Why Firefox disagrees with “whatever Chrome does”

Most Clash graphical clients expose two friendly ideas: turn on system proxy, or turn on TUN mode. Chromium browsers on Windows and macOS generally inherit the operating system’s proxy dictionary once Clash writes loopback HTTP and SOCKS endpoints there. Firefox is not a thin wrapper around the OS network stack in the same way: it ships its own networking layer, its own certificate store, and—critically—its own browser proxy UI under Settings → General → Network Settings.

That independence is a feature until it collides with muscle memory. A user who never opened Firefox’s network dialog may still carry an old manual proxy row from a previous semester, a SOCKS experiment, or an enterprise bundle. Meanwhile Clash happily reports “system proxy on,” Chrome loads YouTube, and Firefox continues to use DIRECT because its effective preference chain never consulted the OS table during that session.

The second common split is port semantics. Many Meta-based profiles expose a mixed port that speaks both HTTP proxy and SOCKS on the same TCP listener. Some workflows advertise SOCKS5 only on the mixed listener and omit HTTP entirely. Chromium might still feel fine if another path (QUIC, extension, or cached proxy data) masks the gap, whereas Firefox’s manual HTTP fields left blank produce confusing “half proxied” symptoms on sites that bounce between HTTP and TLS origins.

Finally, remember DNS. Firefox’s DNS-over-HTTPS (DoH) controls can change which resolver answers names first, which in turn changes how Clash rules match when you rely on domain rules with fake-ip or split DNS profiles. Our fake-ip versus redir-host primer pairs well with the later steps here when hostnames stop lining up with expectations.

Map the symptom before touching TUN

Grab a notepad and classify what you see. “Broken” is not one failure mode.

  • Direct exit, no error: pages load, yet your Clash log shows no corresponding flows when you expect them. That pattern screams “Firefox bypassed the proxy layer entirely.”
  • Timeouts on first paint only: often DNS or TRR disagreement, not the upstream node.
  • TLS errors everywhere: clock skew, MITM tooling, or an exit that cannot complete modern handshakes—compare against the same site in a Chromium tab on the same machine.
  • Everything dies the moment TUN toggles on: stop blaming Firefox first; walk the TUN troubleshooting guide for adapter, route, and DNS hijack issues before returning to per-browser prefs.

One variable at a time: When testing, disable VPN overlays, ad-block DNS apps, and secondary “accelerator” NIC helpers. Each of those can steal routes from Clash TUN or rewrite DNS in ways that look like a Firefox bug.

Step 1 — Write down Clash’s real ports and modes

Open your client’s home screen and record four numbers: HTTP proxy port (if any), SOCKS port, mixed port, and the controller or log port if you use it. Note whether Allow LAN is enabled—loopback-only setups still work for Firefox on the same machine, but LAN sharing changes how you reason about remote devices later.

Confirm that your subscription URL actually resolves to nodes you trust. A stale subscription can leave Clash “on” while every outbound rejects handshakes; Chromium might still show a cached PWA shell while Firefox cold-starts into failure. If you have not refreshed in a while, re-import from the provider dashboard, then hit our download page to ensure the GUI build matches the Meta (mihomo) core you expect.

If you intentionally run SOCKS5 only without HTTP listeners, say so in your notes. Step 3 depends on that fact.
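
To confirm what Step 1 asks you to write down, the added example below (not part of the original article or of any Clash tooling) probes a loopback listener with a SOCKS5 greeting and an HTTP CONNECT and reports which one it answers. It assumes a listener without authentication; the port is whichever one you recorded.

```python
import socket

SOCKS5_HELLO = b"\x05\x01\x00"  # VER=5, one method offered, 0x00 = no auth
# CONNECT to a reserved .invalid name, so no real destination is involved.
HTTP_CONNECT = (b"CONNECT localhost.invalid:443 HTTP/1.1\r\n"
                b"Host: localhost.invalid:443\r\n\r\n")

def is_socks5_reply(reply):
    """SOCKS5 method selection: version byte 5, chosen method 0 (no auth)."""
    return reply[:2] == b"\x05\x00"

def is_http_reply(reply):
    """Any HTTP status line counts: 200, 407 and 502 all prove an HTTP listener."""
    return reply.startswith(b"HTTP/1.")

def exchange(host, port, payload, timeout):
    """Send one probe on a fresh connection; b'' on refusal, reset or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            return s.recv(64)
    except OSError:
        return b""

def probe_listener(port, host="127.0.0.1", timeout=2.0):
    """Report which proxy protocols the listener at host:port answers."""
    return {
        "socks5": is_socks5_reply(exchange(host, port, SOCKS5_HELLO, timeout)),
        "http": is_http_reply(exchange(host, port, HTTP_CONNECT, timeout)),
    }

def firefox_fields(result):
    """Which manual-proxy rows in Firefox this listener can back (Step 3, Path B)."""
    rows = []
    if result["socks5"]:
        rows.append("SOCKS Host (SOCKS v5)")
    if result["http"]:
        rows.append("HTTP Proxy")
    return rows or ["none: listener is down or speaks neither protocol"]

if __name__ == "__main__":
    import sys
    res = probe_listener(int(sys.argv[1]))  # port recorded in Step 1
    print(res, firefox_fields(res))
```

A listener that answers only the SOCKS5 probe is the "SOCKS5 only" case that Step 3 depends on.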

Step 2 — Normalize Firefox’s Network Settings UI

In Firefox, open Settings → General, scroll to Network Settings, click Settings…, and read the radio buttons literally.

  • No proxy: Firefox will ignore both OS and manual tables. Choose this only as a temporary clean room.
  • Auto-detect proxy settings for this network: rarely what you want with Clash; WPAD surprises belong in corporate LAN articles, not home labs.
  • Use system proxy settings: the usual companion to Clash’s system-proxy toggle on personal machines.
  • Manual proxy configuration: fine when you want Firefox on a dedicated path, but it overrides the OS story unless you carefully align values.
  • Automatic proxy configuration URL: only when you maintain a PAC file; Clash users seldom need this unless they orchestrate multiple profiles.

For the canonical “match Chrome” experience, pick Use system proxy settings, press OK, fully quit Firefox (not only closing the last window on macOS), and relaunch. If the problem survives a cold start, continue—because either about:config or an extension still overrides the UI.

Extensions can replace your proxy: Some privacy extensions inject their own proxy or VPN shim. Test in about:profiles with a fresh profile if the UI looks correct but traffic refuses to flow through Clash.

Step 3 — Pick one capture story: system, manual SOCKS, or TUN prep

This is the discipline step. Mixing metaphors is how people end up with triple NAT levels of confusion.

Path A — System proxy only. Clash enables OS proxy; Firefox uses system settings; no manual host rows should remain filled. If you still need a SOCKS helper for one site, use Clash rules instead of teaching Firefox a second parallel exit.

Path B — Manual SOCKS5 to the mixed port. Select manual configuration, leave HTTP empty if your mixed port is SOCKS-first, set SOCKS Host to 127.0.0.1 (or your LAN gateway IP when sharing), set the port to the mixed listener, choose SOCKS v5, and decide whether DNS should flow through the proxy using Firefox’s “Proxy DNS when using SOCKS v5” checkbox. This path is ideal when the OS proxy table is locked by policy but Firefox may still be configured by the user.

Path C — Preparing for TUN. Temporarily return Firefox to Use system proxy settings or No proxy while you validate TUN globally. Once TUN routes the machine correctly, Firefox generally “just works” for TCP web traffic because it is no longer responsible for choosing a loopback proxy at all—yet DNS settings in Firefox can still change resolution order, so do not skip Step 6.

Document which path you chose on paper. Future you will not remember why SOCKS was 7891 on Tuesday.

Step 4 — Audit about:config proxy keys

Type about:config in the address bar, accept the risk warning, and search for network.proxy. The goal is to confirm the preference tree matches the UI you set in Step 2.

network.proxy.type encodes the radio selection: 0 none, 1 manual, 2 PAC URL, 4 system proxy settings, 5 autodetect. If the UI says system but this key still reads 1, an extension or enterprise policy is fighting you.

For manual paths, verify host and port rows pair correctly:

  • network.proxy.http / network.proxy.http_port
  • network.proxy.ssl / network.proxy.ssl_port (often mirrored to HTTP for web)
  • network.proxy.socks / network.proxy.socks_port / network.proxy.socks_version

If you recently migrated from another tool, reset odd experiments: remove stale PAC URLs, clear manual hosts you no longer use, and restart Firefox. Keep in mind that enterprise deployments can lock these keys via policies—if everything is grayed out in the UI, talk to IT instead of force-resetting.

Screenshot your baseline: Before editing dozens of prefs, capture a screenshot of the network.proxy.* filter view. Rolling back by eye is faster than guessing which boolean flipped during a late-night session.
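
The Step 4 audit can also be run offline against the profile's prefs.js, which stores only prefs changed from their defaults. This is an added example, not code from the original article or from Mozilla or Clash. The sample file and port 7890 are constructed, and values locked by enterprise policy do not appear in prefs.js.

```python
import re

PREF_RE = re.compile(r'^user_pref\("(network\.[^"]+)",\s*(.+?)\);\s*$', re.M)

def parse_prefs(text):
    """Return {name: value} for the network.* prefs in prefs.js text."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
    return prefs

def audit(prefs, clash_ports):
    """clash_ports: the loopback listener ports written down in Step 1."""
    ptype = prefs.get("network.proxy.type")  # None: not overridden in prefs.js
    findings = []
    for row in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{row}", "")
        port = prefs.get(f"network.proxy.{row}_port", 0)
        if not host:
            continue
        if ptype != 1:
            findings.append(f"leftover {row} row {host}:{port} while type={ptype}")
        elif port == 0:
            findings.append(f"{row} host {host} has no port")
        elif port not in clash_ports:
            findings.append(f"{row} row {host}:{port} is not a Clash listener")
    if ptype == 1 and prefs.get("network.proxy.socks_version", 5) != 5:
        findings.append("socks_version is not 5")
    if prefs.get("network.proxy.autoconfig_url") and ptype != 2:
        findings.append("leftover PAC URL while type is not 2")
    if "network.trr.mode" in prefs:
        findings.append(f"network.trr.mode set to {prefs['network.trr.mode']}: see Step 6")
    return findings

# Constructed sample, not taken from a real profile.
SAMPLE = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 4);
user_pref("network.trr.mode", 3);
"""
if __name__ == "__main__":
    print("\n".join(audit(parse_prefs(SAMPLE), {7890})))  # 7890: assumed mixed port
```

Read prefs.js with Firefox closed, since the browser rewrites the file on exit; the profile directory is listed in about:profiles.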

Step 5 — Enable Clash TUN after Firefox is honest

Once Firefox’s proxy mode matches your intent, enable Clash TUN mode in the client. TUN creates a tunnel interface and steers eligible traffic into Meta before it leaves the machine, which is the usual cure when stubborn apps ignore the OS proxy table. The sequencing matters: if Firefox still forces manual SOCKS to an offline port, TUN cannot magically heal that mispointed loopback address.

Watch for these interactions:

  • Another VPN: two tunnel drivers often fight over routes. Pause the commercial VPN, apply TUN, confirm Firefox, then decide whether you truly need both layers.
  • Strict DNS modes in Clash: when hijack is on, Firefox’s traditional resolver path may differ from Chromium’s. Align Clash DNS mode with your subscription’s expectations using the TUN setup article as the authoritative desktop baseline.
  • Local development hosts: if localhost must bypass the tunnel for work, add explicit DIRECT rules rather than toggling TUN off and on all day.

Verify with a simple HTTPS site first, then a DNS-heavy portal (news homepages are convenient canaries). If only Firefox fails while Edge works, continue to Step 6 instead of reinstalling Clash.

Step 6 — Align DNS-over-HTTPS and resolver order

Open about:preferences#privacy and inspect DNS over HTTPS. When TRR is enabled, Firefox may resolve certain names outside the resolver path your Clash profile assumed, which looks like “rules do nothing” even though TUN is on.

For controlled experiments, you can mirror the DNS-over-HTTPS dropdown with network.trr.mode in about:config, but only while checking Mozilla’s documentation for your exact Firefox channel, because numeric defaults shifted across Rapid and ESR releases. Broadly, “TRR first” races encrypted resolution ahead of the OS resolver, while “TRR only” removes that fallback and can expose split-DNS assumptions your Clash profile never claimed to support. The important part is consistency: pick a mode, reload, retest, and correlate with Clash’s connection log timestamps.

If you rely on split intranet hostnames, aggressive TRR-only modes can strand corporate wikis. That is not a Clash defect; it is resolver policy. Document the mode that keeps both public and internal names stable, then leave it alone across Firefox upgrades.

Quick verification matrix

Use the table as a compass when two symptoms look alike in prose but behave differently on the wire.

| Observation | Likely layer | First move |
|---|---|---|
| Clash log empty for Firefox only | Browser proxy prefs | Steps 2–4, then new profile test |
| Firefox works on manual SOCKS, not on system | OS proxy mismatch or policy | Compare OS proxy pane with Clash port numbers |
| All apps break when TUN enables | Routes / adapter / DNS hijack | TUN guide, then driver update |
| Intermittent name failures | TRR vs Clash DNS | Step 6, then fake-ip review |

Numbers beat vibes: keep Clash’s log panel open while you click once in Firefox. A single ignored connection tells you which section to reread.

Open source, upgrades, and where to file bugs

Behavioral fixes in the Meta core land in the mihomo repository first. Use GitHub for parser regressions and transparency. For installer hygiene—matching drivers, helper services, and signed builds—prefer refreshing from our download center rather than random mirrors.

When Firefox itself misbehaves after an ESR jump, Mozilla’s release notes may document networking changes. Clash cannot patch those; you adapt prefs or policy. Keeping the Meta upgrade guide in your rotation prevents chasing browser ghosts that were actually outdated TLS stacks on the exit side.

Frequently asked questions

Should I use Firefox manual proxy or “Use system proxy settings” with Clash? Default to system settings for parity with Chromium. Move to manual SOCKS when policy or experimentation requires isolation, and keep only one active story per debugging session.

Why does Chrome work but Firefox still connects direct? Firefox stores independent proxy selections; Chromium leans on the OS dictionary Clash populates. Clear manual rows, verify network.proxy.type, and retest.

Does Clash TUN fix Firefox if system proxy fails? Often, because TUN captures traffic earlier. Fix obvious Firefox overrides first so you are not debugging two contradictions.

Which about:config keys matter most? Start with network.proxy.type and the network.proxy.* host/port rows, then inspect network.trr.mode when DNS-sensitive sites disagree with Clash logs.

Closing thoughts

Firefox rewards explicit configuration. Treat system proxy, manual SOCKS5, and Clash TUN as three cooperating dials—not one mystery knob labeled “make it work.” When you sequence the six steps calmly—ports, UI, capture path, about:config, TUN, DNS—the classic “Chrome yes, Firefox no” story collapses into a short list of prefs you can screenshot and share.

Compared with bouncing between random forum snippets, a repeatable checklist ages well across Meta releases: your subscription URL may rotate, but the decision tree stays stable. Pair this discipline with current builds and honest logging, and most “browser does not respect Clash” threads become afternoon fixes instead of weekend rabbit holes.

Download Clash for free and experience the difference — refresh your subscription URL, align Firefox’s browser proxy mode with either system settings or SOCKS5, then layer Clash TUN when you need IP-level capture beyond what the OS table alone can promise.

For desktop-wide context, continue with the TUN versus system proxy guide; for policy-heavy rule stacks, read the YAML policy group tutorial; browse the full tech column for adjacent DNS and developer-proxy articles.