2026-05-08

This note was generated by CatDesk.

Problem

After enabling Clash system proxy, Meituan intranet sites (*.sankuai.com, *.meituan.com) and internal IPs (33.x.x.x, 11.x.x.x) become inaccessible.

Root Cause Analysis

  1. Fake-IP mode interference — Clash’s fake-ip mode assigns fake IPs (198.18.x.x) to all domains, which means intranet traffic that should match IP-CIDR,10.0.0.0/8,DIRECT rules can never match because the domain was mapped to a fake IP instead of the real internal IP.
  2. Missing domain DIRECT rules — DIRECT rules for intranet domains are positioned too far down in the rule list, so higher-priority rules match first and route traffic through the proxy.
  3. Incomplete system proxy bypass list — macOS’s default proxy bypass list only includes 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, but not 33.0.0.0/8 or other Meituan internal IP ranges.

Solution (Clash Verge Rev)

Config directory: ~/Library/Application Support/io.github.clash-verge-rev.clash-verge-rev/

1. Merge Profile — DNS Configuration

File: profiles/mABDKTQm1PKP.yaml

dns:
  enable: true
  ipv6: false
  default-nameserver: [223.5.5.5, 119.29.29.29]
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:
    - '*.sankuai.com'
    - '*.meituan.com'
    - '*.meituan.net'
    - '*.dianping.com'
    - '*.dpfile.com'
    - '*.lan'
    - '*.local'
    - '*.arpa'
    - 'dns.msftnsci.com'
    - 'www.msftnsci.com'
    - 'www.msftconnecttest.com'
  use-hosts: true
  nameserver:
    - '11.11.11.11'
    - '11.11.11.12'
    - '114.114.114.114'
    - '223.5.5.5'
    - 'https://dns.alidns.com/dns-query'

Key points:

  • enable: true — The DNS module must be enabled.
  • The first two entries in nameserver are Meituan’s internal DNS servers, ensuring intranet domains can be resolved.
  • fake-ip-filter excludes intranet domains so they receive real IPs instead of fake ones.

2. Rules Profile — DIRECT Rules

File: profiles/rT6dGpzIwfqb.yaml

prepend:
  - DOMAIN-SUFFIX,sankuai.com,DIRECT
  - DOMAIN-SUFFIX,meituan.com,DIRECT
  - DOMAIN-SUFFIX,meituan.net,DIRECT
  - DOMAIN-SUFFIX,dianping.com,DIRECT
  - DOMAIN-SUFFIX,dpfile.com,DIRECT
  - IP-CIDR,33.0.0.0/8,DIRECT
  - IP-CIDR,11.0.0.0/8,DIRECT

prepend means these rules are inserted at the very top of the rule list, giving them highest priority.

3. System Proxy Bypass — verge.yaml

use_default_bypass: false
system_proxy_bypass: 127.0.0.1;192.168.0.0/16;10.0.0.0/8;172.16.0.0/12;33.0.0.0/8;11.0.0.0/8;localhost;*.local;*.crashlytics.com;<local>

This is the most critical step — for intranet services accessed directly via IP (e.g., http://33.32.16.31:8420/), the corresponding IP ranges must be in the system proxy bypass list. Otherwise the browser sends the request to Clash, and even if Clash has a DIRECT rule, it may still fail for various reasons.

Summary

| Layer | Purpose | What it solves |
|---|---|---|
| fake-ip-filter | Intranet domains get real IPs | Correct domain → IP mapping |
| DIRECT rules | Intranet traffic goes direct | Traffic routed to the right exit |
| System bypass list | Intranet IPs skip the proxy entirely | Raw IP access works |
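
The following added example (not part of the original note and not Clash Verge code) reports which of the three layers covers a given hostname or IP literal, using the values from the snippets above. The function names are hypothetical, bypass entries are matched as CIDR ranges or shell-style globs as an approximation of the OS behaviour, and `*` in fake-ip-filter is assumed to match exactly one label.

```python
import ipaddress
from fnmatch import fnmatch

# Values copied from the three config snippets on this page.
FAKE_IP_FILTER = ['*.sankuai.com', '*.meituan.com', '*.meituan.net', '*.dianping.com',
                  '*.dpfile.com', '*.lan', '*.local', '*.arpa', 'dns.msftnsci.com',
                  'www.msftnsci.com', 'www.msftconnecttest.com']
PREPEND = ['DOMAIN-SUFFIX,sankuai.com,DIRECT', 'DOMAIN-SUFFIX,meituan.com,DIRECT',
           'DOMAIN-SUFFIX,meituan.net,DIRECT', 'DOMAIN-SUFFIX,dianping.com,DIRECT',
           'DOMAIN-SUFFIX,dpfile.com,DIRECT', 'IP-CIDR,33.0.0.0/8,DIRECT',
           'IP-CIDR,11.0.0.0/8,DIRECT']
BYPASS = ('127.0.0.1;192.168.0.0/16;10.0.0.0/8;172.16.0.0/12;33.0.0.0/8;11.0.0.0/8;'
          'localhost;*.local;*.crashlytics.com;<local>')

def as_ip(target):
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None  # a hostname, not an IP literal

def in_bypass(target):
    """System layer: would the OS skip the proxy for this host or IP?"""
    ip, entries = as_ip(target), BYPASS.split(';')
    nets = [ipaddress.ip_network(e) for e in entries if '/' in e]
    return (ip is not None and any(ip in n for n in nets)) or any(
        fnmatch(target, e) for e in entries if '/' not in e)

def direct_rule(target):
    """Rules layer: first prepended rule that matches, or None."""
    ip = as_ip(target)
    for rule in PREPEND:
        kind, value, _policy = rule.split(',')
        if kind == 'IP-CIDR' and ip is not None and ip in ipaddress.ip_network(value):
            return rule
        if kind == 'DOMAIN-SUFFIX' and ip is None and ('.' + target.lower()).endswith('.' + value):
            return rule
    return None

def fake_ip_filtered(host):
    """DNS layer: assumed semantics, '*' stands for exactly one label."""
    labels = host.lower().split('.')
    pats = (p.split('.') for p in FAKE_IP_FILTER)
    return any(len(p) == len(labels) and all(a in ('*', b) for a, b in zip(p, labels)) for p in pats)

def audit(target):
    """Which layers cover a hostname or IP literal (real_dns is None for IPs)."""
    return {'bypass': in_bypass(target), 'direct': direct_rule(target),
            'real_dns': None if as_ip(target) is not None else fake_ip_filtered(target)}
```

Calling `audit('33.32.16.31')` (the IP from the example URL on this page) shows the bypass and IP-CIDR layers both covering it. A constructed multi-level name such as `host1.team.sankuai.com` comes back with `real_dns` False under the one-label assumption, which is worth checking against the Clash core in use.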

Meituan Intranet Key Information

  • Internal DNS: 11.11.11.11, 11.11.11.12
  • Internal IP ranges: 10.0.0.0/8, 33.0.0.0/8, 11.0.0.0/8
  • Intranet domains: *.sankuai.com, *.meituan.com, *.meituan.net, *.dianping.com

Notes

  • Clash Verge overwrites macOS’s proxy bypass list every time the system proxy toggle is flipped, so you must configure it in verge.yaml’s system_proxy_bypass rather than using the networksetup command directly.
  • Remote subscription updates do not overwrite Merge and Rules profile content, so your customizations are safe.
  • If using FlClash instead, you need to modify the actual profile files under the profiles/ directory, not config.yaml (FlClash’s config.yaml is auto-generated).