Why “router Clash plus desktop Clash” confuses people
On a single PC, you have one routing table, one set of DNS resolvers, and one obvious place to look when something stalls. On a LAN, those responsibilities split across the OpenWrt box, Wi‑Fi access points, phones, printers, and the occasional laptop that still launches a local Clash GUI out of habit. The failure modes multiply: a machine can have the correct IP yet point its default gateway at the wrong hop, resolve names through a resolver that never sees your policy table, or run two different policy engines in series without realizing it.
The goal of this article is not to endorse one commercial firmware theme or fork. Whether you use OpenClash, a manual mihomo install, or another wrapper, the underlying questions stay the same. Does every device send off-subnet traffic to the router that actually performs redirection? Does every device query DNS in a way that lines up with your chosen mode—especially when Fake-IP is involved? If you can answer those two questions confidently, most “random device offline” stories collapse into a short checklist.
Mental model: gateway first, DNS second, rules third
Think of connectivity as three stacked layers. At the bottom, Ethernet or Wi‑Fi must deliver an address and a gateway via DHCP (or static planning). The gateway is simply “where non-local packets go first.” In a typical home, that should be your OpenWrt LAN address—often something like 192.168.1.1—not an upstream modem interface you cannot reach from Wi‑Fi, and not a stray value left over from an old subnet migration.
The middle layer is DNS. Even when TCP flows are redirected correctly, a resolver that bypasses Clash’s DNS pipeline can make it look like “the proxy works for IP addresses but names are chaos.” Router distributions usually chain dnsmasq with Clash’s listener; the exact hand-off differs by package, but the invariant remains: clients should query a resolver that ultimately cooperates with your chosen DNS mode. Our dedicated walkthrough on Fake-IP versus redir-host explains why that cooperation matters for intranet hostnames and captive portals.
The top layer is your YAML policy: MATCH fallbacks, policy groups, and Rule Providers. If the first two layers are wrong, no amount of clever rules will feel stable. Conversely, once gateway and DNS are coherent, desktop clients and router Clash can coexist because they are no longer fighting over contradictory assumptions about where traffic enters the policy engine.
DHCP on OpenWrt: default gateway and option consistency
OpenWrt’s DHCP server (often dnsmasq) advertises a router address and sometimes extra options such as captive-portal DNS or IPv6 RDNSS. After you enable transparent proxying, verify what clients actually learned. On Windows, ipconfig /all lists the default gateway and DNS servers per adapter. On macOS, hold Option while clicking the Wi‑Fi menu for a quick summary, or use scutil --dns for resolver order.
Common mistakes include pointing DHCP DNS at a public resolver while Clash still expects to synthesize answers locally, or duplicating gateway fields across VLANs so guest Wi‑Fi bypasses the instance you tuned. If you intentionally run multiple LAN segments, document which bridge runs Clash redirection and which does not; mixing them without labels is how “my phone works, my PC does not” tickets appear.
Static clients and mixed environments
Printers, NAS units, and lab machines with static IPv4 settings are notorious for retaining an old gateway after you replace the router image. When only static devices fail, skip Clash logs for a moment and ping the LAN router address from the device. If that fails, you are still in layer-one territory.
DNS hijack, dnsmasq forwarding, and router-level transparency
Many OpenWrt Clash setups redirect outbound UDP/TCP 53 so queries cannot silently bypass the core. That is useful when you need deterministic behavior, but it also means any local name you relied on—router.lan, printer.local, internal AD zones—must be accounted for in Clash’s dns stanza or in split forwarding rules. If you operate a small office with an internal DNS server, consider forwarding specific domains upstream while keeping the default path on the router.
When a Windows or macOS machine runs its own Clash with encrypted DNS in the browser, you temporarily have two DNS worlds. The browser may use DoH directly while the rest of the OS still follows DHCP. For debugging, align everything: disable experimental secure DNS in the browser for one session, set the OS resolver to the router, and retest. Once stable, you can reintroduce stricter client-side DNS knowing which layer caused the regression.
If you need desktop-level TUN for apps that ignore system proxy, our TUN guide for Windows 11 and macOS covers adapter behavior and DNS hijack at the workstation—useful when you deliberately keep router Clash off for that subnet.
Fake-IP on the router: who must participate
Fake-IP is powerful for rule matching because names resolve to synthetic addresses that Clash can map back to destinations. It is also the fastest way to break devices that expect real answers for local or split-horizon names. At router scale, the blast radius is wider than on one laptop: every phone, TV, and guest handset inherits the behavior.
Practical guidance for homes and small offices: start with a conservative DNS mode on the router, prove that DHCP clients can reach internal services and the ISP captive page if applicable, then enable Fake-IP with narrow exceptions (nameserver-policy / domain overrides) for the zones that need real records. If you already run Fake-IP on a desktop client, avoid mirroring the same aggressive mode on the router until you understand overlap; two independent mapping tables are difficult to reason about when troubleshooting.
| Symptom | Often means | First move |
|---|---|---|
| Router admin UI unreachable by hostname | Local A/AAAA records swallowed by synthetic DNS | Add explicit LAN domain forwarding or switch DNS mode for that domain |
| Streaming devices stall at startup | Hard-coded DNS or DoT bypass partially blocked | Confirm hijack rules and allow-list vendor domains if policy permits |
| Only Clash clients work, plain devices do not | Redirection not applied to that bridge or SSID | Map firewall zones to the correct forwarding path |
| Everything works until a laptop enables TUN | Two tunnels competing for default route | Disable one tunnel; verify route metrics and DNS order |
Coexisting with Windows and macOS Clash clients
You are not forced to choose a single global architecture. Many households keep router proxy for phones and TVs while power users run a local GUI for work profiles. The safe pattern is to make overlap explicit. If the desktop uses TUN, either pause router-level redirection for that MAC address (policy routing on OpenWrt) or turn off the local tunnel and trust the router. Half-measures—router redirect plus desktop TUN without split subnets—create the classic “it worked yesterday” bug class.
Another workable pattern is VLAN or SSID separation: HOME-TRUST exits through OpenWrt Clash, HOME-DIRECT bypasses it for lab hardware. You still need sane DHCP on each segment, but the human story becomes simpler: “this SSID is proxied, that one is not.” Document the choice on a sticky note near the rack; future you will appreciate it.
For machines that only need browsers and IDEs on proxy, local system proxy mode without TUN is often enough and interferes less with router-level DNS. When you later upgrade the Meta core on either side, keep versions loosely aligned so feature flags in YAML do not reference capabilities only half of your stack understands—see the Meta upgrade guide before you chase esoteric protocol errors.
Double NAT worries: what is real versus imaginary
People say “double NAT” when they see two private hops in traceroute or when game consoles complain about moderate NAT. Adding Clash on OpenWrt does not automatically introduce a second layer of IPv4 NAT beyond what your ISP modem already performs; the proxy is usually outbound at the transport layer inside the router’s existing masquerade rule. What does feel like double NAT is chaining two policy engines that both try to own session state, or placing another home router behind OpenWrt with conflicting DHCP.
If you must nest routers—for example, ISP equipment you cannot bridge—give the inner router a WAN on a DMZ segment and avoid overlapping DHCP pools. Then run Clash only on the outer OpenWrt instance unless you have a specific reason to tunnel twice. Measuring with traceroute from a desktop before and after enabling Clash shows whether you added a surprising private hop or simply changed the exit path.
OpenClash-style workflows: a practical enablement order
Exact menus change between releases, but a stable enablement order works across forks. First, confirm WAN connectivity without Clash—plug a laptop straight into the modem if you need isolation. Second, restore LAN DHCP defaults and verify every SSID receives the router as gateway. Third, import a known-good profile with conservative rules; avoid aggressive ad-block lists until baseline browsing works. Fourth, enable DNS components that match your chosen mode; validate local names. Fifth, turn on transparent proxy or TUN-like redirection for the interfaces you intend to cover. Sixth, add Fake-IP or advanced hijacks only after the prior steps pass.
Keep a rollback path: export the working UCI backup and store the last good YAML on disk. When a single checkbox causes mass outage, restore networking by disabling the service from serial or fail-safe rather than guessing which iptables rule stuck. The emotional cost of a five-minute rollback is lower than an overnight packet capture exercise.
Structured troubleshooting when “some devices” fail
Use the same ordering every time; it prevents circular debugging across household members’ laptops. Start with physical link and IP address acquisition. Then compare default gateway against the known-good router LAN address. Next, query a simple name (example.com) with the OS resolver and note whether answers come from the router. After DNS, test a plain HTTPS site with a browser that disables extensions. Only then open Clash logs to inspect rule hits and upstream latency.
If a single application fails while others work, examine split tunneling, browser DoH, or corporate VPNs that reinstall routes. If every application fails on one VLAN, inspect bridge membership and firewall forwarding. If every device fails simultaneously right after a Clash upgrade, suspect iptables or nftables rule generation first, then DNS listeners on port 53 colliding with dnsmasq.
Advanced readers maintaining large rule sets should keep the YAML routing tutorial handy; router deployments magnify any mistake in MATCH ordering because more devices inherit it instantly.
Closing thoughts
OpenWrt plus Clash or OpenClash can be the most maintainable router proxy story for a busy LAN—if you treat gateway and DNS as first-class citizens before you chase exotic protocols. DHCP should tell the truth about where packets leave the subnet; resolvers should cooperate with your DNS mode, especially around Fake-IP; and each workstation should run at most one tunnel you truly intend. With that frame, desktop clients become allies instead of foot-guns, and the dreaded “only one device is haunted” incidents shrink to a short, repeatable checklist.
Compared with juggling per-app SOCKS settings on every machine, a well-documented router path plus optional local GUIs for power users tends to feel calmer: guests inherit sensible defaults, consoles stay on a predictable SSID, and you still have room to experiment on your own laptop using the same Meta ecosystem you trust on the router.
For deeper DNS mode comparisons, continue with the Fake-IP versus redir-host guide and other articles in our tech column.