Why does Rule mode not route as expected?
Rules may need review because of order, wrong policy group names, DNS resolution timing, unsupported rule types, stale GEOSITE/GEOIP data or a broader rule matching before the intended one.
Detailed notes about YAML syntax, domain rules, fake-ip, redir-host, GEOIP/GEOSITE, DNS privacy notes, IPv6, TUN and local routing.
Troubleshoot YAML rules, Fake-IP, DNS privacy, GEO data, IPv6, TUN permissions and custom routing behavior.
YAML status messages usually come from indentation, tabs, missing commas in rules, duplicated names or unsupported fields. Fix the first parser status message shown in the log before editing later lines.
DNS privacy checks help confirm whether domain queries use the intended resolver path. Use the client DNS feature consistently, avoid mixed system resolvers and test after enabling TUN or fake-ip.
fake-ip maps a domain to a reserved synthetic IP so Clash can recover the original domain later. redir-host resolves real addresses directly, which can be simpler but may reduce domain-aware routing accuracy in intercepted traffic.
GEOSITE and GEOIP data should be updated when rule behavior becomes stale, regional services change, or the profile depends heavily on domain and country-code matching.
To force one website through proxy or direct routing, add a domain rule above broader catch-all rules and point it to the intended policy group. Rule order matters more than the visual position in a GUI.
Rule Provider subscription update prompts usually come from unreachable URLs, wrong behavior type, unsupported format, file permission issues or a provider returning an HTML status message page instead of rules.
TUN mode needs administrator or system permission because it creates a virtual network interface and modifies routing. Without permission, the client may start without capturing traffic.
If TUN causes connection problems, disable it first, confirm normal system proxy works, then check route auto-detection, DNS mode, administrator permission, IPv6 and conflicts with other VPN software.
mixed-port accepts both HTTP and SOCKS traffic on one local port, while separate HTTP and SOCKS ports split those protocols. Use the port that your browser, app or extension is configured to use.
IPv6 traffic needs rules and DNS behavior that can match IPv6 addresses. If only IPv4 ranges are covered, some traffic may use a different policy under TUN.
YAML depends on spaces, indentation and list markers. Use spaces instead of tabs, keep comments outside values, and validate after every manual edit.
Separate nameserver, fallback, fake-ip, redir-host and fake-ip-filter checks.
Disable TUN first, then check adapter, DNS hijack, routes and permission.
Use DOMAIN, GEOIP, Rule Provider and MATCH examples with clear order.