Clash on Windows 11: Mixed Port and LAN Proxy Sharing — Firewall and Setup Steps

How to turn on the mixed port, share your proxy with phones and other PCs on the same Wi‑Fi, allow Clash through Windows Firewall, and troubleshoot when the port is listening but nothing connects.

Clash Editorial

1. Why Mixed Port and LAN Sharing Matter

Many people run Clash on Windows 11 on a desktop or laptop and want the same proxy on a phone, tablet, or another computer without installing a full client on each device. The usual approach is to expose a single local port that speaks both HTTP and SOCKS traffic—a pattern commonly called a mixed port—and point other devices on your home or office LAN to that address.

That sounds simple until Windows gets in the way: the proxy may work fine on 127.0.0.1 on the host machine, yet refuse connections from 192.168.x.x. In practice the blockers are almost always a combination of bind address (listening only on loopback), LAN permission inside the Clash-based app, and Windows Defender Firewall treating the connection as unsolicited inbound traffic.

This guide walks through a coherent setup path for Clash Windows 11 users: enable the mixed port, allow access from the LAN, open the right holes in the firewall, and confirm with quick checks before you spend an hour guessing. If you need a refresher on how Clash fits into your stack, see our configuration overview; for choosing a desktop client, our Windows client comparison covers Verge versus legacy Clash for Windows.

2. What Is the Mixed Port?

In Clash-family cores, a mixed port is one TCP listener that accepts both HTTP proxy requests and SOCKS5 sessions on the same port number. That reduces confusion when you configure a browser or an operating system that expects an HTTP proxy while another app insists on SOCKS. Instead of memorizing two ports, you standardize on something like 7890 for everything that can reach the machine running Clash.

Behind the scenes the core inspects the first bytes of each incoming connection and dispatches to the correct handler. For LAN proxy sharing, the important part is not the protocol multiplexing itself but the fact that you have one well-defined TCP port to expose and to document in your firewall rules.

Your YAML typically includes entries similar to mixed-port: 7890, alongside separate port (HTTP) and socks-port if you still want discrete listeners. Many users disable the redundant listeners and rely on the mixed port alone to keep the attack surface and mental model smaller.

Tip: Pick a port that is not already used by another service. If 7890 conflicts, choose another high port (for example in the 17xxx range) and stay consistent across config, firewall rules, and device settings.

3. Network Basics on Windows 11

Before you touch Clash, confirm how Windows sees your network. Open Settings → Network & internet → Properties for your active Wi‑Fi or Ethernet connection. For home sharing you generally want the profile set to Private, not Public. A Public profile applies stricter firewall defaults and can make debugging feel random if some rules only attach to Private networks.

Write down the IPv4 address of the PC that will run Clash, for example 192.168.1.42. Other devices must use that address as their proxy host. If your router assigns addresses with DHCP, consider reserving this machine in the router admin panel so the address does not change overnight.

Ensure all participating devices sit on the same subnet. Guest Wi‑Fi networks and VLANs often isolate clients; in those cases the phone will never reach your desktop’s port even if Clash and the firewall are perfect. When in doubt, ping the PC from another device or run a quick port check after the proxy is listening.

IPv6 and link-local quirks

Some environments advertise IPv6 ULA or temporary addresses aggressively. For a stable LAN proxy, IPv4 is usually easier to explain to family members and to enter in mobile Wi‑Fi proxy fields. You can still use IPv6 later once the basic IPv4 path works.

4. Client Settings: Port and LAN Access

Graphical clients such as Clash Verge expose toggles for Allow LAN or similar wording. Turning that on tells the core to listen on 0.0.0.0 (all interfaces) rather than only 127.0.0.1. If your symptom is “works on the PC, fails from the phone,” this toggle is the first place to look.

If you edit config.yaml directly, align these ideas with keys such as mixed-port, bind-address, and allow-lan depending on your core version. The exact spelling can vary slightly between Mihomo and older cores, so after saving, restart the service and re-open the effective running config from the client to confirm what actually loaded.

Do not confuse system proxy with LAN inbound. Setting Windows to use 127.0.0.1:7890 only affects local applications. Remote devices need the host’s LAN IP and the same port, and they do not care whether you enabled system proxy on the server—they open a TCP connection to your machine.

Note: Some builds expose a separate “external controller” port for the API. That port is not a substitute for the mixed HTTP/SOCKS port unless you know exactly what you are doing. Forward the mixed port for normal browsing traffic.

5. Windows Firewall: Allow the App and Port

Allow an app through Windows Firewall is the user-friendly path. Open Windows Security → Firewall & network protection → Allow an app through firewall. Click Change settings, then Allow another app. Browse to your Clash client executable (for example the Clash Verge binary under Program Files or your portable folder). Ensure both Private and, if you need it, Public are checked—many users accidentally leave only one profile enabled.

Application rules are convenient but sometimes incomplete when the core is spawned as a child process or when multiple executables participate. In those situations add an explicit inbound rule for the TCP port: Windows Defender Firewall with Advanced Security → Inbound Rules → New Rule → Port → TCP → Specific local ports → enter your mixed port. Allow the connection, scope it to Private if possible, and give the rule a clear name like Clash mixed 7890 TCP.

Third-party security suites may layer their own firewall in front of Microsoft’s. If everything looks correct in Windows but remote devices still time out, temporarily pause or inspect the third-party product’s network shield. Corporate machines with Group Policy may block listening sockets altogether; that requires IT assistance rather than a Clash tweak.

Order of operations

Apply client changes first so the process is actually listening, then adjust firewall rules. Creating a rule for a port that nothing binds to yet is harmless but makes verification confusing because you might assume the service is up when it is not.
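
The port rule described above can also be created from an elevated PowerShell prompt. This is an added example, not part of the original guide; it assumes port 7890 and the rule name suggested in the text, and it goes one step further by accepting only sources on the directly attached subnet.

```powershell
# Added example (not from the guide or the Clash project). Run elevated.
# Assumptions: mixed port 7890 and the rule name suggested in the text.
function Set-ClashMixedPortRule {
    param(
        [int]$Port = 7890,
        [string]$RuleName = "Clash mixed $Port TCP"
    )

    # A rule limited to the Private profile has no effect while the active
    # network is classified otherwise, so report that instead of widening it.
    $notPrivate = Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -ne 'Private' }
    foreach ($p in $notPrivate) {
        Write-Warning "$($p.InterfaceAlias) is '$($p.NetworkCategory)'; the rule will not apply there."
    }

    # Replace any earlier rule of the same name so re-runs do not stack duplicates.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Inbound TCP on the mixed port only, Private profile only, and only from
    # addresses on the local subnet.
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
        -Profile Private -RemoteAddress LocalSubnet
}

Set-ClashMixedPortRule -Port 7890
```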

6. Verify Listening and Reachability

On the Windows machine open PowerShell and run netstat -ano | findstr :7890 (replace with your port). You want to see LISTENING on 0.0.0.0:7890 or your LAN IP, not only 127.0.0.1:7890, if LAN access is the goal.

From a second device on the same network, try a lightweight connectivity test. A browser-based check is not always reliable before proxy settings exist; using a terminal with curl or a port-scan app toward 192.168.x.x:7890 can confirm TCP reachability. If TCP connects but HTTP fails, you are at least past firewall and bind issues and can focus on authentication or protocol mismatch.

Windows itself can connect to 127.0.0.1 even when remote access fails, so always test from another host when validating LAN proxy scenarios. Document your working combination—IP, port, HTTP versus SOCKS—so you can reproduce it after updates.

| Symptom | Likely cause | First action |
| --- | --- | --- |
| Works on PC, not on phone | Listen only on loopback or LAN off | Enable LAN / bind 0.0.0.0 |
| Immediate timeout from LAN | Firewall blocking inbound | App rule + inbound TCP rule |
| Intermittent drops | DHCP IP changed | Reserve IP in router |
| Wrong protocol errors | HTTP vs SOCKS mismatch | Use mixed port consistently |
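
A read-only check that gathers the three things this section asks about (bind address, network classification, firewall rule scope) in one pass. It is an added example, not the guide's or the Clash project's code, and assumes the mixed port is 7890.

```powershell
# Added example (not from the guide or the Clash project). Read-only checks.
# Assumption: 7890 is the mixed port, as in the guide's examples.
function Get-MixedPortExposure {
    param([int]$Port = 7890)

    # 1. Bind address: loopback-only explains "works on the PC, fails from the phone".
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $listeners) {
        [pscustomobject]@{ Check = 'Listener'; Item = "TCP $Port"; Finding = 'nothing listening' }
    }
    foreach ($l in $listeners) {
        $scope = switch ($l.LocalAddress) {
            { $_ -in '127.0.0.1', '::1' } { 'loopback only' }
            { $_ -in '0.0.0.0', '::' }    { 'all interfaces' }
            default                       { 'one interface' }
        }
        $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        [pscustomobject]@{ Check = 'Listener'; Item = "$($l.LocalAddress):$Port ($proc)"; Finding = $scope }
    }

    # 2. Network classification decides which firewall profile is in force.
    foreach ($n in Get-NetConnectionProfile) {
        [pscustomobject]@{ Check = 'Network'; Item = $n.InterfaceAlias; Finding = "$($n.NetworkCategory)" }
    }

    # 3. Enabled inbound allow rules that name this port exactly. Rules written
    #    as port ranges or as program-only rules (LocalPort 'Any') are not listed.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($r in $rules) {
        $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        # Flag rules that reach beyond the Private profile or accept any source.
        $wide = ("$($r.Profile)" -match 'Public|Any') -or ($remote -eq 'Any')
        $note = if ($wide) { ' <- wider than Private/LAN' } else { '' }
        [pscustomobject]@{ Check = 'Firewall'; Item = $r.DisplayName
                           Finding = "profile=$($r.Profile) remote=$remote$note" }
    }
}

Get-MixedPortExposure -Port 7890 | Format-Table -AutoSize -Wrap
```

A listener on all interfaces with no matching firewall row usually means an application rule is doing the allowing; check its profiles in the Allow an app dialog.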

7. Configure Other Devices

On Android, open Wi‑Fi details → Advanced → Proxy (wording varies by OEM) and set the hostname to your PC’s IPv4 address and the port to the mixed port. Choose Manual proxy configuration. For HTTP and HTTPS fields, enter the same host and port if the UI asks twice.

On iOS, Wi‑Fi → Configure Proxy → Manual similarly accepts server and port. Apple separates HTTP and HTTPS; with a mixed port you can often use the same values for both. SOCKS-specific apps may still need a dedicated SOCKS endpoint if you bypass the system proxy entirely.

Another Windows or macOS machine can reuse the same host and port in its system proxy settings or in a browser extension. Remember that traffic from those machines will appear to exit through your Clash node selection on the gateway PC, so policy and bandwidth apply there.

If you prefer not to set system-wide proxy on mobile, per-app VPN or proxy tools exist, but they are outside the scope of this article. The mixed port approach keeps the moving parts on one trusted desktop.

8. Troubleshooting Checklist

When users search for Clash Windows 11 plus firewall keywords, they have often already enabled the port and still see failures. Work through this ordered list before reinstalling anything.

  1. Confirm the process listens broadly. Re-read netstat output after every config change.
  2. Re-check Allow LAN in the GUI; some updates reset toggles when importing a new profile.
  3. Match firewall profile to how Windows classifies the network; flip Private versus Public intentionally.
  4. Test from a wired vs wireless device to rule out AP isolation on certain routers.
  5. Disable conflicting proxies on the client that might send traffic to the wrong host.
  6. Review Clash logs for accept or handshake lines when an external client connects.

DNS leakage and rule mode are separate topics: if TCP connects and you receive HTTP 502 or TLS errors, your tunnel is working and you should inspect upstream nodes or DNS settings instead of the port share itself.

Performance expectations

Forwarding an entire phone through a desktop proxy adds hop latency. For large downloads the PC should stay awake and on AC power if possible. Sleep modes suspend listeners; adjust power plans when you need overnight availability.

9. Security and Household Use

Opening a mixed port on 0.0.0.0 means any device on the LAN can attempt to use your proxy. That is acceptable on a trusted home network but risky on hotel or café Wi‑Fi. Stick to Private profiles, disable sharing when you travel, and consider MAC filtering or guest network isolation if your router supports it.

Do not port-forward the mixed port from the public internet through your router unless you fully understand authentication and abuse potential. The features described here target same-subnet LAN proxy use, not exposing Clash to the wide-area network.

Keep the client updated from a trustworthy source. Compared with ad-hoc scripts, maintained Clash Windows 11 builds integrate better with modern cores and reduce the chance of stale dependencies. When you are ready to install or upgrade, use the official site’s download page rather than random repackaged binaries.

10. Summary

Sharing Clash over Wi‑Fi is a small configuration story with three pillars: a mixed port you actually listen on, a bind that includes the LAN, and Windows Firewall rules that match how your network profile is classified. When those align, phones and secondary PCs can reuse your node selection without running a separate tunnel on each gadget.

Compared with opaque VPN apps that hide every knob, Clash’s explicit ports and logs make this workflow debuggable—you can see listen state, test from another shell, and adjust one layer at a time. That transparency is why many technical users still prefer a rule-based proxy stack on Windows 11 even as consumer VPNs simplify the onboarding at the cost of flexibility.

Once your LAN path works, snapshot your working YAML and firewall notes so the next driver or feature update does not send you back to square one. Small documentation habits save hours when IPv4 addressing or client toggles change after an upgrade.
