allowed, UDP inbound blocked

TGSAN avatar Mar 03 '25 12:03 TGSAN

The TUN adapter is on a public network

Change it to a private network yourself and add the corresponding rules, SagerNet/sing-tun#31. If you choose to enable a firewall that blocks the application's normal functioning, you should handle it yourself; the application cannot solve the firewall-rule problem for you in every situation.

dyhkwong avatar Mar 03 '25 13:03 dyhkwong

The TUN adapter is on a public network

Change it to a private network yourself and add the corresponding rules, SagerNet/sing-tun#31. If you choose to enable a firewall that blocks the application's normal functioning, you should handle it yourself; the application cannot solve the firewall-rule problem for you in every situation.

If you say "you choose to enable a firewall that blocks the application's normal functioning", then how do you explain sing adding rules to the firewall? By that logic it should tell users to turn the firewall off; adding rules to a firewall that is turned off is pointless

sorayuki avatar Mar 03 '25 13:03 sorayuki

then how do you explain sing adding rules to the firewall

Actually users should add the firewall rules themselves; the rule that was added automatically back then was basically there to stop novices complaining

The adapter created by default is on a "public network"; changing it to "private network" has to be done manually, so the added rule also targets "public network" only.

dyhkwong avatar Mar 03 '25 13:03 dyhkwong

The adapter created by default is on a "public network"; changing it to "private network" has to be done manually, so the added rule also targets "public network" only.

First, this issue has never been about public versus private network. The TUN adapter's type only affects the application-layer behaviour of applications bound to that adapter, whereas mihomo is bound to the physical adapter, and even if the physical adapter is on a private network, that does not change the default inbound behaviour.

TGSAN avatar Mar 03 '25 13:03 TGSAN

Adding no rule = the user gets to choose for themselves
Adding only a TCP allow rule = prevents the user from choosing and blocks UDP. Since the current behaviour already interferes with the user's own choice, "add the firewall rules yourself" does not hold up either

TGSAN avatar Mar 03 '25 13:03 TGSAN

According to earlier reports, on Windows you must switch to a private network to avoid the "NAT degradation". The TCP allow rule was added so that the system stack works properly, and it does not conflict with other allow rules. No rule = blocked by default; regardless of whether the TCP allow rule is added, a UDP bind on any is blocked by the firewall by default, isn't it? Do you mean that the rule added by default prevents the further prompt from appearing? If so, my suggestion is to add an option in metacubex/sing-tun that does not touch the firewall, or simply delete this feature and let users handle it themselves.

dyhkwong avatar Mar 03 '25 13:03 dyhkwong

Do you mean that the rule added by default prevents the further prompt from appearing? If so, my suggestion is to add an option in metacubex/sing-tun that does not touch the firewall, or simply delete this feature and let users handle it themselves.

Yes. If a rule has been added, the prompt that lets the user choose will not appear. Also, because of the unusual way sing-tun adds the rule, the Remove button in Control Panel's "Allowed apps" turns grey (according to the documentation, if an application takes over the firewall settings instead of appending to them, users are not allowed to modify them by default), and the rule can only be deleted in the advanced firewall settings.

[screenshot]

[screenshot]

TGSAN avatar Mar 03 '25 13:03 TGSAN

The reason I did not raise this in sing-tun is that, considering code synchronisation, it may become troublesome when syncing with upstream in the future. Also, I am not sure whether mihomo currently depends on the original repository or a fork, and the fork repository has Issues disabled.

TGSAN avatar Mar 03 '25 13:03 TGSAN

#281 mentions the test was done with NatTypeTester, but an allow-list-based firewall degrades NAT filtering behaviour; without disabling the firewall (or switching the adapter to a private network so that any inbound traffic is allowed) it should not be possible to measure Endpoint Independent NAT filtering. Could you test NAT Behavior Discovery with https://github.com/ccding/go-stun instead? Allowing the proxy software's UDP does not seem to be necessary for normal use of the system stack.

dyhkwong avatar Mar 03 '25 18:03 dyhkwong

What I have been saying all along is that sing-tun's firewall rule affects mihomo; it has nothing to do with the tun feature itself. Please read the whole thing before replying. As long as this rule is written, it affects all of mihomo's direct outbound. For example, once tun has been enabled from the current path, any mihomo run from that path in future, even as a server, will also show port-restricted NAT behaviour.

TGSAN avatar Mar 03 '25 20:03 TGSAN

If you think this behaviour will not occur, you can reset the Windows firewall and then follow the reproduction steps. This is an issue, not a discussion; please do not discuss unrelated matters, thank you.

TGSAN avatar Mar 03 '25 20:03 TGSAN

I can confirm this problem exists. Enabling tun mode causes the NAT filtering mode to degrade from Endpoint independent to Address and port dependent. It recovers after turning it off.

Rigel7 avatar Mar 06 '25 15:03 Rigel7