Clash Rule-Based Routing Explained: Custom Rules for Precise Domestic and Foreign Traffic Split
Why Rule-Based Splitting Still Matters
Many users start with a single outbound: everything goes through a remote node because it is simple and predictable. That convenience hides a real cost. Domestic content, local APIs, campus portals, banking apps, and CDN nodes inside your country often perform worse or break outright when you force them through an overseas hop. Latency climbs, TCP handshakes multiply, and some services reject logins that originate from the wrong region.
Rule-based routing is how Clash (and the modern Mihomo kernel most GUIs ship today) lets you say, in order: this domain goes DIRECT, that IP range stays local, foreign sites use PROXY, and whatever remains follows a sensible default. The goal is not perfection on the first attempt; it is a maintainable policy that matches how you actually use the network.
This article focuses on the mechanics you need to customize that policy: how rules are evaluated, which rule types exist, how proxy-groups participate in the decision, and how DNS quietly determines whether your domain rules can fire. When you finish, you should be able to read a provider profile, know where to insert overrides, and avoid the classic “everything is direct” or “everything is proxy” traps.
The Rule Pipeline: First Match Wins
Clash walks the rules: array from top to bottom. The first line that matches the current flow decides the outbound (or a proxy-group name that will then pick a concrete node). There is no scoring phase and no second guess. That single property explains more support threads than any exotic protocol.
Implications are immediate. If you place a broad GEOIP,CN,DIRECT high in the list, you may accidentally steer traffic you intended to proxy because the IP geolocation database said “China.” If you place a catch-all MATCH,PROXY at the top, nothing below it runs. Providers usually ship a long tail of DOMAIN-SUFFIX and IP-CIDR lines followed by GEOIP and MATCH; your personal tweaks belong above the provider block when you want to override, or in a dedicated rule-providers section if you manage lists externally.
Modern cores also support rule-providers that download text lists and behave like expanded rule entries at a defined position. The same first-match logic applies; only the maintenance story changes. Whether you inline YAML or fetch lists, think in terms of priority, not just correctness.
Rule Types You Will Actually Use
DOMAIN matches an exact hostname. It is precise and fast for single endpoints you care about, such as a university SSO host or a corporate API gateway.
DOMAIN-SUFFIX matches a suffix at a label boundary, so DOMAIN-SUFFIX,example.com,DIRECT covers example.com itself as well as www.example.com and a.b.example.com. This is the workhorse for site classes. Be careful with short or shared suffixes: a sloppy suffix can pull far more traffic than you expected into DIRECT or PROXY.
DOMAIN-KEYWORD performs a substring match on the domain name. It is convenient but blunt; use it sparingly because false positives are common when a keyword appears inside unrelated domains.
IP-CIDR and IP-CIDR6 match the destination address against a prefix. They are essential for targets that skip DNS in your view, or when you want to pin certain CDNs or carrier ranges. One caveat matters for ordering: when a flow was opened by hostname, the core has to resolve that name before it can test an IP rule, so IP rules placed above your domain rules force a lookup on every hostname flow. Append the no-resolve flag (IP-CIDR,10.0.0.0/8,DIRECT,no-resolve) and hostname flows skip the rule instead of being resolved; LAN and loopback rules should carry it. Remember also that under fake-ip a flow may not have a real address at rule time, which is why domain rules still matter.
GEOIP tags traffic using an offline country database bundled with the distribution. GEOIP,CN is the textbook line for sending Chinese IPs direct. Like IP-CIDR, it needs an address, so it resolves any hostname flow that nothing above it matched; that is one more reason it belongs near the bottom. Accuracy is good enough for day-to-day splits but not forensic-grade; occasional mislabels happen, which is why power users keep a short list of domain overrides above GEOIP.
PROCESS-NAME and related selectors appear on some platforms when the core can see the originating binary. They are powerful for per-application splits on desktop, but portability drops on mobile where sandboxing differs.
MATCH is the final net. It should appear once, at the end, expressing your default stance: usually PROXY for a privacy-oriented profile or DIRECT for a minimal-touch corporate mix. If you omit MATCH, a flow that no rule matches falls back to the core default, which in Clash and Mihomo is DIRECT; spell out your default rather than relying on that implicitly.
Syntax details. Fields are comma-separated with no surrounding spaces, in the order type, payload, policy, optional flags (MATCH takes only a policy); exact keywords depend on the core version. After edits, reload the profile and read the log: a malformed line typically makes the whole profile fail to load, not just that one rule, until you fix it.
Proxy-Groups Are Part of the Decision
Rules do not have to point to a bare proxy name. They frequently point to proxy-groups such as PROXY, Auto, or Fallback. A select group lets you choose manually; url-test periodically measures latency and picks a winner; fallback walks an ordered list until one node answers; load-balance spreads sessions across members.
When you tune split routing, separate concerns. Use DIRECT and a single well-named PROXY group in rules for clarity, then nest complexity inside the group definition. If your rule sends a flow to Auto, the rule engine is done; the group logic takes over. Misconfigured health-check URLs or unrealistic intervals cause flapping that looks like “rules are random.”
If you are new to grouping models, walk through the subscription import guide first so proxies actually exist before you optimize routing.
A Practical Domestic / Foreign Pattern
A common user goal: browse foreign sites through a tunnel, hit domestic services directly, and keep LAN and private ranges untouched. A readable skeleton looks like this conceptual order: (1) block or handle special cases if any; (2) IP-CIDR for 192.168.0.0/16, 10.0.0.0/8, and 127.0.0.0/8 as DIRECT; (3) explicit DOMAIN or DOMAIN-SUFFIX lines for sites you know must stay local or must always use proxy; (4) GEOIP,CN,DIRECT or equivalent; (5) MATCH,PROXY as default.
Tweak the middle layer to reflect reality. Streamers often add large DOMAIN-SUFFIX sets for domestic video; developers add Git registry domains to PROXY even if GEOIP would have sent them direct, because corporate mirrors and DNS splitting interact oddly. Your list should grow from measured frustration, not from copying ten thousand lines you cannot explain.
# Conceptual excerpt: adapt names to your profile
rules:
  # Loopback and RFC1918 space stay local. no-resolve stops these IP rules from
  # forcing a DNS lookup on hostname flows before the domain rules below get a look.
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  # Domain overrides: cheap, and evaluated without resolving anything.
  - DOMAIN-SUFFIX,cn,DIRECT
  - DOMAIN,your-bank.example,DIRECT
  # IP-based fallback for PRC addresses, then the default stance.
  - GEOIP,CN,DIRECT
  - MATCH,PROXY
The DOMAIN-SUFFIX,cn line is deliberately blunt and controversial in real life: it matches every hostname ending in .cn, which is usually what you want for PRC sites but will surprise you if a global brand serves a .cn marketing domain you intended to proxy. Swap in your own curated lines; treat the snippet as structural, not gospel.
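The ordering rules in this section and the rule types above are easiest to internalize by running them. The block below is an added illustration, not Clash or Mihomo code: a small first-match engine that models DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, IP-CIDR / IP-CIDR6 (with the no-resolve flag), GEOIP and MATCH. The resolver and GeoIP tables are constructed stand-ins using documentation address ranges, and the hostnames (git.corp-mirror.example, www.example.cn, foreign.example.org) are made up, so it runs offline. It contrasts a profile that puts GEOIP above a developer's proxy override (and leaves no-resolve off the LAN rule) with the corrected order, and counts how many DNS lookups each rule walk forces.

```python
"""Minimal first-match-wins rule engine modelled on the Clash rule pipeline.
Added illustration only; not Clash or Mihomo code. FAKE_DNS and FAKE_GEOIP are
constructed stand-ins (documentation ranges, no real data) so it runs offline.
"""
import ipaddress

# Constructed resolver table (stand-in for real DNS).
FAKE_DNS = {
    "git.corp-mirror.example": "203.0.113.44",   # lands in the "CN" range below
    "www.example.cn": "203.0.113.10",
    "foreign.example.org": "198.51.100.7",
}
# Constructed GeoIP table (stand-in for the bundled country database).
FAKE_GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

def geoip_lookup(ip):
    addr = ipaddress.ip_address(ip)
    for net, code in FAKE_GEOIP.items():
        if addr in net:
            return code
    return None

def parse_rule(line):
    """'TYPE,payload,policy[,flag...]' -> (type, payload, policy, flags)."""
    parts = [p.strip() for p in line.split(",")]
    kind = parts[0].upper()
    if kind == "MATCH":
        return kind, None, parts[1], set()
    if len(parts) < 3:
        raise ValueError(f"malformed rule: {line!r}")
    return kind, parts[1], parts[2], {f.lower() for f in parts[3:]}

class Flow:
    """One connection as the rule engine sees it: a hostname, an IP, or both."""
    def __init__(self, host=None, dst_ip=None):
        self.host = host.lower() if host else None
        self.dst_ip = dst_ip
        self.lookups = 0   # how many DNS resolutions the rule walk forced

    def ip(self, may_resolve):
        if self.dst_ip is None and may_resolve and self.host in FAKE_DNS:
            self.dst_ip = FAKE_DNS[self.host]
            self.lookups += 1
        return self.dst_ip

def domain_hit(kind, host, payload):
    p = payload.lower()
    if kind == "DOMAIN":
        return host == p
    if kind == "DOMAIN-SUFFIX":          # bare domain and any subdomain
        return host == p or host.endswith("." + p)
    return p in host                     # DOMAIN-KEYWORD: substring, blunt

def evaluate(rules, flow):
    """Return (policy, matched_line); the first matching rule wins, as in Clash."""
    for line in rules:
        kind, payload, policy, flags = parse_rule(line)
        if kind == "MATCH":
            return policy, line
        if kind in ("DOMAIN", "DOMAIN-SUFFIX", "DOMAIN-KEYWORD"):
            if flow.host is not None and domain_hit(kind, flow.host, payload):
                return policy, line
        elif kind in ("IP-CIDR", "IP-CIDR6", "GEOIP"):
            # An IP rule needs an address. Without no-resolve, a hostname flow
            # is resolved right here, before any later domain rule gets a look.
            ip = flow.ip(may_resolve="no-resolve" not in flags)
            if ip is None:
                continue
            if kind == "GEOIP":
                if geoip_lookup(ip) == payload.upper():
                    return policy, line
            elif ipaddress.ip_address(ip) in ipaddress.ip_network(payload, strict=False):
                return policy, line
        else:
            raise ValueError(f"unsupported rule type: {kind}")
    return "DIRECT", None   # no MATCH line: the cores fall back to DIRECT

# The trap: GEOIP sits above the developer's proxy override, and the LAN rule
# lacks no-resolve, so every hostname flow is resolved before domain rules run.
TRAP = [
    "IP-CIDR,192.168.0.0/16,DIRECT",
    "GEOIP,CN,DIRECT",
    "DOMAIN-SUFFIX,corp-mirror.example,PROXY",
    "MATCH,PROXY",
]
# The fix: overrides first, cheap domain rules next, IP-based rules last.
FIXED = [
    "IP-CIDR,192.168.0.0/16,DIRECT,no-resolve",
    "DOMAIN-SUFFIX,corp-mirror.example,PROXY",
    "DOMAIN-SUFFIX,cn,DIRECT",
    "GEOIP,CN,DIRECT",
    "MATCH,PROXY",
]
```

With TRAP, a flow to git.corp-mirror.example is resolved by the LAN rule, geolocated to CN and sent DIRECT; with FIXED the same flow matches the DOMAIN-SUFFIX override, goes to PROXY, and no lookup happens at all. A flow to foreign.example.org under FIXED still costs one lookup, because GEOIP has to see an address before MATCH takes it.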
DNS and Fake-IP: What Rules “See”
Under fake-ip mode, Clash answers DNS queries with synthetic addresses from a reserved pool (198.18.0.1/16 by default) and remembers which hostname each one stands for. When the connection to that address arrives, the core maps it back to the original domain and applies DOMAIN rules reliably, without waiting for a real resolution. Names listed in fake-ip-filter (NTP servers, local printers, anything that must see a genuine address) are answered with real records instead. The design is elegant but confuses newcomers who expect IP-based rules to fire immediately on every path: a fake address is not a real destination, so an IP-CIDR or GEOIP rule sees nothing useful until the name is actually resolved.
If DNS queries bypass Clash, domain rules weaken and you may leak resolver traffic or get results your policy never anticipated. Align Clash DNS listeners, hijack options (especially with TUN), and operating-system resolver settings. For a full-device picture, read the TUN mode guide after you stabilize basic rules.
When debugging, temporarily compare redir-host versus fake-ip behavior in a test profile. Never paste production subscriptions into public forums; logs contain domains, policies, and provider fingerprints.
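To make the fake-ip mechanism concrete, here is an added toy model; it is not Clash or Mihomo code. The pool range, the fake-ip-filter patterns (the "+." and "*." forms are simplified from the conventions those filters use), the hostnames and the REAL_DNS table are all constructed for the example. It shows the two halves of the trick: the DNS answer hands the client a synthetic address and records the mapping, and on connect the address is turned back into the hostname the rule engine should evaluate, while filtered names get a real answer and therefore no mapping.

```python
"""Toy fake-ip mapper: what the rule engine 'sees' under fake-ip mode.
Added illustration only; not Clash or Mihomo code. Pool, filters, hostnames
and the REAL_DNS table are constructed for the example.
"""
import ipaddress

# Constructed stand-in for real DNS answers (only used for filtered names).
REAL_DNS = {"ntp.example": "192.0.2.123", "router.lan": "192.168.1.1"}

class FakeIPPool:
    def __init__(self, cidr="198.18.0.1/16", filters=()):
        self.net = ipaddress.ip_network(cidr, strict=False)
        self.free = self.net.hosts()            # usable addresses, in order
        self.filters = [f.lower() for f in filters]
        self.domain_to_ip = {}
        self.ip_to_domain = {}

    def is_filtered(self, host):
        """True if fake-ip-filter says this name must get a real answer."""
        for pat in self.filters:
            if pat.startswith("+."):            # '+.lan' matches lan and *.lan
                base = pat[2:]
                if host == base or host.endswith("." + base):
                    return True
            elif pat.startswith("*."):          # '*.lan' matches subdomains only
                if host.endswith(pat[1:]):
                    return True
            elif host == pat:                   # exact name
                return True
        return False

    def answer(self, host):
        """What the client receives for an A query on `host`."""
        host = host.lower()
        if self.is_filtered(host):
            return REAL_DNS.get(host)           # genuine answer, nothing recorded
        if host not in self.domain_to_ip:
            ip = str(next(self.free))           # hand out the next synthetic address
            self.domain_to_ip[host] = ip
            self.ip_to_domain[ip] = host
        return self.domain_to_ip[host]

    def is_fake(self, dst_ip):
        return ipaddress.ip_address(dst_ip) in self.net

    def lookup_domain(self, dst_ip):
        """On connect: recover the hostname behind a synthetic address, or None."""
        return self.ip_to_domain.get(dst_ip)

def classify_connection(pool, dst_ip):
    """What the rule engine gets: ('domain', host) for a fake address,
    ('ip', dst_ip) for a real one that must be matched by IP rules."""
    host = pool.lookup_domain(dst_ip)
    if host is not None:
        return ("domain", host)
    return ("ip", dst_ip)
```

Two things to observe: the same hostname always maps to the same synthetic address for the life of the pool, so logs showing 198.18.x.y destinations are normal rather than a bug, and a filtered name such as router.lan produces a real address with no reverse mapping, so only IP rules (or GEOIP) can ever classify that flow.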
Rule-Providers and Overrides Without Forking the World
Large community lists of advertising or tracker domains illustrate rule-providers: you reference a URL, set a behavior (domain, ipcidr, or classical, depending on what the list contains and what the core supports), give it a local cache path and a refresh interval, and insert one RULE-SET,name,POLICY line in rules: at the position where those thousands of entries should be evaluated. For domestic/foreign splits, some users maintain a small private provider that only contains their employer or campus domains.
Keep your override provider short and version-controlled. When a remote list goes stale or switches license, you can swap the URL without touching the rest of the profile. Remember that provider order still interacts with first-match semantics: if your override must win, place it earlier than the imported block it contradicts.
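The following added example shows what a RULE-SET line turns into and why the position of the override matters; it is not Clash or Mihomo code. The two provider bodies are constructed inline (in a real profile they are fetched from the provider URL and cached at the configured path), and the parsing follows the conventions the Clash-family cores document for these list types: a classical list carries "TYPE,payload[,flags]" per line and takes its policy from the RULE-SET line, while a domain list carries one domain per line with a leading "+." meaning the domain and all of its subdomains. Matching itself is the same first-match walk as elsewhere on this page; this block only materializes the list.

```python
"""Materialize RULE-SET references into plain rules, keeping first-match order.
Added illustration only; not Clash or Mihomo code. Provider bodies below are
constructed; the 'ads' one stands in for a large community list, 'campus' for
a short private override list.
"""

PROVIDERS = {
    "ads": {"behavior": "domain",
            "text": "# community ad/tracker list\n+.ads.example\ntrack.example\n\n"},
    "campus": {"behavior": "classical",
               "text": "DOMAIN-SUFFIX,campus.example\nIP-CIDR,10.50.0.0/16,no-resolve\n"},
}

def parse_provider(behavior, text, policy):
    """Turn a provider body into rule lines that carry the RULE-SET's policy."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        if behavior == "classical":
            parts = [p.strip() for p in line.split(",")]
            if len(parts) < 2:
                raise ValueError(f"malformed classical entry: {line!r}")
            # policy goes after the payload; any flags (e.g. no-resolve) follow it
            rules.append(",".join(parts[:2] + [policy] + parts[2:]))
        elif behavior == "domain":
            if line.startswith("+."):
                rules.append(f"DOMAIN-SUFFIX,{line[2:]},{policy}")
            else:
                rules.append(f"DOMAIN,{line},{policy}")
        else:
            raise ValueError(f"unsupported behavior: {behavior!r}")
    return rules

def expand(rules, providers):
    """Replace each RULE-SET line, in place, with the provider's expanded rules."""
    out = []
    for line in rules:
        parts = [p.strip() for p in line.split(",")]
        if parts[0].upper() != "RULE-SET":
            out.append(line)
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed RULE-SET: {line!r}")
        prov = providers[parts[1]]        # KeyError means the provider was never declared
        out.extend(parse_provider(prov["behavior"], prov["text"], parts[2]))
    return out

def first_index(rules, payload):
    """Position of the first rule whose payload field equals `payload`, or -1."""
    for i, rule in enumerate(rules):
        fields = rule.split(",")
        if len(fields) > 1 and fields[1] == payload:
            return i
    return -1

# Profile order: private override first, then the imported lists, then defaults.
PROFILE = [
    "DOMAIN,metrics.ads.example,DIRECT",   # must win over the ad list's +.ads.example
    "RULE-SET,ads,REJECT",
    "RULE-SET,campus,DIRECT",
    "GEOIP,CN,DIRECT",
    "MATCH,PROXY",
]
```

Because expansion is positional, the override on line one ends up ahead of the DOMAIN-SUFFIX,ads.example,REJECT entry the community list produces, so the first-match walk reaches it first; move the override below the RULE-SET line and the imported entry silently wins instead.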
Mistakes That Look Like “Clash Is Broken”
Wrong default. A MATCH,DIRECT profile with no preceding proxy rules makes overseas sites crawl while you blame the node. Conversely, MATCH,PROXY with no domestic exceptions saturates your tunnel with local video traffic.
GEOIP as religion. CDNs and anycast make IP-based locality imperfect. Pair GEOIP with a handful of domain overrides for services you use daily.
Ignoring IPv6. IP-CIDR lines cover only IPv4; if your OS prefers IPv6 and you have no IP-CIDR6 or GEOIP coverage for those addresses, split behavior looks inconsistent from one site to the next. Either add matching IPv6 rules or disable IPv6 temporarily while testing, at the OS level or through the core's ipv6 setting.
Editing the wrong file. GUIs copy the active profile to an internal path; your hand edit on disk may not be what the running core loaded. After changes, use the GUI reload button and confirm timestamps.
Compliance. Routing rules do not grant permission to access restricted networks. Use split policies only on networks and accounts where you have authorization.
How Modes Interact With Rules
Clients expose Rule mode, Global, and Direct (names vary). In pure Direct, rules are largely bypassed for the practical outcome “everything local.” In Global, everything follows the selected outbound, which is useful for a quick test but teaches you nothing about your YAML. Sustainable day-to-day use sits in Rule mode, where the file you curated actually executes.
When someone says “rules do not work,” the first question is which mode was active. The second is whether the flow was DNS-over-HTTPS outside Clash. The third is whether a corporate policy killed split tunneling entirely.
Iterate With Measurement, Not Superstition
After you deploy a split policy, verify three flows: a domestic news site (should be direct under GEOIP CN assumptions), a foreign reference site (should show the proxy egress IP), and a local NAS or printer target (should remain on RFC1918 paths). If any case fails, move one rule, reload, and retest. Batch-changing twenty lines at once makes regression hunting miserable.
Latency-sensitive users should also watch upload paths; asymmetric routing through a distant node can hurt cloud sync even when download browsing feels fine. Your rule list is a living document—expect to revisit it quarterly as sites change CDNs.
Where to Go Next
For deeper field references and keyword tables, open the documentation hub from the same navigation tree as the rest of the site. Pair that with your client log pane; it remains the honest source of which rule matched a flow.
Closing Thoughts
Rule-based splitting is less about memorizing every keyword and more about respecting order, understanding DNS, and expressing a policy that matches your geography and apps. Compared with one-size-fits-all global proxying, a tuned profile usually feels faster for local errands and calmer for everything else—fewer captchas, less buffering on domestic CDNs, and a tunnel that only runs when it truly adds value.
Compared with ad hoc per-app SOCKS injectors, a maintained Clash GUI with the Mihomo core gives you one structured place to evolve those rules as your subscriptions and daily sites change.
→ Download Clash for free and experience the difference.
Need full-device coverage after rules behave? Return to the TUN guide for virtual adapter setup. Go to the download page →