Symptoms: what breaks first when Fake-IP meets your LAN?
Users describe the regression in repeatable ways after enabling Clash Fake-IP (sometimes labeled enhanced-mode: fake-ip depending on core and GUI wording). Printer discovery stalls; print jobs linger in queues and then error with generic network faults. Mapped drives to a NAS host name crawl or authenticate against the wrong subnet. Plex, Jellyfin, or vendor mobile apps suddenly insist the server is unreachable even though pings from the LAN still work—because the failing path is DNS plus policy, not Ethernet.
Router administration pages reachable at literals such as 192.168.1.1 or 10.0.0.1 sometimes continue to operate while symbolic names advertised by routers (routerlogin.net or similar captive portal brands) degrade, because traffic still hits resolver indirection unless you carve those patterns out cleanly. Chromecasts, multicast discovery, AirPlay, or enterprise captive portals amplify the grief because portions of discovery remain local while outbound rule evaluation still tries to coerce everything through proxies that reject private hops.
None of that means Fake-IP is wrong for everyone; it only means Fake-IP is intolerant of misconfiguration on anything that genuinely must remain on RFC1918 space. Fixing it is narrower than rewriting an entire routing profile—you adjust DNS filtering and place a handful of deterministic rules ahead of GEOIP grabs.
Why Clash Fake-IP breaks local semantics
At a simplified level, Fake-IP hands applications immediate synthetic answers so connections can attach policy before the outbound dial completes. Clients stop waiting on full recursive resolution for domains you intend to split-route. Speed and consistency rise for large international sites. The downside: anything that depended on truthful local answers now receives placeholders until the proxy core maps them backward on connect. That is fine for public internet origins; it collapses awkwardly when the origin was already supposed to remain RFC1918: the private IPv4 allocations 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, plus link-local 169.254.0.0/16 and loopback 127.0.0.0/8 for completeness in hardening templates.
If your printer or NAS hostname accidentally passes through the Fake-IP pipeline, the operating system believes it is opening a socket to an address that only your Clash core understands. Some stacks recover; many SMB or legacy LPR channels do not. Browser tabs that mix public JS CDNs with local API calls look fine until a single XHR target resolves fake and then dead-ends through an overseas node that drops RFC1918 on policy grounds—exactly the timeout users interpret as “Wi-Fi is fine but this one device hates me.”
Separately, even when DNS is correct, a later GEOIP or broad MATCH line can still yank the flow into a remote hop if you never taught the policy engine that private destinations are sacrosanct local. Dual failure modes (bad DNS illusion plus wrong proxy selection) explain why patching only one knob leaves half the symptom behind. Treat both layers.
For the architecture of Fake-IP versus routing order, skim Clash YAML: routing rules, proxy groups, and Fake-IP—that article spans general theory while this walkthrough concentrates on unreachable LAN appliances.
Layer 1 — expand fake-ip-filter thoughtfully
The first corrective surface is fake-ip-filter under your DNS stanza (exact key spelling follows your fork; Meta-family cores converge on these semantics). Entries here exempt matching queries from synthetic answers so LAN clients receive real records again. That preserves discovery for host names you actually own on the LAN and for common multicast-DNS-ish suffix guesses.
Start with deterministic private-scope tokens rather than ad hoc domain guessing. Patterns such as *.lan, *.home.arpa (modern local naming encouragement), device-specific suffixes (*.localdomain if your DHCP hands it out), plus vendor quirks like chained NAS names all belong in conversation with what your DHCP/DNS infrastructure actually emits. Blindly cloning mega-lists from the internet slows resolver work and still misses your bespoke hostname—keep the list purposeful.
Many maintained rule bundles ship a PRIVATE or LAN-oriented geosite or rule-provider set; where your core exposes domain collections inside fake-ip-filter (rather than strictly in downstream rules), prefer curated imports over hand typing hundreds of brittle tokens. Rotate imports on the same hygiene schedule as your GEOIP datasets so stale static entries do not haunt you six months later.
dns:
enable: true
ipv6: false
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/15
fake-ip-filter:
- '*.lan'
- '*.local'
- '+.localdomain'
- 'time.*.apple.com'Append lines that correspond to routers, NAS vendor helper domains only if telemetry proves they interfere; do not treat public vendor cloud relay domains identically—they may legitimately deserve Fake-IP for policy reasons. Separate local discovery from outbound vendor APIs mentally before you blacklist entire brand zones from Fake-IP.
Layer 2 — pin RFC1918 with IP-CIDR,DIRECT,no-resolve
DNS honesty alone fails when software connects straight to dotted quads—or when stale fake answers were cached locally before you patched YAML. Cement policy with unconditional private routing directives near the head of your rules queue (below only the narrowest prerequisites your profile already uses for QUIC or internal controller traffic). This is the heart of the “LAN CIDR rules” fix users search for alongside Clash Fake-IP keywords.
rules:
- IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
- IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
- IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
- IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
- IP-CIDR,169.254.0.0/16,DIRECT,no-resolve
- IP-CIDR,224.0.0.0/4,DIRECT,no-resolve
- IP-CIDR,240.0.0.0/4,DIRECT,no-resolveThe no-resolve flag matters: it stops the engine from performing a fresh DNS lookup solely to satisfy the rule, which side-steps circular Fake-IP interactions when you already know the packet target is literally private. If you omit it on some cores, certain edge cases reintroduce latency or odd resolver recursion while still eventually landing on DIRECT—your logs should confirm you are not thrashing.
Users on exotic lab networks or carrier-grade NAT dual-stack islands may need additional literals (for example unique site-local experiments). Keep comments in your local override file—HTML comments are invalid in YAML, so track rationale in version control commit messages or adjacent README snippets instead of pretending YAML parsers enjoy essay blocks.
If you purposely route subsets of RFC1918 through an internal corporate forward proxy, replace blanket DIRECT blocks with narrower CIDR ranges that reflect your LAN only (for example single 192.168.88.0/24) and escalate the remainder through policy intentionally. Blind global DIRECT is the home-user default—not the zero-trust office default.
Rule order discipline: GEOIP and MATCH must arrive after locality
Profiles generated from converters often splice a triumphant final MATCH line pointing at GLOBAL or a similar catch-all aggregator. Anything placed below your private CIDR safeguards effectively never runs. Audit from top downward as if evaluating a firewall: printers and NAS hops should be adjudicated within the first handful of meaningful lines—not after a continent heuristic mislabels ambiguous routes.
When you integrate RULE-SET or GEOSITE imports, insert private baseline entries before those imports unless the provider documented safe internal precedence (rare). A practical mental model: deterministic literal IP cages first, granular domain carve-outs second, GEOIP/third-party conglomerates third, terminal MATCH last.
Router pages, HTTPS admin portals, captive portals
Router GUIs confuse people because plaintext IP literals sometimes “just work” while captive DNS names spiral. Combined fixes—fake-ip-filter for whichever dynamic DNS the vendor injects plus IP-CIDR safeguards for RFC1918—restore both paths. HTTPS certificate warnings remain independent: Clash breaking trust is unrelated to Fake-IP; do not chase proxy toggles when the browser already complains about self-signed gateways.
Guest VLANs or ISP Wi-Fi hotspots add another twist: captive portals deliberately hijack DNS. Temporarily disabling system proxy overlay or carving an explicit DOMAIN rule for the portal domain often precedes YAML tuning. When in doubt on the road, isolate whether the breakage reproduces exclusively on hostile networks versus your benign home LAN before editing production profiles.
Printers, AirPrint queues, SMB, and NAS vendor stacks
Network printers routinely mix multicast advertisements (which Clash seldom governs cleanly in pure system-proxy mode) with late-stage HTTP uploads to deterministic port 9100 or IPP URIs. If IPP resolves through Fake-IP incorrectly, queues stall after the driver silently retries. Applying this article’s DNS exemptions plus deterministic private routing restores most consumer inkjets and lasers without hunting per-model quirks.
NAS devices—Synology, QNAP, TrueNAS, ASUSTOR—often expose simultaneous Web UI endpoints, AFP/SMB, iSCSI helpers, mobile relay domains, and push-notification cloud callbacks. Isolate whether your failure attaches to LAN web access (fixed by local DNS + RFC1918 cages) versus remote relay through vendor clouds (might require contradictory outbound policy). Tunnel-only users should remember TUN overlays can reshuffle binding order on some operating systems; if symptoms persist after pristine YAML edits, revisit interface binding and exclusions for local bridges.
For file shares, verifying that name resolution bypasses Fake-IP is only half of the SMB story: authenticated sessions may still stumble if outdated credentials were cached against the wrong previous IP allocation from DHCP reassignment unrelated to Clash—flush credential managers when you reshuffle subnets so you do not falsely blame YAML.
Mobile proxies that share desktop Clash via LAN HTTP proxy still inherit Fake-IP semantics from the desktop core. Patch once on the machine running the tunnel; do not mirror redundant DNS layers on the handset unless you understand split-horizon recursion.
TUN mode, interface binding, and double-NAT footguns
TUN capture widens the blast radius: everything system-wide shares the same resolver pipeline unless per-app carve-outs exist. That is why Fake-IP regressions feel harsher under TUN than under a single browser pointed at a PAC file. If you cannot stabilize quickly, a temporary fallback is switching DNS mode to redir-host for diagnostic comparison only—confirm whether the LAN suddenly resurrects. If it does, you have proven Fake-IP interaction rather than raw routing collapse, and you can return to Fake-IP after tightening filters.
Double-NAT home labs (ISP router behind your mesh) sometimes relocate NAS or printer subnets to unexpected private islands. Your CIDR include list must match the real topology, not the cartoon diagram on the box. Traceroute or simple ip route outputs on the client reveal which interface actually carries the hop; align DIRECT ranges with that interface’s destination space.
Verify without superstition: logs, nslookup, and counters
After editing YAML, restart the core deliberately—hot reload occasionally leaves DNS cache warm enough to mask improvements. On Windows, macOS, or Linux test hosts, run nslookup nas.lan (replace with your hostname) while Clash runs and confirm the answer is a real private address, not a 198.18.x.x style placeholder from your configured fake range. If it still returns synthetic space, your fake-ip-filter pattern does not match; iterate patterns instead of toggling random GUI switches.
Watch the core log for policy lines showing an unexpected proxy group on a destination you know is local. If IP-CIDR lines never trigger, you likely placed them too low or fat-fingered CIDR boundaries. If they trigger yet traffic still fails, suspect local firewalling, AP isolation, or SMB signing policy—not Clash.
When to consider redir-host or mixed-mode DNS instead
Some homelab operators run dense lists of multicast names, Plex split-DNS fantasies, and IoT blobs that fight Fake-IP constantly. Migrating resolver strategy to redir-host (or bifurcating DNS listeners between children and adults on the LAN) trades a little latency for brute simplicity. That is acceptable engineering if operational calm matters more than synthetic benchmark wins.
Enterprise teams might instead deploy a recursion server on VLAN X while clients on VLAN Y consume Fake-IP through Clash—architectural separation beats thousand-line exemptions. Household readers rarely need that; they need clean RFC cages and restrained filter growth.
Beyond YAML, grounding yourself in upstream concepts helps: RFC1918 documents private addressing intent; aligning your mental map with standards language makes searching logs and chatting with ISP support less painful even though Clash is not an ISP topic per se.
Closing thoughts
NAS, printer, and router endpoints fail under Clash Fake-IP for understandable reasons—not gremlins. Teaching fake-ip-filter which names deserve honest answers and backing that with deterministic RFC1918 IP-CIDR cages ordered ahead of GEOIP restores the ergonomics Fake-IP otherwise steals from home networks. Maintain both layers; half measures waste evenings.
For broader navigation of rule providers, GEOIP merges, or proxy chaining, revisit the comprehensive YAML routing guide and operational notes in the documentation hub. Stable cores and reproducible installers matter as much as policy text—prefer signed builds from the official download page when you consolidate fixes. Compared with brittle one-off tweaks in anonymous forum threads, a disciplined LAN baseline keeps peripherals boringly reliable again. → Download Clash for free and experience the difference.