1. Symptoms that suggest domestic mis-routing
Most people describe the problem the same way: foreign sites feel fine or better, while a subset of Chinese destinations regresses. Typical complaints include product search pages that never finish painting, bank transfers that stall at “security verification,” government sites that loop on login, or campus portals that suddenly report TLS errors. Latency to those hosts may jump from tens of milliseconds to hundreds because packets detour through an overseas relay, and some domestic anti-fraud stacks treat that path as suspicious.
The underlying mechanism is simple to state even when the YAML looks intimidating: Clash routes each flow to a policy (for example DIRECT, a subscription selector, or a url-test group) based on the first rule that matches. If your profile was written for “everything goes to PROXY unless I list a few exceptions,” domestic destinations inherit the same outbound as YouTube unless you carve them out explicitly. Subscription bundles from providers sometimes ship that pattern because they assume users only care about unblocking; they are a poor default when you still live and work on the mainland network daily.
Before you edit rules, separate this scenario from the fake-ip compatibility class—blank tabs and certificate warnings on isolated domains—covered in our fake-ip and DNS troubleshooting guide. Here the pain is usually geography and policy: the connection succeeds but takes the wrong exit. Both issues can coexist; if symptoms narrow to a handful of hostnames across many networks, peek at fake-ip first. If most .cn or mainland CDNs feel slow whenever the tunnel is active, keep reading.
2. Confirm traffic is hitting a proxy
Do not guess from “it feels laggy.” Spend five minutes collecting evidence so the next edits target the real failure mode.
Use connection logs and rule hit indicators
Modern Clash-family cores (including Mihomo / Meta-class builds) expose a live connection list or log lines that show which rule matched and which outbound was chosen. Open the panel, reproduce the slow page load, and read the row for the tab’s destination IP or hostname. If the outbound is a remote node name while you intended local breakout, you have confirmed a policy bug, not an ISP outage.
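The log check described above can be scripted. This is an added example, not code from the original article or from the Clash/Mihomo project: the line shape (`src --> dst match Rule(payload) using Outbound`) is an assumption modelled on info-level connection logs, the sample lines are constructed, and the `.cn` suffix test is a coarse stand-in for "should stay domestic".

```python
import re

# Constructed sample lines; adjust LINE if your core prints a different shape.
SAMPLE_LOG = """\
[TCP] 192.168.1.20:51844 --> www.example.cn:443 match Match using PROXY[node-a]
[TCP] 192.168.1.20:51850 --> cdn.example.com.cn:443 match GeoIP(CN) using DIRECT
[TCP] 192.168.1.20:51861 --> video.example.com:443 match DomainSuffix(example.com) using PROXY[node-a]
[UDP] 192.168.1.20:40112 --> pay.example.cn:443 match Match using PROXY[node-a]
"""

LINE = re.compile(
    r"\[(?P<net>TCP|UDP)\]\s+\S+\s+-->\s+(?P<host>[^\s:]+):\d+"
    r"\s+match\s+(?P<rule>\S+)\s+using\s+(?P<out>\S+)"
)

def audit(log_text, domestic_suffixes=(".cn",)):
    """Group domestic-looking hosts that left via a non-DIRECT outbound,
    keyed by the rule that matched, so you know which rule to look above."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # unrelated log line
        host, out = m["host"].lower(), m["out"]
        if host.endswith(tuple(domestic_suffixes)) and not out.startswith("DIRECT"):
            findings.setdefault(m["rule"], []).append((m["net"], host, out))
    return findings

if __name__ == "__main__":
    for rule, flows in audit(SAMPLE_LOG).items():
        print(f"matched by {rule}:")
        for net, host, out in flows:
            print(f"  {net} {host} -> {out}")
```

If every finding is keyed by the catch-all rule, the bypass lines are missing or sit below it; if a specific rule shows up instead, that rule is shadowing the bypass.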
Compare public IP seen by domestic checkers
Another quick signal: in a browser tab that should stay domestic, visit a mainland “what is my IP” style page while Clash is on. If the address belongs to your residential ISP or campus NAT, DIRECT is probably winning. If it mirrors your proxy exit geography, traffic is still encapsulated. This test is coarse—some sites use split domains—but it is fast and helps justify deeper YAML work.
Watch for global modes and catch-all groups
GUI presets labeled Global or profiles that map MATCH straight to a single PROXY group override subtle split rules unless your client enforces a different mode. Verify you are actually in rule-based routing before blaming GeoIP databases.
3. Rule order, MATCH, and policy groups
Order is not cosmetic. Clash walks the rules array in your profile from top to bottom and stops at the first hit. Patterns that look “obviously correct” never execute if an earlier line already sends traffic to a proxy. This trips newcomers who append GEOIP,CN,DIRECT at the end of a thousand-line subscription file while a broad DOMAIN-SUFFIX,google.com,PROXY or a premature MATCH,PROXY sits above it.
Where MATCH belongs
The MATCH rule is the unconditional terminator. Anything listed after MATCH is dead code. Your China bypass lines must appear before the final MATCH that sends “everything else” to your proxy group. A common clean layout is: explicit LAN / private exceptions, explicit block or direct domains you trust, GEOIP or geosite-based country rules, subscription-supplied domain lists for foreign services, then MATCH to the default policy.
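To make the first-match behaviour and the dead-code effect concrete, here is an added sketch (not code from the article or from any Clash core) that evaluates a rules list top to bottom and flags lines stranded after MATCH. The tiny GEO table is a constructed stand-in for Country.mmdb, the hostnames and addresses are placeholders, and only the three rule types used on this page are modelled.

```python
import ipaddress

# Constructed stand-ins for geodata; a real core reads Country.mmdb instead.
GEO = {
    "CN": [ipaddress.ip_network("203.0.113.0/24")],  # doc range tagged CN for the demo
    "PRIVATE": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}

def parse(rule):
    """Split 'TYPE,payload,POLICY[,option]' or 'MATCH,POLICY' into a triple."""
    parts = [p.strip() for p in rule.split(",")]
    if parts[0] == "MATCH":
        return "MATCH", "", parts[1]
    return parts[0], parts[1], parts[2]

def hits(kind, payload, host, ip):
    if kind == "MATCH":
        return True
    if kind == "DOMAIN-SUFFIX":
        return host == payload or host.endswith("." + payload)
    if kind == "GEOIP":
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in GEO.get(payload.upper(), []))
    return False  # rule types outside this sketch never match

def route(rules, host, ip):
    """First-match evaluation: return (1-based line, policy) or (None, None)."""
    for n, rule in enumerate(rules, 1):
        kind, payload, policy = parse(rule)
        if hits(kind, payload, host, ip):
            return n, policy
    return None, None

def lint(rules):
    """Report rules placed after MATCH, which can never execute."""
    kinds = [parse(r)[0] for r in rules]
    if "MATCH" not in kinds:
        return ["no MATCH terminator"]
    end = kinds.index("MATCH")
    return [f"line {n}: dead after MATCH: {r}"
            for n, r in enumerate(rules[end + 1:], end + 2)]

# Constructed profiles: the appended-bypass mistake and the reordered fix.
BROKEN = ["DOMAIN-SUFFIX,google.com,PROXY", "MATCH,PROXY", "GEOIP,CN,DIRECT"]
FIXED = ["GEOIP,private,DIRECT,no-resolve", "GEOIP,CN,DIRECT",
         "DOMAIN-SUFFIX,google.com,PROXY", "MATCH,PROXY"]

if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, route(rules, "shop.example.cn", "203.0.113.10"), lint(rules))
```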
Policy groups vs. DIRECT
DIRECT means the core lets the connection follow the normal OS routing table without tunneling through a remote SOCKS or HTTP proxy node. It does not magically fix DNS or TUN conflicts by itself. If you route TCP to DIRECT but DNS still resolves through an offshore resolver with aggressive filtering, you can see odd edge behavior. Think of DIRECT as “use my real uplink for this flow’s TCP/UDP,” and pair it with sane DNS policy.
| What you observe | Likely cause to check first |
|---|---|
| Domestic sites slow; logs show a foreign node | A broad DOMAIN or IP rule above your CN bypass; MATCH placed too early; “global” mode enabled in the GUI |
| GEOIP line never appears in hit logs | Earlier rule already matched; stale geodata; flow is domain-sniffed to a non-CN CDN edge |
| Only one bank site fails | Hostname sits on an anycast IP mis-tagged in mmdb; needs a DOMAIN-SUFFIX exception or updated geodata |
4. GEOIP for China → DIRECT
The GEOIP rule type looks up the destination IP against an on-disk database (commonly GeoLite2 Country or commercial equivalents) and branches when the country code matches. For mainland breakout, CN is the tag people reach for first. A minimal pattern is “if the resolved endpoint is registered as China, use DIRECT; otherwise continue down the list.”
Illustrative rules snippet
Adapt field names to your core version; verify against current Mihomo documentation when mixing features like no-resolve:
```yaml
rules:
  - GEOIP,private,DIRECT,no-resolve
  - GEOIP,CN,DIRECT
  - MATCH,PROXY
```
The private line (or equivalent RFC1918 handling) keeps LAN and carrier-grade NAT space from being misclassified when you rely on IP geography. Some templates add no-resolve on certain GEOIP lines to avoid forcing resolution in contexts where only IPs are available; your build may expose slightly different keywords. After editing, reload the profile and re-check the connection list for a known domestic IP.
Keep Country.mmdb fresh
GeoIP mistakes are not theoretical. CDNs re-announce prefixes, databases ship corrections quarterly, and a year-old Country.mmdb quietly mis-labels swaths of address space. If only one stubborn hostname misbehaves while others work, update geodata before writing fifty DOMAIN rules. Most clients let you replace the file or trigger a download from settings; command-line users can swap the path referenced in geodata-mode configuration.
5. geosite lists, LAN, and DNS alignment
GEOIP works on IPs after resolution. Some workflows prefer geosite category lists (for example a curated cn domain set) so that matching happens on names, which can be easier to reason about when traffic hits shared anycast fronts. Trade-off: lists must be maintained, and domains move between providers. Many real-world profiles combine both: geosite for obvious domestic suffixes, GEOIP as a safety net for whatever the lists miss.
PRIVATE and loopback
Corporate intranets, home NAS pages, and printer GUIs should bypass the tunnel entirely. Beyond GEOIP private ranges, explicit DOMAIN-SUFFIX entries for internal DNS zones save hours of mystery timeouts. If you run TUN mode, revisit exclusions together with Windows TUN routing and firewall so local subnets are not captured by mistake.
DNS must agree with routing
Split routing is a two-handed problem: where packets go and how names resolve. With fake-ip enabled, domestic apex domains sometimes need to appear in fake-ip-filter so picky TLS clients see coherent answers—see the dedicated fake-ip-filter walkthrough. With redir-host or classical DNS forwarding, consider nameserver-policy so .cn queries hit resolvers that return mainland-optimal CDN edges while offshore names use DoH you trust.
When Windows, WSL2, and Clash share DNS duties, loopbacks and order of operation matter; the WSL2 and localhost DNS article walks through a typical stack. The short version for this topic: if you fix GEOIP but DNS still points a domestic hostname at an anycast node abroad, page load may remain mediocre until resolver policy matches the routing split.
6. When GeoIP alone is not enough
GeoIP CN → DIRECT covers the 80% case for users who simply forgot a bypass. Remaining cases usually fall into a few buckets.
- Shared anycast IPs—A handful of finance and anti-bot fronts announce addresses that geolocate oddly or span regions. A surgical DOMAIN-SUFFIX or DOMAIN-KEYWORD rule (placed high, documented) beats fighting the database.
- Application-specific proxy overrides—Browsers with per-extension VPNs, corporate agents, or chat apps that ignore system proxy can appear “immune” to YAML changes. Reduce to one forwarding layer while testing.
- QUIC or HTTP/3 paths—If UDP egress behaves differently from TCP in your TUN setup, symptoms may look geographic but are actually protocol-specific. Compare disabling QUIC temporarily in the browser against tightening TUN UDP rules.
- IPv6 vs IPv4—If only one address family routes through Clash, you might resolve AAAA records that bypass the intended policy. Inspect whether IPv6 should be tunneled, blocked, or left native on your network.
Each exception should be documented in your personal fork of the config: comment the hostname, the observed symptom, and the date. Subscription merges will otherwise wipe your careful inserts without warning.
7. Summary
Clash shines when split routing reflects how you actually live on the network: foreign destinations ride the encrypted path to quality exits, while mainland destinations break out via DIRECT to preserve latency, compliance, and sanity. When domestic tabs degrade, assume nothing: verify in logs that flows are mis-assigned, move GEOIP,CN (and private ranges) above your catch-all MATCH, refresh Country.mmdb, and align DNS with the mode you run—especially under fake-ip or TUN.
For a structured baseline before layering bypass rules, read our configuration documentation, import a profile you can diff cleanly, then add GEOIP and DNS policies deliberately rather than pasting opaque megabytes from forums.
Compared with all-or-nothing VPN clients, Clash-family cores reward users who invest once in readable rules: you keep overseas reach without surrendering the snappy mainland web your bank and government portals expect. The difference is not magic; it is correct GeoIP placement, current geodata, and resolver choices that respect the same boundaries.