
In TUN mode, inbound reply packets of a port mapping cannot go back out #1492

Closed
huzheyi opened this issue Sep 3, 2024 · 0 comments

huzheyi commented Sep 3, 2024

I ran into a problem similar to yours.

I am running mihomo 1.18.8 on VyOS as a container in host network mode.

In my case a DNAT mapping is configured on VyOS. From packet captures I found that when the mapped service is accessed from the external network:

  1. The packet first enters via the pppoe0 interface; capturing on pppoe0 shows:
15:50:28.099265 IP 43.226.237.69.32153 > 123.117.170.178.4433: Flags [S], seq 2965468837, win 64240, options [mss 1448,sackOK,TS val 70108068 ecr 0,nop,wscale 7], length 0
  2. The packet is then forwarded to the LAN according to the DNAT rule; capturing on br0 shows:
15:50:28.099505 IP 43.226.237.69.32153 > 192.168.1.41.443: Flags [S], seq 2965468837, win 64240, options [mss 1448,sackOK,TS val 70108068 ecr 0,nop,wscale 7], length 0
  3. The internal server then answers the TCP request with an ACK; capturing on br0 shows:
15:50:28.099613 IP 192.168.1.41.443 > 43.226.237.69.32153: Flags [S.], seq 3703792511, ack 2965468838, win 31856, options [mss 1460,sackOK,TS val 1923171828 ecr 70108068,nop,wscale 7], length 0
  4. After that the packet enters the Meta interface; capturing on Meta shows:
15:50:28.099742 IP 123.117.170.178.4433 > 43.226.237.69.32153: Flags [S.], seq 3703792511, ack 2965468838, win 31856, options [mss 1460,sackOK,TS val 1923171828 ecr 70108068,nop,wscale 7], length 0
  5. Normally this packet should now be visible on pppoe0, but in fact it is not, and the host on the external network never receives any reply.

When I stop mihomo, the relevant packets are captured normally on both pppoe0 and br0. I have confirmed this has nothing to do with the VyOS firewall, because the behaviour is the same with the firewall disabled under an allow-all policy.

I don't know what the correct behaviour at step 4 should be:

  1. the reply packet from the internal server does not enter the Meta interface and leaves directly via pppoe0,
     or:
  2. the reply packet from the internal server enters the Meta interface and then leaves via pppoe0

My mihomo configuration is as follows:

#port: 7890
#socks-port: 7891
mixed-port: 7890
#redir-port: 7892
#tproxy-port: 9898

allow-lan: true
bind-address: '*'

find-process-mode: strict

mode: rule

geox-url:
  geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
  geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
  mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"

# geodata-mode: true
geodata-loader: standard
geo-auto-update: true
geo-update-interval: 72

log-level: warning

ipv6: true

external-controller: 0.0.0.0:9090

tcp-concurrent: true

external-ui: /root/.config/mihomo/ui
external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"

global-client-fingerprint: ios

profile:
  store-selected: true
  store-fake-ip: true

tun:
  enable: true
  stack: mixed
  dns-hijack:
    - 'any:53'
  auto-route: true
#  auto-redirect: true
  auto-detect-interface: true
  gso: true
  gso-max-size: 65536
  include-interface:
    - br0

sniffer:
  enable: true
  sniff:
    TLS:
      ports: [443, 8443]
    HTTP:
      ports: [80, 8080-8880]
      override-destination: true
    QUIC:
      ports: [443,8443]
  force-domain:
    - +.v2ex.com
  skip-domain:
     - Mijia Cloud

dns:
  cache-algorithm: arc
  enable: true
  prefer-h3: true
  listen: :5353
  ipv6: true

  default-nameserver:
    - 119.29.29.29
    - 223.5.5.5
    - system

  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  # use-hosts: true

  respect-rules: false

  fake-ip-filter:
     - '*.lan'
     - '*.linksys.com'
     - '+.pool.ntp.org'
     - localhost.ptlogin2.qq.com
     - openpgpkey.kernel.org

  nameserver:
    - https://doh.pub/dns-query
    - https://dns.alidns.com/dns-query

  fallback:
    - https://1.1.1.1/dns-query
    - tls://1.0.0.1:853

  fallback-filter:
    geoip: true
    geoip-code: CN
    geosite:
      - gfw
    ipcidr:
      - 240.0.0.0/4
    domain:
      - '+.google.com'
      - '+.facebook.com'
      - '+.youtube.com'

  nameserver-policy:
    "geosite:private,cn,private,apple,microsoft@cn,category-games@cn":
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query

proxies:

... (omitted)

rule-providers:
  bypass-source:
    type: file
    behavior: classical
    path: "bypass-source.yaml"

rules:

  - RULE-SET,bypass-source,DIRECT
  - GEOIP,private,DIRECT
  - GEOIP,cn,DIRECT
  - GEOSITE,private,DIRECT
  - GEOSITE,cn,DIRECT
  - GEOSITE,apple,DIRECT
  - GEOSITE,microsoft@cn,DIRECT
  - GEOSITE,category-games@cn,DIRECT
  - GEOIP,telegram,PROXY,no-resolve
  - MATCH,PROXY

The internal host 192.168.1.42/32 is listed in bypass-source.yaml, but whether it is there or not does not seem to affect the result.

Originally posted by @huzheyi in #1368 (comment)
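The capture sequence described in the post, as an added example that is not part of the original issue or of mihomo: a small Python script that parses the four tcpdump lines quoted above (constructed here as input, each tagged with the interface the post says it was captured on), ties the SYN-ACK back to the inbound SYN by sequence number so that DNAT address rewriting does not break the match, and reports whether the un-DNATed reply ever appeared on the WAN interface. The interface names and the "reply has egressed" rule are assumptions taken from the post.

```python
import re

# Constructed input: the four tcpdump lines quoted in the issue, each tagged
# with the interface the post says it was captured on (options trimmed).
CAPTURE = [
    ("pppoe0", "15:50:28.099265 IP 43.226.237.69.32153 > 123.117.170.178.4433: Flags [S], seq 2965468837, win 64240"),
    ("br0", "15:50:28.099505 IP 43.226.237.69.32153 > 192.168.1.41.443: Flags [S], seq 2965468837, win 64240"),
    ("br0", "15:50:28.099613 IP 192.168.1.41.443 > 43.226.237.69.32153: Flags [S.], seq 3703792511, ack 2965468838, win 31856"),
    ("Meta", "15:50:28.099742 IP 123.117.170.178.4433 > 43.226.237.69.32153: Flags [S.], seq 3703792511, ack 2965468838, win 31856"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?"
)

def parse(iface, line):
    """Parse one tcpdump TCP line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["iface"] = iface
    pkt["seq"] = int(pkt["seq"])
    pkt["ack"] = int(pkt["ack"]) if pkt["ack"] else None
    return pkt

def trace_dnat_reply(capture, wan="pppoe0"):
    """Follow the first inbound SYN on `wan` and report where its SYN-ACK was seen.

    DNAT rewrites addresses and ports, so the reply is matched on the handshake
    (SYN-ACK whose ack == inbound seq + 1) rather than on the 4-tuple.
    """
    pkts = [p for p in (parse(i, l) for i, l in capture) if p]
    syn = next(p for p in pkts if p["iface"] == wan and p["flags"] == "S")
    replies = [p for p in pkts if p["flags"] == "S." and p["ack"] == syn["seq"] + 1]
    # The reply has really left only if it shows up on the WAN interface with the
    # DNAT reversed: sourced from the public endpoint, addressed to the client.
    egressed = any(
        p["iface"] == wan
        and (p["src"], p["sport"]) == (syn["dst"], syn["dport"])
        and (p["dst"], p["dport"]) == (syn["src"], syn["sport"])
        for p in replies
    )
    return {
        "reply_path": [p["iface"] for p in replies],
        "egressed_wan": egressed,
        "last_seen_on": replies[-1]["iface"] if replies else None,
    }
```

For the capture in the issue this reports the reply path br0 then Meta with no WAN egress; appending a pppoe0 line carrying the same SYN-ACK (the expected healthy case) flips the verdict.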

huzheyi closed this as not planned Sep 3, 2024