Network Guide Featured Tags: Clash IPv6 Mihomo split routing DNS

Clash IPv6 Causing Slow China Sites or Leaks?Interface and Rules Fix Guide

Turning on IPv6 at the operating-system or ISP level does not magically double your throughput—it adds a parallel path that modern stacks prefer under specific conditions. When you layer Clash or Mihomo on top, symptoms often split two ways: domestic mainland sites suddenly feel sluggish despite a glowing “connected” badge, or online testers claim your traffic egresses via the proxy—or appears “odd” under dual-stack—even though IPv4 rules looked airtight. Neither pattern proves a “bad subscription” immediately. Instead, reconcile interface binding, DNS/fake-ip, and rule coverage so that IPv6 prefixes are not routed like mystery meat. This workflow complements our IPv4 GEOIP-CN playbook for sluggish Chinese properties (slow Chinese sites GEOIP bypass) but targets the specifics of dual-stack.

Approx. 24 min read
Clash Editorial
Table of Contents

1. Mental model: IPv6 is parallel plumbing, not bolt-on turbo

Most users enable IPv6 because textbooks promise lower NAT pain and richer addresses. Reality on consumer links is dirtier: you may inherit SLAAC prefixes, PD (prefix delegation) subnets, temporary privacy addresses, or university-style 6in4 tunnels—each attaches to a discrete interface metric the kernel selects independently for each destination. Meanwhile Mihomo inherits whatever tun stack or dial proxy path your GUI configures. Misalignment emerges when browsers prefer AAAA answers for a CDN that surfaces both address families yet your policy engine only contains IPv4 GEOIP-style shortcuts. The fix is seldom “another node”; it is to make IPv6-visible traffic legible inside the YAML you actually run.

Think in three layers simultaneously: (A) what the NIC advertises outward, (B) what DNS returns (A versus AAAA and in which order Happy Eyeballs probes them), and (C) which rule bucket Mihomo attaches to matched flows after Sniffer or classifier metadata resolves. Failures hop between those layers—you cannot solve them only by rewriting RULESET entries if AAAA probes never touch the core.

Tip: Read the configuration primer on your fork so terminology lines up: redir-host versus fake-ip, sniff toggles, and how your build handles tun inet6 forwarding—GUI labels differ, kernels do not negotiate with marketing copy.

2. Triage: sluggish domestic sites versus “proxy egress” chatter

Use two independent questions before tweaking YAML.

  • Throughput: If domestic portals, education CDNs, or payment gateways suddenly crawl while foreign SaaS behaves “fine,” inspect whether those hosts prefer IPv6 CDN paths inside China that your policy mistakenly labels as offshore. Sometimes the converse happens: mainland sites become fast only after disabling TUN inet6 capture because the ISP’s native route is shortest but your outbound policy hairpins through a congested egress.
  • Tester feedback: Community websites that print “detected VPN” seldom distinguish between presentation DNS weirdness, WebRTC quirks, and actual TCP exit IP—see our dedicated guides on fake-ip and DNS anomalies and WebRTC leakage before you blame IPv6 outright.

Once you categorize the symptom, gather raw facts: toggle OS-level IPv6 disable temporarily (wired tests only!) to see if latency disappears, export connection traces from the Mihomo debugger, and watch whether affected domains resolve simultaneously to overlapping CNAME clusters that map to both domestic and offshore edges—common with global CDNs reused by multinational brands serving China audiences.

3. Interfaces, route metrics, and explicit binding

Binding answers the question “which NIC does this dial leave from?” Older tutorials assume a single ethernet adapter named something friendly; dual-stack rigs often shuffle multiple candidates: Wi-Fi plus USB tether, Thunderbolt bridging, or VLAN tags on corporate desktops. Mihomo forks expose fields such as interface-name or per-proxy routing-mark pairs—consult your exact schema because keyword drift breaks silently.

Operational sequence:

  1. Inventory interfaces with OS tools (ip -6 addr on Linux, ifconfig/Get-NetIPAddress -AddressFamily IPv6 on Windows/macOS equivalents). Identify which prefixes are ULA (fd00::/8), global, or link-local scoped.
  2. Inspect route priority for default gateways: if two defaults exist across families, asymmetric paths become normal—not a bug—but your rule engine must classify both unless you purposely disable inet6 traversal.
  3. Mirror any per-proxy bind-interface constraints with YAML reality—typos here send traffic out the tether interface while GEOIP guessed from the LAN stack; testers then claim “dual-stack inconsistency.”
  4. For WSL, containers, or Android tethering echoes, reconcile with bridging articles where localhost splits exist; pathologies overlap IPv4 but IPv6 multiplies multicast and neighbor-discovery weirdness.

Clients that auto-add firewall exemptions per interface occasionally deny the virtual adapter but allow physical NIC sockets—mirror the allowances symmetrically whenever you adjust stack selection.

4. Resolver behavior: Happy Eyeballs, fake-ip alignment, DHCPv6

DNS is not passive text; it steers concurrency. Chromium-class browsers initiate parallel TCP attempts once they receive overlapping AAAA/A records—“Happy Eyeballs” races whichever handshake completes sooner. When Mihomo injects staged answers (fake-ip pools) inconsistently across address families or your dhcpcd pushes an ISP resolver that ignores split queries, throughput oscillates wildly on properties that silently prefer IPv6 for certain asset URLs.

Structured checks:

  • Confirm resolver mode is unified: mismatched configs where DoH listens on port 443 while systemd still ships router-recursive queries produce split-brain diagnoses that look IPv6-exclusive but originate from mixed stacks.
  • Validate domestic domain lists feeding fake-ip-filter or direct exceptions—anything missing causes synthetic addresses that route through proxy groups unnecessarily; expansions behave differently when sniffing peels encrypted SNI but IPv6 literals bypass symbolic mapping.
  • When running tun.dns-hijack equivalents, capture whether ICMPv6 NDP chatter competes—some campus networks filter neighbor discovery oddly; clients fall back timers make pages “randomly stall.” Log correlation—not guessing—shows this.
  • Portable hotspot users: Android issues per-subscription prefix lifetimes toggling mid-session; the OS rotates privacy addresses quicker than desktops. If Mihomo binds to stale interface references, intermittent stalls appear localized to HTTPS sites that reopened connections.
Warning: Turning off IPv6 blindly on production laptops may violate corporate handset compliance; prefer targeted rule fixes or profile-specific toggles documented by your GUIs instead of nuking inet6 globally without change control.

5. Rule coverage beyond IPv4 GEOIP,CN

Many imported profiles stop at shorthand like GEOIP,CN,DIRECT. That heuristic depends on embedding databases tagging IP ranges—including IPv6—as China-resident assets. Older bundles ship outdated GeoLite-style feeds with sparse IPv6 coverage; mislabels push domestic IPv6 egress into proxies, multiplying RTT unnecessarily. Updating mmdb rule providers periodically is foundational—a theme shared with mainland slow-site guides but worth repeating lest IPv6 appear “haunted.”

Layer explicit IP-CIDR6 or provider-driven RULESET shards for hyperscale infrastructure you know participates in sovereign regions: authoritative documentation from cloud vendors enumerates aggregator prefixes albeit they shift quarterly. Maintain ordered placement: narrower prefix rules above broad MATCH catchalls; duplicate logic for counterpart IPv4 subnets when symmetrical behavior matters.

Protocol nuance matters: QUIC over UDP leverages IPv6 more aggressively once HTTP/3 negotiates—a policy that only keyed RULE-SET,PROTOCOL heuristics for TCP may inadvertently leave UDP sessions on unintended paths unless you audit PROCESS-NAME or sniff metadata coverage for those flows.

Finally, annotate policy groups thoughtfully: renaming PROXY-CHINA-TUNNEL versus DIRECT-CHINA-V6 clarifies auditing after midnight debugging sessions—you will thank older you when diffing snapshots.

6. TUN mode, system proxy mixes, Mihomo knobs

In TUN mode, the virtual adapter participates in inet6 forwarding when enabled. Common friction points:

  • STACK selection (kernel versus userspace)—some combos historically mishandled fragmentation on IPv6; upgrade cores before diagnosing remote networks.
  • Exclude packages or route exclude lists that only specify IPv4 CIDR remnants—traffic leaks around intended splits because inet6 equivalents never matched.
  • Simultaneous Mixed inbound plus TUN layering may duplicate dial attempts if leftover system proxy pointers exist—purge stale PAC entries.

Where applicable, Mihomo-derived builds expose granular inet4 vs inet6 sniff toggles—use sparingly yet deliberately during controlled tests to pinpoint whether classification breaks only on IPv6 literals. Rolling back to baseline after isolating regressions avoids permanent half-configured profiles.

Cross-reference Clash TUN routing on Windows whenever route-table injection collides—the IPv6 saga extends the same playbook with additional default-route contention across families.

7. Interpreting “leaks” testers under dual-stack thoughtfully

Public leak pages mix transport layers: some issue WebRTC canvases unrelated to Mihomo egress, others resolve DNS through whichever resolver your browser favors when testing—often not identical to Mihomo tunnels if split-DNS overlays exist.

  • Separate ICMP-based traceroute widgets from application-layer SOCKS tests; they illuminate different choke points.
  • Watch for testers that query only A records while your live session prioritized AAAA; apparent contradictions dissolve once you unify resolution paths.
  • Privacy browsers that randomize local addresses may display shifting outputs each refresh—those are cryptographic mitigations—not necessarily proxy breakage.

Document expected outcomes alongside your lawful use policy—this article presumes ethically authorized testing on networks where you administer devices.

8. Symptom cheat sheet

What you notice Check first
Domestic CDN sites lag only via browser AAAA preference, Happy Eyeballs timing, GEOIP-CN IPv6 DB freshness, QUIC UDP policy coverage
Tester shows proxy egress on IPv6 Ordered rules for IP-CIDR6; compare against updated mmdb; sniff metadata alignment
Random stalls on Wi-Fi hotspots Privacy address rotations; refresh interface bindings after reconnect; evaluate DHCP lifetime toggles
Issue vanishes disabling TUN inet6 Tunnel stack quirks; fragmentation; exclude lists missing inet6 equivalents; routing metrics
DNS-heavy symptoms Unify resolver across browser vs core; tighten fake-ip-filter lists (diagnostic checklist)

Preserve structured notes each time IPv6 regressions recur—carrier behavior mutates quarterly; spreadsheets beat chat logs.

9. Summary

Dual-stack deployments reward patience: slowing China-facing properties after enabling IPv6 usually signals misaligned GEO classification, QUIC policy holes, or binding drift—not magical interference. Online “proxy leak” panic often overlaps DNS choreography and WebRTC rather than sinister IPv6 phantoms. Walk the layered checklist—interfaces and metrics first, resolver second, granular rules third—while keeping Mihomo kernels current so stack bugs do not masquerade as configuration debt.

Compared with glossy one-click VPN brochures, disciplined Mihomo operators collect reproducible telemetry: logs annotate policy hits, traceroutes justify route choices, and YAML diffs document intent. Maintain signed installers from authoritative channels so your debugging session does not end in binary supply-chain doubt.

After you tame IPv6, snapshot the working YAML, note binder names, resolver endpoints, and mmdb timestamps so the next ISP prefix rotation becomes a scripted refresh rather than a weekend mystery.

Download Clash for free and experience the difference