Help for accessing the server LAN devices

[janusn]

I have trouble configure the routes for specific users to access the LAN devices. Could a guru help me out?

My config is running inside a 3x-ui docker container. And the protocol is VLESS-TCP-XTLS-Vision-REALITY. I steal myself. Here is the cleaned up config file:

{
  "api": {
    "tag": "api",
    "services": [
      "HandlerService",
      "LoggerService",
      "StatsService"
    ]
  },
  "inbounds": [
    {
      "tag": "api",
      "listen": "127.0.0.1",
      "port": 6789,
      "protocol": "tunnel",
      "settings": {
        "address": "127.0.0.1"
      }
    },
    {
      "listen": "",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "uuid1",
            "flow": "xtls-rprx-vision",
            "email": "user1",
            "limitIp": 0,
            "totalGB": 0,
            "expiryTime": 0,
            "enable": true,
            "tgId": 0,
            "subId": "sub1",
            "comment": "",
            "reset": 0,
            "created_at": 1772739165000,
            "updated_at": 1773411910000
          },
          {
            "id": "uuid2",
            "flow": "xtls-rprx-vision",
            "email": "user2",
            "limitIp": 0,
            "totalGB": 0,
            "expiryTime": 0,
            "enable": true,
            "tgId": "",
            "subId": "sub2",
            "comment": "",
            "reset": 0,
            "created_at": 1772748654000,
            "updated_at": 1773411917000
          },
          {
            "id": "uuid3",
            "flow": "xtls-rprx-vision",
            "email": "user3",
            "limitIp": 0,
            "totalGB": 0,
            "expiryTime": 0,
            "enable": true,
            "tgId": "",
            "subId": "sub3",
            "comment": "",
            "reset": 0,
            "created_at": 1772748821000,
            "updated_at": 1773411925000
          }
        ],
        "decryption": "none",
        "encryption": "none",
        "testseed": [
          400,
          600,
          600,
          128
        ]
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic",
          "fakedns"
        ],
        "routeOnly": true
      },
      "tag": "inbound-443",
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "externalProxy": [
          {
            "forceTls": "same",
            "dest": "example.com",
            "port": 443,
            "remark": ""
          }
        ],
        "realitySettings": {
          "show": false,
          "xver": 0,
          "target": "127.0.0.1:1234",
          "serverNames": [
            "example.com"
          ],
          "privateKey": "prikey",
          "minClientVer": "",
          "maxClientVer": "",
          "maxTimediff": 0,
          "shortIds": [
            "00",
            "01",
            "02"
          ],
          "mldsa65Seed": "",
          "settings": {
            "publicKey": "pubkey",
            "fingerprint": "chrome",
            "serverName": "",
            "spiderX": "/",
            "mldsa65Verify": ""
          }
        },
        "tcpSettings": {}
      }
    },
    {
      "listen": "127.0.0.1",
      "port": 1234,
      "protocol": "tunnel",
      "settings": {
        "portMap": {},
        "allowedNetwork": "tcp,udp",
        "followRedirect": false
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic",
          "fakedns"
        ],
        "routeOnly": true
      },
      "tag": "inbound-127.0.0.1:1234"
    }
  ],
  "log": {
    "access": "none",
    "dnsLog": false,
    "error": "",
    "loglevel": "warning",
    "maskAddress": ""
  },
  "metrics": {
    "tag": "metrics_out",
    "listen": "127.0.0.1:11111"
  },
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "AsIs",
        "redirect": "",
        "noises": []
      }
    },
    {
      "tag": "blocked",
      "protocol": "blackhole",
      "settings": {}
    }
  ],
  "policy": {
    "levels": {
      "0": {
        "statsUserDownlink": true,
        "statsUserUplink": true
      }
    },
    "system": {
      "statsInboundDownlink": true,
      "statsInboundUplink": true,
      "statsOutboundDownlink": false,
      "statsOutboundUplink": false
    }
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "type": "field"
      },
      {
        "ip": [
          "geoip:cn",
          "ext:geoip_IR.dat:ir",
          "ext:geoip_RU.dat:ru"
        ],
        "outboundTag": "blocked",
        "type": "field"
      },
      {
        "outboundTag": "blocked",
        "protocol": [
          "bittorrent"
        ],
        "type": "field"
      },
      {
        "inboundTag": [
          "inbound-443"
        ],
        "outboundTag": "direct",
        "type": "field",
        "user": [
          "regexp:^user1\\..*"
        ]
      },
      {
        "domain": [
          "domain:example.com"
        ],
        "inboundTag": [
          "inbound-127.0.0.1:1234"
        ],
        "outboundTag": "direct",
        "type": "field"
      },
      {
        "inboundTag": [
          "inbound-127.0.0.1:1234"
        ],
        "outboundTag": "blocked",
        "type": "field"
      },
      {
        "inboundTag": [
          "inbound-443"
        ],
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "blocked",
        "type": "field"
      }
    ]
  },
  "stats": {}
}

[eben-vranken]

The issue is rule ordering. Your geoip:private block rule applies to inbound-443 without any user filter, so it catches LAN-bound traffic from all users including the ones you want to allow through.

Xray evaluates routing rules top to bottom and stops at the first match. You need to add a user-specific LAN allow rule before the private IP block. Add this rule to your routing.rules array, placed before the geoip:private blocked rule:

{
  "type": "field",
  "inboundTag": ["inbound-443"],
  "user": ["user1"],
  "ip": ["geoip:private"],
  "outboundTag": "direct"
}

Then your existing geoip:private → blocked rule will only fire for users who didn't match the above.

Note: since you're running inside Docker, "LAN" from Xray's perspective is the Docker host network. Make sure the container has --network host or that the target LAN IPs are actually reachable from inside the container. If not, traffic will be routed correctly but still fail to connect.

[janusn]

Thanks a ton for the help. It works brilliantly now!

[eben-vranken]

no problem have a nice one!

[janusn]

After a few more retry, it fails again.

I have removed every rule and leaving just 2 (1 added by 3x-ui which I cannot remove.) the routing node:

  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "type": "field"
      },
      {
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "direct",
        "type": "field"
      }
    ]
  },

when I try to nslookup in the client:

$ nslookup example.com
;; Got recursion not available from 10.43.0.10
;; Got recursion not available from 10.43.0.10
;; Got recursion not available from 10.43.0.10
Server:		10.43.0.10
Address:	10.43.0.10#53

** server can't find example.com: NXDOMAIN
$ nslookup google.com
;; Got recursion not available from 10.43.0.10
;; Got recursion not available from 10.43.0.10
;; Got recursion not available from 10.43.0.10
Server:		10.43.0.10
Address:	10.43.0.10#53

Non-authoritative answer:
Name:	google.com
Address: 142.251.14.100
Name:	google.com
Address: 142.251.14.113
Name:	google.com
Address: 142.251.14.101
Name:	google.com
Address: 142.251.14.138
Name:	google.com
Address: 142.251.14.102
Name:	google.com
Address: 142.251.14.139
Name:	google.com
Address: 2a00:1450:4001:c0f::64
Name:	google.com
Address: 2a00:1450:4001:c0f::8b
Name:	google.com
Address: 2a00:1450:4001:c0f::71
Name:	google.com
Address: 2a00:1450:4001:c0f::65

The same command works in the container:

$ nslookup example.com
Server:		127.0.0.11
Address:	127.0.0.11:53

Name:	example.com
Address: ::

Name:	example.com
Address: 10.27.0.202
Name:	example.com
Address: 10.27.0.194

Any pointer? Many thanks.

[eben-vranken]

nslookup doesn't test your Xray routing, it queries the client's resolver directly and never enters the tunnel. The NXDOMAIN just means your internal hostname only exists in Docker's DNS (127.0.0.11), not in the CoreDNS resolver your client uses (10.43.0.10). And since most apps resolve the name before handing off to the proxy, that NXDOMAIN kills the connection before routing ever runs.

Two things to fix:

First, the real culprit for "works then fails": your AAAA record is :: (the IPv6 "any" address). When IPv6 gets picked, it dials :: and fails instantly. Force IPv4 in the server config:

{
  "dns": {
    "servers": ["127.0.0.11"],
    "queryStrategy": "UseIPv4"
  }
}

(Use "localhost" instead of 127.0.0.11 if Xray struggles with Docker's embedded resolver.)

Second, to prove routing itself is fine, just connect by IP (10.27.0.202 / .194) DNS is irrelevant then, and your geoip:private -> direct rule dials it from inside the container. For name-based access, the client must not pre-resolve, so use fakedns/sniffing so the hostname rides the tunnel and the server resolves it.

Also worth confirming from inside the container: ping 10.27.0.202 and .194. If one's unreachable, that alone explains the intermittency.

[janusn]

Thanks for your prompt and patient reply. Unfortunately, I still cannot manage to get it working.

The following are added to the config now as your suggestion:
base

  "dns": {
    "servers": [
      "fakedns",
      "127.0.0.11"
    ],
    "queryStrategy": "UseIPv4",
    "disableCache": false,
    "disableFallback": false,
    "disableFallbackIfMatch": false,
    "enableParallelQuery": false,
    "useSystemHosts": false,
    "serveStale": false,
    "serveExpiredTTL": 0
  }

The extra settings of dns were added by 3x-ui automatically.

An extra entity is added to routing.rules

      {
        "type": "field",
        "port": 53,
        "inboundTag": [
          "xxx"
        ],
        "outboundTag": "dns-out"
      }

Another extra entity is added to outbounds:

    {
      "tag": "dns-out",
      "protocol": "dns"
    }

The inbounds were unchanged as dns sniffings have been enabled already.
Should I remove the "routeOnly" from the sniffing?

Running ping inside the container:

# ping -c 4 10.27.0.202
PING 10.27.0.202 (10.27.0.202): 56 data bytes
64 bytes from 10.27.0.202: seq=0 ttl=64 time=0.329 ms
64 bytes from 10.27.0.202: seq=1 ttl=64 time=0.369 ms
64 bytes from 10.27.0.202: seq=2 ttl=64 time=0.433 ms
64 bytes from 10.27.0.202: seq=3 ttl=64 time=0.611 ms

--- 10.27.0.202 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.329/0.435/0.611 ms

# ping -c 4 10.27.0.194
PING 10.27.0.194 (10.27.0.194): 56 data bytes
64 bytes from 10.27.0.194: seq=0 ttl=64 time=0.127 ms
64 bytes from 10.27.0.194: seq=1 ttl=64 time=0.159 ms
64 bytes from 10.27.0.194: seq=2 ttl=64 time=0.088 ms
64 bytes from 10.27.0.194: seq=3 ttl=64 time=0.161 ms

--- 10.27.0.194 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.088/0.133/0.161 ms

But running ping on client to 10.27.0.202 / .194 failed.

Visiting the rest of the world has no problem at all.