透明代理Full Cone NAT失效

[ttc0419]

完整性要求

• 我保证阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值。
• 我提供了完整的配置文件和日志，而不是出于自己的判断只给出截取的部分。
• 我搜索了 issues, 没有发现已提出的类似问题。
• 问题在 Release 最新的版本上可以成功复现

描述

25.8.3透明代理Full Cone NAT失效

重现方式

% stunclient --mode full stun.hot-chilli.net
Binding test: success
Local address: 192.168.54.5:57726
Mapped address: server:51283
Behavior test: success
Nat behavior: Endpoint Independent Mapping
Filtering test: success
Nat filtering: Address and Port Dependent Filtering

客户端配置

Details

{
  "log": {
    "access": "none",
    "error": "/tmp/xe.log",
    "logLevel": "warning",
    "dnsLog": true
  },
  "inbounds": [
    {
      "tag": "tp",
      "port": 5419,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "tp"
        ],
        "port": 53,
        "outboundTag": "dns-out"
      }
    ]
  },
  "dns": {
    "queryStrategy": "UseIPv4",
    "servers": [
      "8.8.8.8",
      {
        "address": "180.184.2.2",
        "port": 53,
        "domains": [
          "geosite:cn"
        ],
        "expectIPs": [
          "geoip:cn"
        ]
      }
    ]
  },
  "outbounds": [
    {
      "tag": "hk",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "server",
            "port": 443,
            "users": [
              {
                "id": "uuid",
                "encryption": "none",
                "flow": "xtls-rprx-vision-udp443"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "fingerprint": "safari",
          "serverName": "server"
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom"
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "settings": {
        "nonIPQuery": "skip"
      }
    }
  ]
}

服务端配置

Details

{
	"log": {
		"access": "none",
		"loglevel": "warning"
	},
	"policy": {
		"levels": {
			"0": {"connIdle": 75}
		}
	},
	"inbounds": [{
		"listen": "0.0.0.0",
		"port": 443,
		"protocol": "vless",
		"settings": {
			"clients": [{
				"id": "uuid",
				"flow": "xtls-rprx-vision"
			}],
			"decryption": "none",
			"fallbacks": [{"dest": "/run/nginx.sock"}]
		},
		"streamSettings": {
			"network": "tcp",
			"security": "tls",
			"tlsSettings": {
				"certificates": [{
					"certificateFile": "/usr/share/xray/cert.pem",
					"keyFile": "/usr/share/xray/key.pem"
				}]
			}
		},
		"sniffing": {
			"enabled": true,
			"destOverride": ["http", "tls"]
		}
	}],
	"outbounds": [{
		"protocol": "freedom",
		"tag": "direct"
	}, {
		"protocol": "socks",
		"tag": "proxy",
		"settings": {
			"servers": [{
				"address": "server",
				"port": 1080
			}]
		}
	}, {
		"protocol": "blackhole",
		"tag": "block"
	}]
}

客户端日志

Details

N/A

服务端日志

Details

N/A

[Fangliding]

#4816 #4942

[patterniha]

First, it doesn't use fakeDNS and my changes does not affect IP at all.

Second, in it's Reproduction method, why all tests are success !

Please send the full client/server log and describe the problem in detail.
also, test without vision-flow.

[KobeArthurScofield]

Mapping Behavor Endpoint Independent 没有问题

检查一下服务器防火墙/安全组有没有放行 UDP 高位端口入站

[ttc0419]

Mapping Behavor Endpoint Independent 没有问题

检查一下服务器防火墙/安全组有没有放行 UDP 高位端口入站

确实是这个原因，打扰了

[patterniha]

Thx @KobeArthurScofield.

[RPRX]

#4816 #4942

第二个 PR 我看过，修复后整个代码逻辑是没问题的

25.8.3透明代理Full Cone NAT失效

我不行了，这描述得好像是新版才有的问题，与在群里引用新版版本号说一句 panic 结果是旧功能有异曲同工之妙