Why Split Routing Beats Full-Tunnel for Daily Use

If you live in or frequently access the Chinese mainland network ecosystem, sending every packet through an overseas relay is rarely optimal. Domestic CDNs, banking portals, university VPNs, and video apps expect low round-trip time on local paths. A blunt full-tunnel profile may still work, but you pay in latency, unnecessary hop count, and occasional breakage when a foreign IP triggers geo-fencing the wrong way.

Split routing (often called smart routing in community configs) means: classify each flow, send obvious mainland destinations to DIRECT, send everything else to a proxy policy group that picks a healthy node. Clash expresses that with ordered rules, optional rule providers (remote lists you refresh on a schedule), and GEOIP matches backed by a local MMDB database. The art is not memorizing keywords; it is building a chain that is both correct and cheap to evaluate on every new connection.

This article assumes a Meta-class core (Mihomo) behind a modern GUI such as Clash Verge Rev on Windows or ClashX Pro on macOS. If you are still migrating from legacy clients, skim our Clash Meta upgrade guide first so your feature flags and YAML layout match what follows.

Design goal: treat DIRECT as the default for traffic you trust on the local ISP, and treat the proxy group as the default for everything ambiguous until finer rules prove otherwise.

Rule Order: The First Match Wins

Clash evaluates rules top to bottom. The moment a rule matches, routing stops for that flow. That single fact explains half of the misroutes people blame on “bad nodes.” If your catch-all proxy line sits above GEOIP, you will never see DIRECT for domestic IPs. If your LAN bypass is missing, multicast discovery may wander into a tunnel you never intended.

A pragmatic skeleton for China-oriented split configs usually looks like this at a conceptual level:

1. Reject or short-circuit truly unwanted destinations, if you maintain such a list.
2. Force DIRECT for private IPv4/IPv6 ranges and loopback.
3. Match explicit domains or suffixes you always want local: payment APIs on the mainland, campus portals, or government sites.
4. Match curated foreign domain lists via rule providers when you subscribe to them.
5. Apply GEOIP,CN (or equivalent) for addresses registered inside China.
6. Fall back to your main proxy selector or automatic group.
7. End with a conservative MATCH rule that mirrors the same fallback.

Notice what is not here: dumping ten thousand single-line DOMAIN rules inline. Large lists belong in rule providers so the core can load them incrementally, update them on an interval, and keep your hand-edited YAML readable. Inline rules are best reserved for personal exceptions you tweak weekly.

GEOIP CN and Its Limits

GEOIP,CN is the blunt instrument that saves you from enumerating every Chinese IP block. When the destination resolves to an address tagged as China in the MaxMind-style database bundled with your client, the rule fires. It is fast and easy to reason about, which is why baseline profiles rely on it.

However, GEOIP is only as good as the database revision and the registration semantics of the address. Some global CDNs announce Anycast prefixes that may not look “Chinese” to a naive lookup even when the user-facing service behaves domestically. Conversely, a SaaS API might resolve to an overseas POP while still being part of a Chinese product workflow. That is why experienced users pair GEOIP with a thin layer of explicit DOMAIN-SUFFIX overrides both above and below the GEOIP line depending on observed behavior.

When debugging, read the live log: Clash prints which rule name matched. If a domestic banking site accidentally rides the proxy, add a surgical domain rule above GEOIP. If a foreign developer site incorrectly goes DIRECT, add a suffix rule or refresh your provider list rather than flipping GEOIP blindly.
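To make the two points above concrete (first match wins, and a thin DOMAIN-SUFFIX layer above GEOIP), here is an added evaluator that walks a rule list the way the core does. It is example code written for this article, not Clash or Mihomo code; the GeoIP table is a constructed stand-in for the MMDB lookup, and the domains and addresses are constructed. It also reports rules that sit below a MATCH line, which is the "catch-all above GEOIP" misroute described earlier.

```python
"""First-match-wins evaluator for Clash-style rule lines.

Added example; it is not Clash/Mihomo code. Rule lines use the common
TYPE,PAYLOAD,OUTBOUND[,no-resolve] form. The GeoIP table is a constructed
stand-in for the MMDB lookup, and the rule set below mirrors the skeleton
described in the text with constructed domains.
"""
import ipaddress

# Constructed stand-in for the GEOIP database (documentation ranges, not real geodata).
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
]


def geoip_lookup(ip):
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE:
        if addr in net:
            return country
    return None


def parse_rules(text):
    """Parse rule lines into (type, payload, outbound); MATCH has no payload."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "MATCH":
            rules.append(("MATCH", None, parts[1]))
        else:
            rules.append((parts[0], parts[1], parts[2]))  # a trailing no-resolve flag is ignored here
    return rules


def matches(rule, host, ip):
    rtype, payload, _ = rule
    if rtype == "MATCH":
        return True
    if rtype == "DOMAIN":
        return host is not None and host.lower() == payload.lower()
    if rtype == "DOMAIN-SUFFIX":
        if host is None:
            return False
        h, p = host.lower(), payload.lower()
        return h == p or h.endswith("." + p)
    if rtype == "DOMAIN-KEYWORD":
        return host is not None and payload.lower() in host.lower()
    if rtype in ("IP-CIDR", "IP-CIDR6"):
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(payload, strict=False)
    if rtype == "GEOIP":
        return ip is not None and geoip_lookup(ip) == payload.upper()
    raise ValueError(f"unsupported rule type: {rtype}")


def route(rules, host=None, ip=None):
    """Return (outbound, matched rule); evaluation stops at the first match.

    `ip` is the destination address as the core sees it after resolution;
    pass None for a flow whose address is not known.
    """
    for rule in rules:
        if matches(rule, host, ip):
            rtype, payload, outbound = rule
            return outbound, rtype if payload is None else f"{rtype}({payload})"
    return None, "no rule matched"  # a real profile should always end in MATCH


def dead_rules(rules):
    """Rules placed after a MATCH line can never fire; report them."""
    for i, (rtype, _, _) in enumerate(rules):
        if rtype == "MATCH":
            return list(rules[i + 1:])
    return []


SKELETON = """
IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
DOMAIN-SUFFIX,pay.example-bank.cn,DIRECT
DOMAIN-SUFFIX,github.com,PROXY
GEOIP,CN,DIRECT
MATCH,PROXY
"""


def demo():
    rules = parse_rules(SKELETON)
    result = {
        "domestic_ip": route(rules, host="cdn.example.cn", ip="203.0.113.10"),
        # Mainland payment API answering from an overseas POP: the suffix line above GEOIP keeps it DIRECT.
        "bank_on_overseas_pop": route(rules, host="api.pay.example-bank.cn", ip="198.51.100.9"),
        "github": route(rules, host="github.com", ip="198.51.100.20"),
        "lan_printer": route(rules, ip="192.168.1.50"),
    }
    # The misroute from the text: catch-all above GEOIP, so domestic IPs never reach DIRECT.
    misordered = parse_rules(SKELETON.replace("GEOIP,CN,DIRECT\nMATCH,PROXY", "MATCH,PROXY\nGEOIP,CN,DIRECT"))
    result["domestic_ip_misordered"] = route(misordered, host="cdn.example.cn", ip="203.0.113.10")
    result["dead_after_match"] = [f"{r[0]}({r[1]})" for r in dead_rules(misordered)]
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the same flow landing on GEOIP(CN) with the correct order and on MATCH with the catch-all moved up, which is exactly what the live log would tell you; `dead_rules` is the cheap sanity check to run after every hand edit.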

Rule Providers: Curated Lists Without YAML Bloat

Rule providers fetch remote text or binary rule bundles on a timer and mount them under a logical name. Community-maintained sets often include categories such as advertising filters, privacy trackers, Apple services, Google services, Telegram, Netflix regions, and more. For split routing, the highest leverage providers are those that enumerate services you consistently want on proxy while keeping mainstream Chinese properties off the list.

Operational hygiene matters. Pin URLs to maintainers you trust, set sane interval values (hourly is not always better than daily if you dislike churn), and verify checksum behavior if your distribution supports it. When a provider author pushes a bad commit, you want a narrow blast radius: roll back one provider file instead of hand-editing hundreds of lines.

Combine providers with behavior metadata when available. Some cores support faster lookups for large domain sets; keep an eye on release notes for the exact build bundled in your GUI. If CPU spikes on every new TCP session, you may be over-classifying with redundant overlapping lists.
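The hygiene points above (pin what you trust, keep a narrow blast radius, and avoid redundant overlapping lists) can be checked outside the client. The following is an added example, not a Clash feature and not any community rule set: two constructed provider payloads in the classical one-rule-per-line form, a pinned SHA-256 gate that falls back to the last accepted file when an update does not match, and an overlap scan that reports entries of one provider already covered by another.

```python
"""Rule-provider hygiene: pinned digests, safe rollback, overlap detection.

Added example, not part of Clash or of any community rule set. The two
provider payloads are constructed stand-ins for files a client would
download into its providers directory (classical text behavior, one rule
per line).
"""
import hashlib
import hmac

FOREIGN_DEV = """\
# constructed provider: developer tooling you always want on the proxy
DOMAIN-SUFFIX,github.com
DOMAIN-SUFFIX,githubusercontent.com
DOMAIN-SUFFIX,npmjs.org
"""

GLOBAL_MISC = """\
# constructed provider: a broader list that partly duplicates the one above
DOMAIN,api.github.com
DOMAIN-SUFFIX,npmjs.org
DOMAIN-SUFFIX,example.org
"""


def sha256_hex(payload):
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def accept_update(previous_good, candidate, pinned_hex):
    """Return (payload to install, accepted). The candidate is installed only
    if it matches the digest you pinned; otherwise the previously accepted
    file stays in place, so one bad upstream commit rolls back one provider
    and nothing else changes."""
    if hmac.compare_digest(sha256_hex(candidate), pinned_hex):
        return candidate, True
    return previous_good, False


def parse_provider(payload):
    rules = []
    for line in payload.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rtype, _, body = line.partition(",")
        rules.append((rtype.strip().upper(), body.strip().lower()))
    return rules


def covered_by_suffix(name, suffix):
    return name == suffix or name.endswith("." + suffix)


def find_overlaps(name_a, payload_a, name_b, payload_b):
    """Rules in provider B already covered by a rule in provider A.

    If both providers point at the same policy, B's entries are redundant
    classification work on every new connection; if they point at different
    policies, whichever provider is mounted first silently wins.
    """
    rules_a = parse_provider(payload_a)
    overlaps = []
    for rtype_b, body_b in parse_provider(payload_b):
        for rtype_a, body_a in rules_a:
            same_domain = rtype_a == "DOMAIN" and rtype_b == "DOMAIN" and body_a == body_b
            suffix_shadow = (rtype_a == "DOMAIN-SUFFIX"
                             and rtype_b in ("DOMAIN", "DOMAIN-SUFFIX")
                             and covered_by_suffix(body_b, body_a))
            if same_domain or suffix_shadow:
                overlaps.append((f"{name_b}:{rtype_b},{body_b}", f"{name_a}:{rtype_a},{body_a}"))
                break
    return overlaps


def demo():
    pinned = sha256_hex(FOREIGN_DEV)  # the digest you recorded when you reviewed the file
    changed = FOREIGN_DEV + "DOMAIN-SUFFIX,example-bank.cn\n"  # constructed unexpected upstream change
    installed, accepted = accept_update(FOREIGN_DEV, changed, pinned)
    return {
        "accepted": accepted,
        "installed_unchanged": installed == FOREIGN_DEV,
        "overlaps": find_overlaps("foreign-dev", FOREIGN_DEV, "global-misc", GLOBAL_MISC),
    }
```

In `demo()` the changed file is refused and the previous copy stays installed, and the scan reports that `api.github.com` and `npmjs.org` in the second provider are already covered by suffix entries in the first. Re-pinning after you have read an upstream diff is the deliberate step; automatic acceptance defeats the point.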

Policy Groups: Speed, Fallback, and “Fastest” Semantics

Routing rules point to outbound names, which are often policy groups rather than raw servers. A typical pattern is: PROXY as a select group for manual choice, AUTO as a url-test or fallback group that periodically measures latency to a health URL, and maybe a dedicated AI or STREAM group if certain nodes differ in throughput caps.

For overseas acceleration, automatic groups shine when your airport publishes dozens of similarly named relays. Let the client measure which answers a lightweight HTTPS probe fastest, then stick to it until health degrades. Be mindful of what you test: a 204 endpoint hosted on a global CDN may not reflect the path quality toward GitHub or npm. Some users maintain two automatic groups with different probe targets to approximate “general web” versus “developer tooling.”

Never point health checks at domains you route only through proxy if the probe itself needs bootstrap connectivity—avoid circular dependencies. DIRECT exceptions for probe hosts are common in advanced templates.
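The selection semantics described in this section (a url-test group that only switches when the gain clears a tolerance, a fallback group that walks its list in preference order, and a probe host that must not depend on the group it measures) are easier to reason about with a small model. This is an added example, not the Mihomo scheduler; node names, latency samples and the routing outcome used by the probe check are constructed.

```python
"""Model of url-test and fallback policy-group selection, plus a probe
bootstrap check.

Added example; this simulates the selection semantics described in the
text, it is not the Mihomo scheduler. Node names, latency samples and the
routing table used by the probe check are constructed.
"""


class UrlTestGroup:
    """Lowest-latency alive node, but only switch when another node beats the
    current one by more than `tolerance` ms (keeps similar relays from flapping)."""

    def __init__(self, nodes, tolerance=50):
        self.nodes = list(nodes)
        self.tolerance = tolerance
        self.current = None

    def update(self, samples):
        """`samples` maps node -> latency in ms, or None when the probe failed."""
        alive = {n: samples.get(n) for n in self.nodes if samples.get(n) is not None}
        if not alive:
            self.current = None
            return None
        best = min(alive, key=alive.get)
        if self.current not in alive:
            self.current = best  # first round, or the current node went down
        elif alive[self.current] - alive[best] > self.tolerance:
            self.current = best  # improvement is large enough to justify a switch
        return self.current


class FallbackGroup:
    """First alive node in configured order; the order expresses preference, not speed."""

    def __init__(self, nodes):
        self.nodes = list(nodes)

    def select(self, samples):
        for n in self.nodes:
            if samples.get(n) is not None:
                return n
        return None


def probe_is_circular(group_name, probe_host, route_of):
    """True when the rules would send the group's own health probe back into
    the group, so the probe cannot bootstrap while no node is known healthy."""
    return route_of(probe_host) == group_name


def demo():
    nodes = ["HK-01", "HK-02", "JP-01"]
    auto = UrlTestGroup(nodes, tolerance=50)
    fallback = FallbackGroup(nodes)
    rounds = [
        {"HK-01": 120, "HK-02": 130, "JP-01": 150},    # first measurement: HK-01 is fastest
        {"HK-01": 125, "HK-02": 100, "JP-01": 150},    # HK-02 better by 25 ms, inside tolerance: stay
        {"HK-01": 200, "HK-02": 100, "JP-01": 150},    # 100 ms gap exceeds tolerance: switch
        {"HK-01": None, "HK-02": None, "JP-01": 160},  # both HK probes failed: only JP is alive
    ]
    auto_picks = [auto.update(r) for r in rounds]
    fallback_picks = [fallback.select(r) for r in rounds]

    # Constructed routing outcome for two candidate probe hosts: one would be
    # routed through the AUTO group itself, the other has a DIRECT exception.
    routing = {"probe.example.net": "AUTO", "cp.example.net": "DIRECT"}
    circular = {h: probe_is_circular("AUTO", h, routing.get) for h in routing}
    return auto_picks, fallback_picks, circular
```

Note how the two groups disagree in round three: the url-test group moves to HK-02 because the gap exceeds its tolerance, while the fallback group keeps HK-01 because it is still alive and listed first. The probe check is the thing to run whenever you change the health URL or the rules around it.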

DNS: fake-ip, redir-host, and Why Mis-DNS Breaks Rules

Split routing is a marriage of IP rules and name resolution. If DNS answers are wrong, your DOMAIN rules never get a chance to run because the core already sees an unexpected IP. fake-ip mode answers domain queries with synthetic addresses from a local pool; when the connection arrives, the core maps that address back to the name it answered (or, failing that, recovers the name by sniffing the TLS handshake), so domain rules still run. It is powerful for reducing leaks and keeping rule evaluation crisp, but it interacts with captive portals, split intranet zones, and some enterprise SSO flows.

A conservative mainland profile often sets domestic resolvers for names you intend to classify as CN, while still allowing Clash to hijack queries for foreign stacks. The exact YAML varies by core version; align your snippet with the documentation for the build you ship. When something “works in the browser but fails in Terminal,” compare resolver paths: Chrome may be using DNS-over-HTTPS independently of the OS stack.

If you enable TUN, DNS hijack becomes part of the same trust boundary as packet capture. Our Clash TUN mode guide expands on how virtual NIC mode and DNS interact for developer workloads; read it before you merge aggressive hijack settings with corporate VPNs.
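The fake-ip mechanics described above, as an added model rather than the Mihomo resolver: a pool that hands out synthetic addresses, a `fake-ip-filter` list whose entries get real answers (the captive-portal and intranet cases), the reverse mapping the core consults when a connection arrives, and what happens when an application resolved a name on its own and hands the core a real address. The 198.18.0.0/15 pool is the Clash default range; the filter patterns, hosts and the "real DNS" answers are constructed.

```python
"""Model of fake-ip resolution and why domain rules depend on it.

Added example, not the Mihomo resolver. The 198.18.0.0/15 pool is the
Clash default fake-ip-range; the filter patterns, hosts and the
"real DNS" answers are constructed.
"""
import fnmatch
import ipaddress


class FakeIpResolver:
    def __init__(self, pool="198.18.0.0/15", fake_ip_filter=()):
        self._hosts = ipaddress.ip_network(pool).hosts()  # hands out pool addresses in order
        self.filter = [p.lower() for p in fake_ip_filter]
        self.by_host = {}
        self.by_ip = {}

    def is_filtered(self, host):
        """fake-ip-filter entries get real DNS answers: '*' wildcards as in
        shell globs, and '+.example' for the domain itself and every subdomain."""
        for pat in self.filter:
            if pat.startswith("+."):
                base = pat[2:]
                if host == base or host.endswith("." + base):
                    return True
            elif fnmatch.fnmatchcase(host, pat):
                return True
        return False

    def resolve(self, host, real_dns):
        """Return (address, is_fake)."""
        host = host.lower()
        if self.is_filtered(host):
            return real_dns(host), False
        if host not in self.by_host:
            ip = str(next(self._hosts))
            self.by_host[host] = ip
            self.by_ip[ip] = host
        return self.by_host[host], True

    def host_for(self, ip):
        """Reverse mapping used when the connection arrives; None means the
        address did not come from this resolver."""
        return self.by_ip.get(ip)


def classify(resolver, dst_ip, sni=None):
    """Which rule families can see this flow: domain rules need a recovered name."""
    host = resolver.host_for(dst_ip) or sni
    return "domain+ip rules" if host else "ip rules only"


def demo():
    # Constructed "real" resolver for names excluded from fake-ip.
    real_dns = {"captive.example.lan": "10.0.0.5", "login.corp.example": "10.1.2.3"}.get
    r = FakeIpResolver(fake_ip_filter=["*.lan", "+.corp.example"])
    out = {}
    out["github"] = r.resolve("github.com", real_dns)            # synthetic address from the pool
    out["github_again"] = r.resolve("GitHub.com", real_dns)      # same mapping, case-insensitive
    out["captive"] = r.resolve("captive.example.lan", real_dns)  # filtered: real answer returned
    out["sso"] = r.resolve("login.corp.example", real_dns)       # '+.' covers subdomains too
    out["reverse"] = r.host_for(out["github"][0])
    # An app that resolved on its own (a browser using DoH, say) hands the core a real IP:
    out["leaked"] = classify(r, "198.51.100.7")
    out["leaked_with_sni"] = classify(r, "198.51.100.7", sni="github.com")
    out["via_fake_ip"] = classify(r, out["github"][0])
    return out
```

The last three entries of `demo()` are the "works in the browser but fails in Terminal" symptom in miniature: the same destination is classifiable by domain when the address came from the fake-ip pool or when a TLS SNI is visible, and only by IP rules otherwise.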

TUN Mode and DIRECT Exceptions

TUN raises fidelity: more applications traverse Clash, fewer bypass the policy. It also raises responsibility: you must exempt local subnets, multicast, and the proxy server itself from being re-entrant into the tunnel. Quality templates always include DIRECT lines for RFC1918 ranges, link-local addresses, and the airport hostname before broad GEOIP or MATCH rules.

On Windows, driver elevation prompts are normal the first time. Follow a GUI checklist such as the Clash Verge Rev Windows setup guide so you do not end up with half-installed adapters after an interrupted update.

Latency, Privacy, and Compliance Boundaries

Split routing optimizes experience, not anonymity. Domestic DIRECT traffic uses your ISP path in the ordinary way. Overseas proxy traffic is visible to the node operator to the same extent as any encrypted tunnel. If your threat model requires uniform egress, you intentionally choose full-tunnel and accept the performance trade-off.

From a compliance perspective, organizational networks may forbid split tunneling altogether. Home labs differ. This article is written for lawful personal network optimization: respect local regulations, subscription terms, and workplace policies.

Testing and Observability

After editing rules, validate with small experiments instead of anecdotal browsing. Open the log, initiate a connection to a known domestic host, confirm the matched rule is GEOIP or your explicit CN domain line, then repeat for a blocked overseas sample and confirm it hits the proxy group. Use traceroute and TLS client tools sparingly; remember ICMP may be filtered differently from TCP.

Automated tests are rare in consumer setups, but you can still keep a markdown checklist: banking site DIRECT, Git fetch via proxy, streaming domain in the right group, LAN printer untouched. Regression-test after every provider bulk update.
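The checklist can be executed rather than ticked by hand: feed the connection log into a small parser and compare the matched outbound for each destination with what you expect. This is an added example, not a Clash feature. The log lines are constructed in the general shape Mihomo-style cores print for new connections ("... --> host:port match Rule(payload) using OUTBOUND[node]"); adjust the regular expression if your build formats them differently.

```python
"""Regression checklist run over Clash connection log lines.

Added example, not a Clash feature. The log lines are constructed in the
shape Mihomo-style cores print for new connections; adjust LINE_RE if your
build formats them differently.
"""
import re

# Constructed log excerpt: four connections after a provider update.
LOG = """\
time="2024-05-01T10:00:00+08:00" level=info msg="[TCP] 192.168.1.10:51234 --> www.example-bank.cn:443 match DomainSuffix(example-bank.cn) using DIRECT"
time="2024-05-01T10:00:02+08:00" level=info msg="[TCP] 192.168.1.10:51240 --> github.com:443 match DomainSuffix(github.com) using PROXY[HK-02]"
time="2024-05-01T10:00:05+08:00" level=info msg="[TCP] 192.168.1.10:51251 --> cdn.example.net:443 match Match using PROXY[HK-02]"
time="2024-05-01T10:00:09+08:00" level=info msg="[TCP] 192.168.1.10:51260 --> 192.168.1.50:9100 match IPCIDR(192.168.0.0/16) using DIRECT"
"""

LINE_RE = re.compile(
    r'\[(?P<proto>TCP|UDP)\] \S+ --> (?P<host>[^:\s]+):\d+ '
    r'match (?P<rule>\S+(?:\([^)]*\))?) using (?P<outbound>[^"\s]+)'
)

# Constructed checklist: destination -> policy it must land on.
CHECKLIST = {
    "www.example-bank.cn": "DIRECT",  # banking site stays local
    "github.com": "PROXY",            # git fetch rides the proxy
    "cdn.example.net": "STREAM",      # streaming domain belongs in its dedicated group
    "192.168.1.50": "DIRECT",         # LAN printer untouched
    "api.example.com": "PROXY",       # never exercised in this log
}


def parse_log(text):
    """Yield (host, rule, policy) per connection. The node in brackets is
    dropped because the checklist cares about the policy group, not which
    relay the group happened to pick."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            policy = m.group("outbound").split("[", 1)[0]
            yield m.group("host"), m.group("rule"), policy


def run_checklist(log_text, checklist):
    """Return {host: (expected, observed policy, matched rule, ok)}; observed
    is None when the log never showed a connection to that host, which is
    itself a finding: the test was not exercised."""
    seen = {}
    for host, rule, policy in parse_log(log_text):
        seen.setdefault(host, (policy, rule))  # the first connection is the one that matters
    report = {}
    for host, expected in checklist.items():
        policy, rule = seen.get(host, (None, None))
        report[host] = (expected, policy, rule, policy == expected)
    return report


def failures(report):
    return sorted(host for host, (_, _, _, ok) in report.items() if not ok)


if __name__ == "__main__":
    for host, row in run_checklist(LOG, CHECKLIST).items():
        print(host, row)
```

On the constructed log the streaming domain fails (it fell through to MATCH instead of the STREAM group, the classic symptom of a stale or misordered provider), and the API host is reported as never observed, so the run is not a pass until you actually generate that connection.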

Common Pitfalls and Quick Fixes

Circular routing to the proxy server produces periodic stalls; add DIRECT for the server IP and domain. Stale provider files cause sudden mass misroutes; confirm download intervals and disk permissions. Mixed-case or IDN domains need consistent suffix entries; punycode matters for internationalized domains. IPv6 paths may bypass assumptions you built only for IPv4; either disable IPv6 at the OS level intentionally or extend rules symmetrically.

Process-level rules can help when a single binary must always go proxy, but they are less portable across machines; prefer domain rules unless you have a stubborn edge case.

Closing Thoughts

An optimal split profile is boring on purpose: domestic traffic stays on the shortest path, overseas traffic rides a measured outbound, and your YAML stays short because providers carry the weight of long tail domains. Invest once in ordering, DNS alignment, and health-check hygiene, then iterate with log-driven tweaks instead of superstition.

Compared with ad hoc per-app toggles, Clash gives you a single policy surface that scales from a laptop to a household router downstream—provided you treat configuration like code: review diffs, pin trusted sources, and upgrade cores deliberately.

When you are ready to install a maintained client and drop in a split template that matches your region, use our hub so builds, signatures, and update cadence stay consistent with what these guides assume. → Download Clash for free and experience the difference between brittle full-tunnel defaults and a tuned routing plan you can explain line by line.