Rule-based proxy clients look simple on the surface: some websites go direct, others use a proxy, and blocked domains are rejected. In practice, routing rules fail when domain matching, DNS resolution, IP matching, and final policy selection do not line up.
Quick answer
A proxy rule works only if the client can see the value the rule expects. Domain rules require a domain name, IP rules require an address, and GeoIP rules require a current database. Rule order matters because most clients stop at the first matching rule.
Common rule types
- DOMAIN: matches one exact hostname.
- DOMAIN-SUFFIX: matches a domain and its subdomains.
- DOMAIN-KEYWORD: matches a keyword, but can create false positives.
- IP-CIDR: matches IPv4 ranges.
- IP-CIDR6: matches IPv6 ranges.
- GeoIP: matches an IP address by country or region database.
- MATCH: the fallback action when nothing else matches.
Why domain rules do not match
Some apps resolve DNS internally before opening a connection. The proxy client may only see the destination IP, not the hostname. In that case a domain rule cannot match, even if it looks correct in the configuration file.
Why GeoIP can be wrong
GeoIP depends on local databases and IP allocation data. Cloud platforms, CDNs, Anycast networks, and frequently reassigned addresses can make location-based decisions unstable. GeoIP is useful for broad routing, but it should not replace precise domain rules for critical services.
Rule order design
Place specific rules before broad rules. Private domains, required business services, and explicit exceptions should come first. Keyword rules, large domain sets, GeoIP rules, and the final MATCH rule should come later. A broad early rule can prevent every later correction from running.
How to troubleshoot
- Open the client log and find the exact rule that matched the request.
- Check whether DNS resolution happens locally, remotely, or through Fake DNS.
- Verify the selected policy group and the actual outbound node.
- Test one exact domain rule at the top of the list to confirm routing control.
- Repeat the test for IPv4 and IPv6 destinations.
Relation to split tunneling
Split tunneling is only as reliable as the matching model behind it. If a browser uses one DNS path while an app uses another, they may hit different rules. If your main symptom is that the VPN is connected but the visible IP does not change, compare this guide with the VPN connected but IP address not changing guide.
FAQ
Are more rules always better?
No. More rules can increase false matches and make debugging harder. A smaller, ordered rule set is usually easier to maintain.
Should MATCH go proxy or direct?
It depends on the goal. Privacy-focused setups often proxy the fallback. Compatibility-focused setups may choose direct.
Why does the same domain match different rules on two devices?
The devices may use different DNS, IPv6 availability, client versions, rule databases, or policy group selections.