Why do you need rule-based routing?
Traditional VPNs or "Global Proxy" methods send all traffic through the tunnel. The result: domestic sites take a detour, latency spikes, and proxy data is wasted. The core advantage of Clash clients (based on the Mihomo kernel) is exactly this: Rule-based Routing, which determines for each packet whether it goes Direct (DIRECT) or through a Proxy (PROXY).
Ideally: Chinese sites like Bilibili or bank apps go direct, while YouTube, Google, and ChatGPT go through the proxy; local NAS and printers always stay direct. This ensures overseas access is smooth while domestic experience remains at native speeds. This post builds your knowledge from syntax and types to RULE-SETs and real-world config.
How Rules Match: Top-to-Bottom, First Match Wins
The rules field in Clash is an ordered list. Every connection is compared starting from the very first rule. Once a match is found, the corresponding action (direct, reject, or forward to a group) is taken, and no further rules are checked.
Therefore, order is critical: specific, high-priority rules go at the top; broad catch-alls (like GEOIP,CN,DIRECT and MATCH,PROXY) go at the end. Airport links are usually pre-sorted; advanced users use Overrides (Merge) to prepend or append custom entries.
rules:
- DOMAIN-SUFFIX,local,DIRECT # LAN Direct
- IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
- IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
- RULE-SET,cn,DIRECT # Rule Set: Domestic Direct
- RULE-SET,gfw,PROXY # Rule Set: Blocked Sites via Proxy
- GEOIP,CN,DIRECT # China IP Fallback Direct
- MATCH,PROXY # Catch-all: All others via Proxy
Common Rule Types Explained
Mihomo supports several rule types. Understanding their matching scope is the foundation of good routing logic.
| Rule Type | Syntax Example | Matching Logic |
|---|---|---|
| DOMAIN | DOMAIN,google.com,PROXY | Exact full domain match |
| DOMAIN-SUFFIX | DOMAIN-SUFFIX,google.com,PROXY | Domain suffix match (includes all subdomains) |
| DOMAIN-KEYWORD | DOMAIN-KEYWORD,google,PROXY | Matches if domain contains the keyword (use with caution) |
| IP-CIDR | IP-CIDR,192.168.0.0/16,DIRECT,no-resolve | Matches a target IP range; no-resolve means skip DNS resolution |
| GEOIP | GEOIP,CN,DIRECT | Determines IP country/region via GeoIP database |
| RULE-SET | RULE-SET,cn,DIRECT | References an external rule set (batch domain/IP list) |
| MATCH | MATCH,PROXY | Catch-all rule, MUST be the last entry |
Choosing between DOMAIN and DOMAIN-SUFFIX
When adding a single site, prefer DOMAIN-SUFFIX: for example, DOMAIN-SUFFIX,github.com,PROXY will match github.com, api.github.com, raw.githubusercontent.com and all other subdomains. Use DOMAIN.
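The top-to-bottom, first-match-wins evaluation and the scope of each rule type can be checked with a small model. This is an added example, not code from Mihomo or from the original post; the rule list, the FALLBACK target name and the hostnames are constructed, and GEOIP and RULE-SET are left out because they need external data.

```python
import ipaddress

# Constructed rule list in the page's syntax (not taken from a real subscription).
RULES = [
    "DOMAIN,login.example.com,DIRECT",
    "DOMAIN-SUFFIX,github.com,PROXY",
    "DOMAIN-KEYWORD,google,PROXY",
    "IP-CIDR,192.168.0.0/16,DIRECT,no-resolve",
    "MATCH,FALLBACK",
]

def parse_rule(line):
    """Split 'TYPE,payload,target[,option]'; MATCH carries no payload."""
    parts = [p.strip() for p in line.split("#")[0].split(",")]
    if parts[0] == "MATCH":
        return ("MATCH", None, parts[1])
    return (parts[0], parts[1], parts[2])

def rule_matches(kind, payload, host, ip):
    """Model of one rule's matching scope, as described in the table above."""
    if kind == "MATCH":
        return True
    if kind == "DOMAIN":
        return host == payload
    if kind == "DOMAIN-SUFFIX":
        # Label boundary: github.com covers api.github.com but not notgithub.com.
        return host == payload or (host or "").endswith("." + payload)
    if kind == "DOMAIN-KEYWORD":
        # Plain substring test, which is why the table says "use with caution".
        return payload in (host or "")
    if kind == "IP-CIDR":
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(payload)
    return False  # GEOIP / RULE-SET are not modelled in this sketch

def route(rules, host=None, ip=None):
    """Return (target, matching_rule); evaluation stops at the first match."""
    host = host.lower() if host else None
    for line in rules:
        kind, payload, target = parse_rule(line)
        if rule_matches(kind, payload, host, ip):
            return target, line
    return None, None
```

Moving the MATCH line to the top of RULES makes every lookup return FALLBACK, which is the ordering failure the section warns about.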
IP-CIDR and LAN Direct
When using TUN mode, ensure your rules include private network ranges for local device access (NAS, printers):
- IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
- IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
- IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
- IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
MATCH catch-all. Premium subscriptions usually have these; if not, add them via overrides.
GEOIP and Domestic Direct
GEOIP,CN,DIRECT is the classic "Domestic Direct" fallback: when an IP is identified as being in mainland China, it bypasses the proxy. Combined with domain rule sets, this covers almost all domestic scenarios.
Note: GeoIP is based on IP location, not domain name. Some CDNs might resolve an overseas domain to a domestic IP, causing unintended direct connection. If a specific site fails, use DOMAIN-SUFFIX to explicitly set a proxy group.
RULE-SET: Managing Large Domain Lists
Manually maintaining thousands of domains is impossible. Mihomo's RULE-SET allows referencing external files (hosted on GitHub or CDNs) to load entire lists at once. You must declare rule-providers first, then use them in the rules section.
rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400
  gfw:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400
  cn:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cn.txt"
    path: ./ruleset/cn.yaml
    interval: 86400
rules:
  - RULE-SET,reject,REJECT
  - RULE-SET,gfw,PROXY
  - RULE-SET,cn,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,PROXY
The common community Loyalsoldier/clash-rules lists categorize domains into cn (domestic), gfw (blocked), and reject (ad-blocking) categories. These are highly compatible with Mihomo. Most airport links already include these.
interval controls the auto-update frequency (in seconds). Setting it to 86400 means once per day, keeping your GFW lists current. For offline environments, use type: file to point to a local file.
Policy Groups: The Bridge Between Rules and Nodes
The third column in a rules list (e.g., PROXY, DIRECT, REJECT) can be a Built-in Action or a Policy Group Name. Policy Groups (proxy-groups) determine "which node or nodes are used when proxying."
- select: Manually select a node; ideal for your main selection group.
- url-test: Auto-selects the fastest node based on latency; ideal for "Auto Select" groups.
- fallback: Tries nodes in order; switches to the next if the primary fails.
- load-balance: Distributes connection load across multiple nodes.
The PROXY in the rule RULE-SET,gfw,PROXY usually points to a group named "PROXY" or "Select Node," not a single server. You can switch nodes within that group in the app without changing your config file.
Combining DNS with Routing
Rule matching happens after DNS resolution (or directly for IP rules). Mihomo often uses fake-ip mode: assigning a fake IP to a domain and resolving the real target at connection time. This speeds up rule checks and reduces DNS leakage. If a site fails, try changing dns.enhanced-mode to redir-host, or specify a nameserver.
Routing and DNS affect each other: for instance, GEOIP,CN,DIRECT needs the correct IP to work. If DNS is poisoned, domestic sites might be proxied. Use dns.fake-ip-filter to exclude local domains or nameserver-policy to specify DoH/DoT for certain suffixes.
Override Config: Fine-Tuning Rules Without Changing Subscriptions
Airport links are usually read-only, but Clash Verge Rev supports Overrides (Merge): overlay local snippets to add rules that won't be overwritten on sync.
Prepend a Single Domain to a Proxy Group
prepend-rules:
- DOMAIN-SUFFIX,example.com,PROXY
- DOMAIN-SUFFIX,blocked-site.org,PROXY
prepend-rules inserts the rules at the very top of the list, taking precedence over airport rules. Similarly, to force a domestic site to stay direct, add DOMAIN-SUFFIX,xxx.com,DIRECT under prepend-rules.
Add LAN and Custom Direct Bypasses
prepend-rules:
- DOMAIN-SUFFIX,nas.home,DIRECT
- IP-CIDR,192.168.1.0/24,DIRECT,no-resolve
Recommended Routing Structure (Best Practices)
Based on community experience, a speed-and-maintenance balanced rule order looks like this:
- LAN and Local Domains → DIRECT
- Ad/Tracking Domains → REJECT (Optional)
- Dedicated groups for streaming/gaming (if provided)
- Blocked sites rule set → Main proxy group
- Domestic domain rule set → DIRECT
- GEOIP,CN,DIRECT
- MATCH,PROXY or MATCH,Auto Select
We don't recommend using MATCH,DIRECT as a default fallback—unmatched international sites will try to connect directly, which usually fails. Most templates use MATCH,PROXY for better reliability.
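The ordering advice above, together with the private-range list from the LAN section, can be turned into a check that runs over a rules list before it is deployed. This is an added example, not part of the original post or of any Clash client; the function name lint_rules and the sample list are constructed, and the private-range check looks only at IP-CIDR rules that target DIRECT.

```python
import ipaddress

# Private ranges the page lists for LAN bypass in TUN mode.
PRIVATE = ["127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]

def lint_rules(rules):
    """Return (index, message) findings for an ordered rules list."""
    findings = []
    parsed = [[p.strip() for p in r.split("#")[0].split(",")] for r in rules]
    match_at = next((i for i, p in enumerate(parsed) if p[0] == "MATCH"), None)

    if match_at is None:
        findings.append((len(rules), "no MATCH catch-all at the end"))
    else:
        if parsed[match_at][1] == "DIRECT":
            findings.append((match_at, "MATCH,DIRECT sends unmatched traffic direct"))
        for i in range(match_at + 1, len(rules)):
            findings.append((i, "unreachable: placed after MATCH"))

    # Only rules ahead of MATCH can ever fire.
    live = parsed if match_at is None else parsed[:match_at]
    direct_nets = [ipaddress.ip_network(p[1], strict=False) for p in live
                   if p[0] == "IP-CIDR" and p[2] == "DIRECT"]
    for cidr in PRIVATE:
        net = ipaddress.ip_network(cidr)
        covered = any(d.version == net.version and net.subnet_of(d)
                      for d in direct_nets)
        if not covered:
            findings.append((None, f"private range {cidr} has no DIRECT rule"))

    for i, p in enumerate(live):
        if p[0] == "DOMAIN-KEYWORD":
            findings.append((i, f"DOMAIN-KEYWORD,{p[1]} matches any host containing it"))
    return findings

# Constructed sample: a catch-all placed too early and an incomplete LAN bypass.
SAMPLE = [
    "IP-CIDR,192.168.0.0/16,DIRECT,no-resolve",
    "DOMAIN-KEYWORD,google,PROXY",
    "MATCH,DIRECT",
    "IP-CIDR,10.0.0.0/8,DIRECT,no-resolve",
]

if __name__ == "__main__":
    for idx, msg in lint_rules(SAMPLE):
        print(idx, msg)
```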
Debugging: How to Confirm Rules are Working
- In your client, open the "Connections" or "Logs" page, visit a target site, and watch the real-time match results.
- If it shows DIRECT but you expected a proxy, check if the domain is pre-matched by a cn rule set or GEOIP,CN rule.
- Temporarily switch to Global Mode: if sites work in Global but fail in Rule, the domain is missing from your lists. Add it via DOMAIN-SUFFIX.
- Use nslookup or online DNS tools to confirm if the resolved IP matches GeoIP expectations.
FAQs
Difference between Rule Mode and Global Mode?
Rule Mode splits traffic according to the rules list (direct for domestic, proxy for international) and is recommended for daily use. Global Mode routes all traffic (except LAN bypasses) through the proxy, best for troubleshooting or reaching sites not in standard lists.
Why are domestic sites like Bilibili slow?
Ensure outbound mode is "Rule." Check the Connections page to see if domestic sites are using the DIRECT rule. If they are showing PROXY, your CN rule set might not be loading, or DNS is resolving to an overseas IP. Add an explicit override, DOMAIN-SUFFIX,bilibili.com,DIRECT, to force them to direct.
What if RULE-SET updates fail?
Rule set URLs must be reachable (some CDNs are unstable in certain regions). You can change to a mirror URL, use a type: file local copy, or have rule sets "baked-in" during subscription conversion. See our upcoming "Subscription Conversion" guides.
Can I use GEOIP without RULE-SET?
Yes, but the experience is inferior: GeoIP cannot handle complex cases where an overseas domain resolves to a domestic CDN IP. The RULE-SET + GEOIP combination is far more precise and is the industry standard.
With rule-based routing, Clash truly delivers on its "on-demand routing" value: native domestic speeds, reliable international access, and controlled privacy. If you want ready-to-use templates, visit our Download Page to get clients with pre-integrated Mihomo rule systems, saving you the time of manual YAML editing.