Routing Rules Guide

Routing rules are the core of Xray's traffic control system. They determine which outbound connection (outbound proxy (vless/vmess/xhttp etc), direct(freedom), or block(blackhole)) should handle specific traffic based on various criteria like domains, IPs, ports, and protocols.

Traffic Flow Architecture

Before diving into routing rules, it's crucial to understand that not all traffic automatically goes through Xray. The XRAYUI module implements a multi-layer traffic control system:

Layer 1: System-Level Interception

First, the router decides what traffic to intercept based on your basic configuration:

Bypass/Redirect Policies determine which devices and ports are handled
DNS Bypass Mode affects how domain-based decisions are made
Only intercepted traffic reaches Xray for processing

Layer 2: DNS Resolution & Bypass

Before Xray routing rules are evaluated, the DNS Bypass/Redirect feature can make routing decisions.

Initially, the module intercepts any traffic (well, almost any, but that's not important in this case) and redirects it to Xray's dokodemo inbound port. As it turned out, under heavy loads, Xray struggles to handle such traffic flow on weak routers.

DNS Bypass Modes

OFF: All intercepted traffic goes to Xray for rule-based routing
BYPASS: Extracts all rules from the config that are specified with FREEDOM outbound type, and essentially any traffic to these domains won't be sent to Xray. For example, if you made a rule domain:ru to FREEDOM - this way any traffic to .ru domains won't be thrown to Xray, but will flow as if there's no Xray on the router at all. Other traffic goes through Xray.
REDIRECT: Works opposite to bypass - extracts all rules where the outbound type is NOT FREEDOM and sends them to Xray. So if you made a rule geosite:youtube to proxy outbound, this way all traffic except YouTube domains will bypass Xray, and YouTube will be thrown to the Xray process.

Important

DNS Bypass/Redirect happens BEFORE Xray routing rules! This is traffic routing even before it gets into the Xray process. It's important to remember that how and where your traffic goes inside Xray depends on your rules in Xray, but that's another story entirely.

Note

Important point: in geodata categories, you may occasionally (very rarely, but it happens) encounter regexp: prefixes for domains. Such "domains" are ignored by the "enable DNS bypass" option and won't work, but this is, let's say, a minor issue.

Layer 3: Xray Routing Rules

Only traffic that passes through the previous layers reaches Xray's routing engine, where your rules are evaluated sequentially.

Understanding Domain Prefixes

Domain routing in Xray provides flexible traffic management through various matching approaches. Understanding these prefixes is essential for effective rule creation.

Basic Domain Matching

The domain: prefix is the foundation of domain-based routing:

domain:com — Matches ALL .com top-level domains and their subdomains
- ✅ Matches: dmn.com, example.com, sub.example.com
- ❌ Doesn't match: us.com, us-server.net
domain:dmn.com — Matches the domain and all its subdomains
- ✅ Matches: dmn.com, www.dmn.com, some.sub.domain.dmn.com
- ❌ Doesn't match: domains.com, notdmn.com
domain:www.dmn.com — Matches only this specific subdomain and its sub-subdomains
- ✅ Matches: www.dmn.com, api.www.dmn.com
- ❌ Doesn't match: dmn.com, m.dmn.com

Full Domain Matching

Use full: when you need exact domain matching without subdomains:

full:google.com — Matches ONLY google.com
- ✅ Matches: google.com
- ❌ Doesn't match: www.google.com, maps.google.com

Pattern Matching

For more flexible matching, use keyword and regex patterns:

keyword:google — Matches any domain containing "google"
- ✅ Matches: google.com, googleusercontent.com, mygooglesite.net
regexp:.*\.edu$ — Matches domains ending with .edu using regular expressions
- ✅ Matches: harvard.edu, mit.edu
- ❌ Doesn't match: education.com

Working with Geosite Databases

For managing large collections of domains efficiently, Xray supports geosite files. These are community-maintained databases that group hundreds or thousands of related domains under single tags.

Why Use Geosite?

Instead of manually listing dozens of domains for a service like YouTube:

domain:youtube.com
domain:youtube.ru
domain:youtu.be
domain:youtubeeducation.com
domain:youtube-nocookie.com
domain:googleapis.com
# ... and many more

You can simply use:

geosite:youtube

This automatically includes ALL YouTube-related domains from the community database, including CDNs, API endpoints, and regional variants.

Available Geosite Categories

The community maintains extensive domain lists. You can find all available categories at: GitHub: v2fly/domain-list-community

Common categories include:

geosite:google — All Google services
geosite:youtube — YouTube and related domains
geosite:netflix — Netflix streaming service
geosite:telegram — Telegram messenger
geosite:facebook — Facebook and Instagram
geosite:twitter — Twitter/X platform
geosite:cn — Chinese websites
geosite:category-media-ru - All banned media in Russia
geosite:category-ads-all — Advertisement networks
geosite:geolocation-!cn — Non-Chinese sites

Understanding Category Contents

Let's examine how categories work with a simple example:

The geosite:actalis category contains just two domains:

domain:actalis.com
domain:actalis.it

When you use geosite:actalis, it's equivalent to adding both domains manually. However, the key advantage is automatic updates — if the community adds new Actalis domains in the future, your rules automatically include them when you update the geosite database.

Community Contributions

The geosite database is community-driven. For example, the category-media-ru category was recently added:

geosite:category-media-ru

This now automatically includes all category-media-ru-related domains without needing to list them individually.

Creating Custom Geosite Categories

You can create your own domain lists using xrayui's custom geosite feature: Read more about custom geosite dat files.

Updating Geosite Databases

The community geosite databases are regularly updated with new domains and categories. To keep your routing accurate:

Manual Update

Go to Routing section
Click Update community files button
Wait for the update to complete
Apply configuration

Automatic Updates

Go to General Options → Geodata tab
Enable Auto-update geodata files
Updates will occur nightly at 03:00

Tips

Regular updates ensure your rules catch newly added domains for services like streaming platforms that frequently add new CDN endpoints.

Verifying Geosite Contents

To see what domains are included in a geosite category:

Check the official repository
Search for the category file (e.g., youtube)
Review the included domains and patterns

This helps you understand exactly what traffic your rules will match.

Understanding Routing Rules

In XRAYUI, routing rules work as a sequential decision tree. When traffic arrives, Xray evaluates rules from top to bottom and applies the first matching rule. If no rules match, traffic uses the default behavior.

Important

Rule order matters! Rules are evaluated sequentially, so more specific rules should generally come before broader ones.

The Rules Interface

To manage routing rules in XRAYUI:

Navigate to the Routing section on the main page
Click the Manage button next to Rules
The Rules Manager window will open

Adding a New Rule

Step 1: Open the Rule Editor

Click Add new rule at the bottom of the Rules Manager window.

Step 2: Configure Basic Settings

Field	Description	Example
Friendly Name	Optional descriptive name for your rule	"Netflix to Proxy"
Outbound connection	Which outbound to use when rule matches	proxy, direct, block
Enabled	Toggle rule on/off without deleting	✓ (checked)

Step 3: Define Matching Criteria

Rules can match traffic based on multiple criteria:

Domains

Enter domains to match, one per line. Supports multiple formats:

# Exact domain and subdomains
domain:google.com

# Only exact match
full:www.google.com

# Keyword matching
keyword:facebook

# Regular expression
regexp:.*\.gov$

# Geosite databases
geosite:netflix
geosite:category-ads
ext:xrayui:streaming

Tips

Use the geosite: and ext:xrayui: buttons above the domain field for quick prefix insertion. The autocomplete feature will help you find available tags.

IP Addresses

Specify IP addresses or ranges:

# Single IP
1.1.1.1

# CIDR notation
192.168.1.0/24

# IP range
10.0.0.1-10.0.0.100

# GeoIP database
geoip:cn
geoip:ru
geoip:private

Ports

Define specific ports or ranges:

# Single port
443

# Port range (use colon)
8080:8090

# Multiple ports
80,443,8080

Source IPs

Match traffic from specific source IPs (useful for device-specific rules):

192.168.1.100
192.168.1.0/24

Protocols

Select protocols to match:

HTTP
TLS (HTTPS)
BitTorrent

Network Type

Choose the transport protocol:

TCP
UDP
TCP,UDP (both)

Inbound Tags

Match traffic from specific inbounds (useful when you have multiple entry points).

Tips

Remember the Golden Rule: If nothing is selected - everything is selected. it means you dont need to select everything to cover all. Just leave ithe field blank.

Step 4: Save the Rule

Click Save to add the rule to your configuration.

Practical Examples: DNS Bypass + Routing Rules

Understanding how DNS Bypass and routing rules interact is crucial for proper configuration. Here are real-world scenarios:

Scenario 1: Performance Optimization

Goal: Proxy only blocked services, everything else direct

Configuration:

DNS B/R Option: REDIRECT mode
B/R Policy: Redirect ports 80,443

Routing Rules:
1. YouTube → geosite:youtube → proxy
2. Netflix → geosite:netflix → proxy

Result: Only YouTube and Netflix go through Xray. All other traffic bypasses Xray entirely at the DNS/IPSET level, reducing CPU load.

Scenario 2: Maximum Control

Goal: Complex routing with different proxies for different services

Configuration:

DNS Bypass: OFF
B/R Policy: all to xray

Routing Rules:
1. Work traffic → domain:company.com → work-proxy
2. Streaming → geosite:netflix → us-proxy
3. Social Media → geosite:twitter → europe-proxy
4. Gaming → ports:27000-27100 → direct
5. Default → * → smart-proxy

Result: All traffic goes through Xray for evaluation, allowing sophisticated routing decisions.

Scenario 3: Device-Specific with Bypass

Goal: Smart TV direct, other devices proxied

Configuration:

DNS Bypass: BYPASS mode
B/R Policy:
  - Bypass MAC:AA:BB:CC:DD:EE:FF (Smart TV)
  - Redirect others on ports 80,443

Routing Rules:
1. Local network → geoip:private → direct
2. Blocked sites → geosite:netflix → proxy
3. Default → * → proxy

Result: Smart TV never reaches Xray. Other devices have Netflix proxied, rest goes direct via DNS bypass.

Rule Priority and Ordering

Rules are processed in order from top to bottom. Here's the recommended priority order:

System rules (xrayui auto-generated, usually at the top, start with prefix sys:)
Blocking rules (ads, malware, trackers)
Device-specific rules (by source IP/MAC)
Service-specific rules (streaming, gaming)
Port-based rules (specific applications)
Geographic rules (country-based routing)
Catch-all rules (default behavior)

Tips

Use the drag handle (⋮⋮) on the left of each rule to reorder them. The visual order in the list represents the actual evaluation order.

Interaction with DNS Bypass

Remember that DNS Bypass mode affects which traffic reaches your rules:

In BYPASS mode:

Domains matching rules with FREEDOM outbound never reach Xray
Only non-FREEDOM domains are evaluated by routing rules
This improves performance but reduces control

In REDIRECT mode:

Only domains NOT matching FREEDOM rules go through Xray
Inverse logic of BYPASS mode
Useful when most traffic should be direct

With DNS Bypass OFF:

All intercepted traffic reaches Xray routing rules
Maximum control but higher resource usage
Recommended for complex routing scenarios

Warning

If using DNS Bypass, ensure your FREEDOM rules in Xray align with your bypass intentions. Misalignment can cause unexpected routing behavior.

Working with Geosite/GeoIP

Using Built-in Databases

XRAYUI includes community-maintained geographic databases:

Common Geosite Tags:

geosite:google - All Google services
geosite:facebook - Facebook and subsidiaries
geosite:netflix - Netflix domains
geosite:telegram - Telegram messenger
geosite:cn - Chinese websites
geosite:category-ads-all - Advertisement domains

Common GeoIP Tags:

geoip:cn - Chinese IP addresses
geoip:us - US IP addresses
geoip:private - Private/LAN addresses
geoip:cloudflare - Cloudflare IPs

Custom Geosite Files

You can create custom domain lists. See Custom Geosite Files for details.

Advanced Features

Domain Matching Strategies

Set the Domain Matcher to optimize performance:

hybrid (default): Balanced performance and accuracy
linear: Sequential matching, more accurate but slower

Using Multiple Criteria

Rules with multiple criteria use AND logic. The rule matches only when ALL specified conditions are met:

# This rule matches HTTPS traffic from 192.168.1.100
Domains: domain:example.com
Source IPs: 192.168.1.100
Ports: 443
# ALL three conditions must be true for a match

Temporary Rule Disabling

Instead of deleting rules, you can temporarily disable them:

Uncheck the checkbox next to the rule name
The rule moves to the "disabled" section but retains its configuration
Re-enable when needed without reconfiguration

Best Practices

1. Start Specific, Then Generalize

Begin with specific rules for critical services, then add broader catch-all rules.

2. Use Descriptive Names

Give rules meaningful names that describe their purpose:

✅ "Netflix to Proxy"
❌ "Rule 1"

Keep similar rules together for easier management:

Group all streaming rules
Group all blocking rules
Group all device-specific rules

4. Test Before Deploying

Add new rules as disabled
Enable and test individually
Monitor logs for unexpected behavior
Adjust as needed

5. Regular Maintenance

Review rules periodically
Remove obsolete rules
Update geosite/geoip databases regularly
Consolidate similar rules when possible

Check DNS Bypass mode - Your rules might not be reached due to DNS bypass
- If using BYPASS/REDIRECT, verify domains aren't being handled before Xray
- Try temporarily disabling DNS bypass to isolate the issue
Verify B/R Policies - Traffic might not be intercepted at all
- Check if the device/port is set to redirect to Xray
- Verify MAC addresses and port ranges
Check rule order - More specific rules must come before general ones
Verify outbound tags - Ensure the specified outbound exists
Check syntax - Validate domain/IP formats
- Remember: domain: not domain.
- Use geosite: not geosite.
Review logs - Enable logs to see which rules are matching

Traffic Not Going Through Proxy

Symptom: Sites load but aren't proxied despite having rules

Common causes:

DNS Bypass is ON with REDIRECT mode and domain matches FREEDOM
B/R Policy doesn't include the ports being used
DNS resolution happening before proxy (check DNS leak prevention)
QUIC/HTTP3 traffic on UDP 443 not being intercepted

Solution steps:

1. Set DNS Bypass to OFF temporarily
2. Ensure B/R Policy includes both TCP and UDP
3. Add UDP port 443 to your redirect policy
4. Check logs to verify traffic reaches Xray

Unexpected Direct Connections

Symptom: Some traffic bypasses proxy without matching any direct rule

Check:

ipset rules from DNS bypass creating kernel-level bypasses
System DNS queries not being intercepted
IPv6 traffic if not properly handled
Cached DNS responses from before configuration change

Performance Issues

If routing is slow:

Reduce regex usage (most resource-intensive)
Consolidate similar rules
Use geosite tags instead of listing many domains
Switch domain matcher to "linear" if accuracy is more important than speed

Debugging Rules

Enable logging to see rule matches:

Go to General Options → Logs
Enable Access logs
Set Log level to "info" or "debug"
Check logs to see which rules are triggered

Common Mistakes to Avoid

Wrong prefix format: Use domain: not domain.
Port format confusion: Use : for ranges (8080:8090), not -
Missing network type: Specify tcp, udp, or both
Incorrect rule order: Catch-all rules placed too early
Conflicting rules: Multiple rules matching the same traffic

Quick Reference

Domain Prefixes

Prefix	Matches	Example
`domain:`	Domain and all subdomains	`domain:google.com` matches `maps.google.com`
`full:`	Exact domain only	`full:google.com` matches only `google.com`
`keyword:`	Contains keyword	`keyword:google` matches `googleplex.com`
`regexp:`	Regular expression	`regexp:.*\.edu$` matches `.edu` domains
`geosite:`	Geosite database	`geosite:netflix`
`ext:xrayui:`	Custom xrayui lists	`ext:xrayui:mylist`

Configuration Decision Tree

When setting up routing in xrayui, follow this decision tree:

1. How much traffic needs proxying?
   ├─ Most traffic → DNS Bypass OFF
   └─ Selective → DNS Bypass ON
       ├─ Proxy specific sites → REDIRECT mode
       └─ Bypass specific sites → BYPASS mode

2. Which devices need proxying?
   ├─ All devices → B/R Policy: Redirect all
   └─ Specific devices → B/R Policy: By MAC/IP

3. What ports to intercept?
   ├─ Web only → TCP/UDP 80,443
   ├─ All traffic → All ports
   └─ Custom apps → Specific port ranges

4. How complex is routing?
   ├─ Simple (proxy/direct) → Basic rules
   ├─ By service → Use geosite categories
   └─ Complex logic → Multiple rule layers

Not all traffic automatically goes through Xray
DNS Bypass can prevent rules from being evaluated
Rule order matters (first match wins)
Geosite categories simplify domain management
Different domain prefixes serve different purposes
Performance and control are often trade-offs

Best practices:

Start with DNS Bypass OFF to understand traffic flow
Use geosite categories instead of listing individual domains
Test rules incrementally
Monitor logs during initial setup
Optimize with DNS Bypass once routing works correctly
Document complex configurations

Note

Remember to click Apply on the main page after making any configuration changes to activate your new routing setup.