diff --git a/filebrowser/Makefile b/filebrowser/Makefile index 51eb59849..47d398b15 100644 --- a/filebrowser/Makefile +++ b/filebrowser/Makefile @@ -5,13 +5,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=filebrowser -PKG_VERSION:=2.24.2 +PKG_VERSION:=2.25.0 PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE_PROTO:=git PKG_SOURCE_VERSION:=02db83c72ef3e14bac8df085a49f873261c6fb69 PKG_SOURCE_URL:=https://github.com/filebrowser/filebrowser -PKG_HASH:=4889c0efd1abfdb3a717c5c906db4fa36dd6a2b01754e4124c9d870147df2682 +PKG_HASH:=e6d83a869454a1b90768917809f76673acc9752999faf2d6ba50766d7d8a7d38 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE diff --git a/luci-app-passwall2/Makefile b/luci-app-passwall2/Makefile index 32c5404da..62d0a7b90 100644 --- a/luci-app-passwall2/Makefile +++ b/luci-app-passwall2/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall2 -PKG_VERSION:=1.20-10 +PKG_VERSION:=1.20-11 PKG_RELEASE:= PKG_CONFIG_DEPENDS:= \ diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/hysteria.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/hysteria2.lua similarity index 67% rename from luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/hysteria.lua rename to luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/hysteria2.lua index 4f28e3ba7..a8fc17d66 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/hysteria.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/hysteria2.lua 
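Review bot: In filebrowser/Makefile, `PKG_VERSION` moves to 2.25.0 and `PKG_HASH` changes, but `PKG_SOURCE_VERSION:=02db83c72ef3e14bac8df085a49f873261c6fb69` is an unchanged context line. With `PKG_SOURCE_PROTO:=git`, the build presumably still checks out the same commit that was packaged as 2.24.2. If that commit is not the 2.25.0 release, the package advertises a version whose fixes it does not contain, which misleads anyone matching installed versions against advisories. The commit id should be bumped in the same change as the version, and `PKG_HASH` regenerated from that checkout.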
@@ -6,22 +6,20 @@ if not api.finded_com("hysteria") then return end -local type_name = "Hysteria" +local type_name = "Hysteria2" -local option_prefix = "hysteria_" +local option_prefix = "hysteria2_" local function option_name(name) return option_prefix .. name end --- [[ Hysteria ]] +-- [[ Hysteria2 ]] -s.fields["type"]:value(type_name, translate("Hysteria")) +s.fields["type"]:value(type_name, "Hysteria2") o = s:option(ListValue, option_name("protocol"), translate("Protocol")) o:value("udp", "UDP") -o:value("faketcp", "faketcp") -o:value("wechat-video", "wechat-video") o = s:option(Value, option_name("address"), translate("Address (Support Domain Name)")) @@ -34,19 +32,8 @@ o.rewrite_option = o.option o = s:option(Value, option_name("obfs"), translate("Obfs Password")) o.rewrite_option = o.option -o = s:option(ListValue, option_name("auth_type"), translate("Auth Type")) -o:value("disable", translate("Disable")) -o:value("string", translate("STRING")) -o:value("base64", translate("BASE64")) -o.rewrite_option = o.option - o = s:option(Value, option_name("auth_password"), translate("Auth Password")) o.password = true -o:depends({ [option_name("auth_type")] = "string"}) -o:depends({ [option_name("auth_type")] = "base64"}) -o.rewrite_option = o.option - -o = s:option(Value, option_name("alpn"), translate("QUIC TLS ALPN")) o.rewrite_option = o.option o = s:option(Flag, option_name("fast_open"), translate("Fast Open")) 
@@ -58,11 +45,14 @@ o = s:option(Flag, option_name("tls_allowInsecure"), translate("allowInsecure"), o.default = "0" o = s:option(Value, option_name("up_mbps"), translate("Max upload Mbps")) -o.default = "10" +o.default = "100" o.rewrite_option = o.option o = s:option(Value, option_name("down_mbps"), translate("Max download Mbps")) -o.default = "50" +o.default = "100" +o.rewrite_option = o.option + +o = s:option(Value, option_name("hop_interval"), translate("Hop Interval")) o.rewrite_option = o.option o = s:option(Value, option_name("recv_window_conn"), translate("QUIC stream receive window")) @@ -71,19 +61,11 @@ o.rewrite_option = o.option o = s:option(Value, option_name("recv_window"), translate("QUIC connection receive window")) o.rewrite_option = o.option -o = s:option(Value, option_name("handshake_timeout"), translate("Handshake Timeout")) -o.rewrite_option = o.option - o = s:option(Value, option_name("idle_timeout"), translate("Idle Timeout")) o.rewrite_option = o.option -o = s:option(Value, option_name("hop_interval"), translate("Hop Interval")) -o.rewrite_option = o.option - o = s:option(Flag, option_name("disable_mtu_discovery"), translate("Disable MTU detection")) -o.rewrite_option = o.option - -o = s:option(Flag, option_name("lazy_start"), translate("Lazy Start")) +o.default = "0" o.rewrite_option = o.option api.luci_types(arg[1], m, s, type_name, option_prefix) diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/hysteria.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/hysteria2.lua similarity index 52% rename from luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/hysteria.lua rename to luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/hysteria2.lua index ced902a29..ea4556a71 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/hysteria.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/hysteria2.lua 
@@ -6,40 +6,26 @@ if not api.finded_com("hysteria") then return end -local type_name = "Hysteria" +local type_name = "Hysteria2" -local option_prefix = "hysteria_" +local option_prefix = "hysteria2_" local function option_name(name) return option_prefix .. name end --- [[ Hysteria ]] +-- [[ Hysteria2 ]] -s.fields["type"]:value(type_name, translate("Hysteria")) +s.fields["type"]:value(type_name, "Hysteria2") o = s:option(Value, option_name("port"), translate("Listen Port")) o.datatype = "port" -o = s:option(ListValue, option_name("protocol"), translate("Protocol")) -o:value("udp", "UDP") -o:value("faketcp", "faketcp") -o:value("wechat-video", "wechat-video") - o = s:option(Value, option_name("obfs"), translate("Obfs Password")) o.rewrite_option = o.option -o = s:option(ListValue, option_name("auth_type"), translate("Auth Type")) -o:value("disable", translate("Disable")) -o:value("string", translate("STRING")) -o.rewrite_option = o.option - o = s:option(Value, option_name("auth_password"), translate("Auth Password")) o.password = true -o:depends({ [option_name("auth_type")] = "string" }) -o.rewrite_option = o.option - -o = s:option(Value, option_name("alpn"), translate("QUIC TLS ALPN")) o.rewrite_option = o.option o = s:option(Flag, option_name("udp"), translate("UDP")) 
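Review bot: With the `auth_type` selector removed, `auth_password` is the only authentication setting left on the server form, yet nothing in this hunk makes it mandatory. `gen_config_server` in util_hysteria2.lua writes `auth = { type = "password", password = node.hysteria2_auth_password }` unconditionally, so a blank field becomes a password block with no password. Marking the option required, for example `o.rmempty = false` after `o.password = true`, would reject that at save time instead of leaving the outcome to the daemon. The `obfs` field just above has the same shape: the generator always emits a `salamander` block even when no obfs password was entered, where omitting the block would match what the user configured.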
@@ -47,40 +33,19 @@ o.default = "1" o.rewrite_option = o.option o = s:option(Value, option_name("up_mbps"), translate("Max upload Mbps")) -o.default = "10" +o.default = "100" o.rewrite_option = o.option o = s:option(Value, option_name("down_mbps"), translate("Max download Mbps")) -o.default = "50" +o.default = "100" o.rewrite_option = o.option -o = s:option(Value, option_name("recv_window_conn"), translate("QUIC stream receive window")) +o = s:option(Flag, option_name("ignoreClientBandwidth"), translate("ignoreClientBandwidth")) +o.default = "0" o.rewrite_option = o.option -o = s:option(Value, option_name("recv_window"), translate("QUIC connection receive window")) -o.rewrite_option = o.option - -o = s:option(Flag, option_name("disable_mtu_discovery"), translate("Disable MTU detection")) -o.rewrite_option = o.option - -o = s:option(Flag, option_name("tls"), translate("TLS")) -o.default = 0 -o.validate = function(self, value, t) - if value then - if value == "1" then - local ca = s.fields[option_name("tls_certificateFile")]:formvalue(t) or "" - local key = s.fields[option_name("tls_keyFile")]:formvalue(t) or "" - if ca == "" or key == "" then - return nil, translate("Public key and Private key path can not be empty!") - end - end - return value - end -end - o = s:option(FileUpload, option_name("tls_certificateFile"), translate("Public key absolute path"), translate("as:") .. "/etc/ssl/fullchain.pem") o.default = m:get(s.section, "tls_certificateFile") or "/etc/config/ssl/" .. arg[1] .. ".pem" -o:depends({ [option_name("tls")] = true }) o.validate = function(self, value, t) if value and value ~= "" then if not nixio.fs.access(value) then 
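Review bot: Dropping the `tls` flag also drops the only check that the certificate and key paths are non-empty, namely the deleted validator that returned `Public key and Private key path can not be empty!`. The validators left on `tls_certificateFile` and `tls_keyFile` only run their `nixio.fs.access` test inside `if value and value ~= "" then`, so a cleared field is not rejected by them. Since `gen_config_server` now always emits a `tls` block built from these two values, the emptiness check should be re-established on the fields themselves, for example by making both required with `o.rmempty = false`. The validator bodies continue past the end of this hunk, so confirm they do not already cover it.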
@@ -94,7 +59,6 @@ end o = s:option(FileUpload, option_name("tls_keyFile"), translate("Private key absolute path"), translate("as:") .. "/etc/ssl/private.key") o.default = m:get(s.section, "tls_keyFile") or "/etc/config/ssl/" .. arg[1] .. ".key" -o:depends({ [option_name("tls")] = true }) o.validate = function(self, value, t) if value and value ~= "" then if not nixio.fs.access(value) then diff --git a/luci-app-passwall2/luasrc/passwall2/api.lua b/luci-app-passwall2/luasrc/passwall2/api.lua index f74f6770d..b5af55ac4 100644 --- a/luci-app-passwall2/luasrc/passwall2/api.lua +++ b/luci-app-passwall2/luasrc/passwall2/api.lua @@ -719,6 +719,9 @@ function to_check(arch, app_name) end local remote_version = json.tag_name + if com[app_name].remote_version_str_replace then + remote_version = remote_version:gsub(com[app_name].remote_version_str_replace, "") + end local has_update = compare_versions(local_version:match("[^v]+"), "<", remote_version:match("[^v]+")) if not has_update then diff --git a/luci-app-passwall2/luasrc/passwall2/com.lua b/luci-app-passwall2/luasrc/passwall2/com.lua index 61366cc38..e12b6ab00 100644 --- a/luci-app-passwall2/luasrc/passwall2/com.lua +++ b/luci-app-passwall2/luasrc/passwall2/com.lua @@ -23,7 +23,8 @@ _M.hysteria = { name = "Hysteria", repo = "HyNetwork/hysteria", get_url = gh_release_url, - cmd_version = "-v | awk '{print $3}'", + cmd_version = "version | awk '/^Version:/ {print $2}'", + remote_version_str_replace = "app/", zipped = false, default_path = "/usr/bin/hysteria", match_fmt_str = "linux%%-%s$", diff --git a/luci-app-passwall2/luasrc/passwall2/server_app.lua b/luci-app-passwall2/luasrc/passwall2/server_app.lua index 476cb1bad..d77a65d7a 100644 --- a/luci-app-passwall2/luasrc/passwall2/server_app.lua +++ b/luci-app-passwall2/luasrc/passwall2/server_app.lua 
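Review bot: In the api.lua hunk, `remote_version_str_replace` is handed to `gsub` as a Lua pattern and is unanchored. It therefore strips every match anywhere in `json.tag_name`, and a future value containing `-`, `.` or `%` would be read as pattern syntax rather than literal text. The only configured value is the prefix `"app/"`, so a literal prefix strip is tighter: test `remote_version:sub(1, #prefix) == prefix` and then take `remote_version:sub(#prefix + 1)`. `json.tag_name` appears to come from the remote release feed, so it is also worth confirming, outside this hunk, that a missing or non-string tag is handled before `:gsub` is called on it.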
@@ -159,8 +159,8 @@ local function start() brook_path_arg = " --path " .. brook_path end bin = ln_run(api.get_app_path("brook"), "brook_" .. id, string.format("--debug %s -l :%s -p %s%s", brook_protocol, port, brook_password, brook_path_arg), log_path) - elseif type == "Hysteria" then - config = require(require_dir .. "util_hysteria").gen_config_server(user) + elseif type == "Hysteria2" then + config = require(require_dir .. "util_hysteria2").gen_config_server(user) bin = ln_run(api.get_app_path("hysteria"), "hysteria", "-c " .. config_file .. " server", log_path) end diff --git a/luci-app-passwall2/luasrc/passwall2/util_hysteria.lua b/luci-app-passwall2/luasrc/passwall2/util_hysteria.lua deleted file mode 100644 index e55586427..000000000 --- a/luci-app-passwall2/luasrc/passwall2/util_hysteria.lua +++ /dev/null 
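Review bot: The `elseif` now matches only `"Hysteria2"`, so a server entry stored earlier with type `"Hysteria"` falls through every branch visible here and nothing is started for it. Unless a migration elsewhere rewrites stored entries, that failure is silent, and a final `else` that logs the unrecognised type would make it visible. Separately, the generated config now carries `auth.password` and the obfs password in clear text and is passed to the binary as `-c config_file`. The code that writes `config_file` is outside this hunk, so confirm it creates the file readable by the service user only. `start()` begins and ends outside the hunk.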
@@ -1,104 +0,0 @@ -module("luci.passwall2.util_hysteria", package.seeall) -local api = require "luci.passwall2.api" -local uci = api.uci -local jsonc = api.jsonc - -function gen_config_server(node) - local config = { - listen = ":" .. node.port, - protocol = node.protocol or "udp", - obfs = node.hysteria_obfs, - cert = node.tls_certificateFile, - key = node.tls_keyFile, - auth = (node.hysteria_auth_type == "string") and { - mode = "password", - config = { - password = node.hysteria_auth_password - } - } or nil, - disable_udp = (node.hysteria_udp == "0") and true or false, - alpn = node.hysteria_alpn or nil, - up_mbps = tonumber(node.hysteria_up_mbps) or 10, - down_mbps = tonumber(node.hysteria_down_mbps) or 50, - recv_window_conn = (node.hysteria_recv_window_conn) and tonumber(node.hysteria_recv_window_conn) or nil, - recv_window = (node.hysteria_recv_window) and tonumber(node.hysteria_recv_window) or nil, - disable_mtu_discovery = (node.hysteria_disable_mtu_discovery) and true or false - } - return config -end - -function gen_config(var) - local node_id = var["-node"] - if not node_id then - print("-node 不能为空") - return - end - local node = uci:get_all("passwall2", node_id) - local local_socks_address = var["-local_socks_address"] or "0.0.0.0" - local local_socks_port = var["-local_socks_port"] - local local_socks_username = var["-local_socks_username"] - local local_socks_password = var["-local_socks_password"] - local local_http_address = var["-local_http_address"] or "0.0.0.0" - local local_http_port = var["-local_http_port"] - local local_http_username = var["-local_http_username"] - local local_http_password = var["-local_http_password"] - local server_host = var["-server_host"] or node.address - local server_port = var["-server_port"] or node.port - - if api.is_ipv6(server_host) then - server_host = api.get_ipv6_full(server_host) - end - local server = server_host .. ":" .. server_port - - if (node.hysteria_hop) then - server = server .. "," .. 
node.hysteria_hop - end - - local config = { - server = server, - protocol = node.protocol or "udp", - obfs = node.hysteria_obfs, - auth = (node.hysteria_auth_type == "base64") and node.hysteria_auth_password or nil, - auth_str = (node.hysteria_auth_type == "string") and node.hysteria_auth_password or nil, - alpn = node.hysteria_alpn or nil, - server_name = node.tls_serverName, - insecure = (node.tls_allowInsecure == "1") and true or false, - up_mbps = tonumber(node.hysteria_up_mbps) or 10, - down_mbps = tonumber(node.hysteria_down_mbps) or 50, - retry = -1, - retry_interval = 5, - recv_window_conn = (node.hysteria_recv_window_conn) and tonumber(node.hysteria_recv_window_conn) or nil, - recv_window = (node.hysteria_recv_window) and tonumber(node.hysteria_recv_window) or nil, - handshake_timeout = (node.hysteria_handshake_timeout) and tonumber(node.hysteria_handshake_timeout) or nil, - idle_timeout = (node.hysteria_idle_timeout) and tonumber(node.hysteria_idle_timeout) or nil, - hop_interval = (node.hysteria_hop_interval) and tonumber(node.hysteria_hop_interval) or nil, - disable_mtu_discovery = (node.hysteria_disable_mtu_discovery) and true or false, - fast_open = (node.fast_open == "1") and true or false, - lazy_start = (node.hysteria_lazy_start) and true or false, - socks5 = (local_socks_address and local_socks_port) and { - listen = local_socks_address .. ":" .. local_socks_port, - timeout = 300, - disable_udp = false, - user = (local_socks_username and local_socks_password) and local_socks_username, - password = (local_socks_username and local_socks_password) and local_socks_password, - } or nil, - http = (local_http_address and local_http_port) and { - listen = local_http_address .. ":" .. 
local_http_port, - timeout = 300, - disable_udp = false, - user = (local_http_username and local_http_password) and local_http_username, - password = (local_http_username and local_http_password) and local_http_password, - } or nil - } - - return jsonc.stringify(config, 1) -end - -_G.gen_config = gen_config - -if arg[1] then - local func =_G[arg[1]] - if func then - print(func(api.get_function_args(arg))) - end -end diff --git a/luci-app-passwall2/luasrc/passwall2/util_hysteria2.lua b/luci-app-passwall2/luasrc/passwall2/util_hysteria2.lua new file mode 100644 index 000000000..8ae9b25f8 --- /dev/null +++ b/luci-app-passwall2/luasrc/passwall2/util_hysteria2.lua 
@@ -0,0 +1,115 @@ +module("luci.passwall2.util_hysteria2", package.seeall) +local api = require "luci.passwall2.api" +local uci = api.uci +local jsonc = api.jsonc + +function gen_config_server(node) + local config = { + listen = ":" .. node.port, + tls = { + cert = node.tls_certificateFile, + key = node.tls_keyFile, + }, + obfs = { + type = "salamander", + salamander = { + password = node.hysteria2_obfs + } + }, + auth = { + type = "password", + password = node.hysteria2_auth_password + }, + bandwidth = { + up = node.hysteria2_up_mbps and node.hysteria2_up_mbps .. " mbps" or "1 gbps", + down = node.hysteria2_down_mbps and node.hysteria2_down_mbps .. " mbps" or "1 gbps", + }, + ignoreClientBandwidth = (node.hysteria2_ignoreClientBandwidth == "1") and true or false, + disable_udp = (node.hysteria2_udp == "0") and true or false, + } + return config +end + +function gen_config(var) + local node_id = var["-node"] + if not node_id then + print("-node 不能为空") + return + end + local node = uci:get_all("passwall2", node_id) + local local_socks_address = var["-local_socks_address"] or "0.0.0.0" + local local_socks_port = var["-local_socks_port"] + local local_socks_username = var["-local_socks_username"] + local local_socks_password = var["-local_socks_password"] + local local_http_address = var["-local_http_address"] or "0.0.0.0" + local local_http_port = var["-local_http_port"] + local local_http_username = var["-local_http_username"] + local local_http_password = var["-local_http_password"] + local server_host = var["-server_host"] or node.address + local server_port = var["-server_port"] or node.port + + if api.is_ipv6(server_host) then + server_host = api.get_ipv6_full(server_host) + end + local server = server_host .. ":" .. server_port + + if (node.hysteria2_hop) then + server = server .. "," .. 
node.hysteria2_hop + end + + local config = { + server = server, + transport = { + type = node.protocol or "udp", + udp = { + hopInterval = node.hysteria2_hop_interval and node.hysteria2_hop_interval .. "s" or "30s" + } + }, + obfs = { + type = "salamander", + salamander = { + password = node.hysteria2_obfs + } + }, + auth = node.hysteria2_auth_password, + tls = { + sni = node.tls_serverName, + insecure = (node.tls_allowInsecure == "1") and true or false + }, + quic = { + initStreamReceiveWindow = (node.hysteria2_recv_window) and tonumber(node.hysteria2_recv_window) or nil, + initConnReceiveWindow = (node.hysteria2_recv_window_conn) and tonumber(node.hysteria2_recv_window_conn) or nil, + maxIdleTimeout = (node.hysteria2_idle_timeout) and tonumber(node.hysteria2_idle_timeout) or nil, + disablePathMTUDiscovery = (node.hysteria2_disable_mtu_discovery) and true or false, + }, + bandwidth = { + up = node.hysteria2_up_mbps and node.hysteria2_up_mbps .. " mbps" or "100 mbps", + down = node.hysteria2_down_mbps and node.hysteria2_down_mbps .. " mbps" or "100 mbps" + }, + fast_open = (node.fast_open == "1") and true or false, + lazy = true, + socks5 = (local_socks_address and local_socks_port) and { + listen = local_socks_address .. ":" .. local_socks_port, + username = (local_socks_username and local_socks_password) and local_socks_username or nil, + password = (local_socks_username and local_socks_password) and local_socks_password or nil, + disable_udp = false, + } or nil, + http = (local_http_address and local_http_port) and { + listen = local_http_address .. ":" .. 
local_http_port, + username = (local_http_username and local_http_password) and local_http_username or nil, + password = (local_http_username and local_http_password) and local_http_password or nil, + disable_udp = false, + } or nil + } + + return jsonc.stringify(config, 1) +end + +_G.gen_config = gen_config + +if arg[1] then + local func =_G[arg[1]] + if func then + print(func(api.get_function_args(arg))) + end +end diff --git a/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua b/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua index 808b0e0b0..bb775ec39 100644 --- a/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua +++ b/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua @@ -150,7 +150,7 @@ function gen_outbound(flag, node, tag, proxy_table) if node.transport == "grpc" then v2ray_transport = { type = "grpc", - serviceName = node.grpc_serviceName, + service_name = node.grpc_serviceName, idle_timeout = tonumber(node.grpc_idle_timeout) or nil, ping_timeout = tonumber(node.grpc_health_check_timeout) or nil, permit_without_stream = (node.grpc_permit_without_stream == "1") and true or nil, 
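Review bot: In `gen_config` of util_hysteria2.lua, the local SOCKS5 and HTTP listeners fall back to `"0.0.0.0"` when the caller passes no address, and their credentials are optional, so an omitted argument yields an unauthenticated proxy bound to every interface. Defaulting to loopback (`var["-local_socks_address"] or "127.0.0.1"`, likewise for HTTP) and letting callers that want LAN exposure pass the address explicitly is the safer default. In the `quic` table, `disablePathMTUDiscovery = (node.hysteria2_disable_mtu_discovery) and true or false` is true for a stored `"0"`, because any string is truthy in Lua and the form now sets `o.default = "0"`. It should compare `== "1"` as the `tls_allowInsecure` line does. In the same table, `initStreamReceiveWindow` reads `hysteria2_recv_window` and `initConnReceiveWindow` reads `hysteria2_recv_window_conn`, which looks swapped against the form labels, where `recv_window_conn` is "QUIC stream receive window".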
@@ -676,14 +676,17 @@ function gen_config(var) local local_http_username = var["-local_http_username"] local local_http_password = var["-local_http_password"] local dns_listen_port = var["-dns_listen_port"] - local direct_dns_port = var["-direct_dns_port"] local direct_dns_udp_server = var["-direct_dns_udp_server"] + local direct_dns_udp_port = var["-direct_dns_udp_port"] local direct_dns_query_strategy = var["-direct_dns_query_strategy"] - local remote_dns_port = var["-remote_dns_port"] local remote_dns_udp_server = var["-remote_dns_udp_server"] + local remote_dns_udp_port = var["-remote_dns_udp_port"] local remote_dns_tcp_server = var["-remote_dns_tcp_server"] + local remote_dns_tcp_port = var["-remote_dns_tcp_port"] local remote_dns_doh_url = var["-remote_dns_doh_url"] local remote_dns_doh_host = var["-remote_dns_doh_host"] + local remote_dns_doh_ip = var["-remote_dns_doh_ip"] + local remote_dns_doh_port = var["-remote_dns_doh_port"] local remote_dns_query_strategy = var["-remote_dns_query_strategy"] local remote_dns_fake = var["-remote_dns_fake"] local dns_cache = var["-dns_cache"] 
@@ -1088,109 +1091,105 @@ function gen_config(var) reverse_mapping = true, --在响应 DNS 查询后存储 IP 地址的反向映射以为路由目的提供域名。 fakeip = nil, } - - if true then - local dns_tag = "remote" - - local domain = {} - local domain_suffix = {} - local domain_keyword = {} - local domain_regex = {} - local geosite = {} - for index, value in ipairs(dns_remote_domains) do - if value:find("geosite:") == 1 then - table.insert(geosite, value:sub(1 + #"geosite:")) - elseif value:find("regexp:") == 1 then - table.insert(domain_regex, value:sub(1 + #"regexp:")) - elseif value:find("full:") == 1 then - table.insert(domain, value:sub(1 + #"full:")) - elseif value:find("domain:") == 1 then - table.insert(domain_keyword, value:sub(1 + #"domain:")) - else - table.insert(domain, value) - end + + local dns_tag = "remote" + + local domain = {} + local domain_suffix = {} + local domain_keyword = {} + local domain_regex = {} + local geosite = {} + for index, value in ipairs(dns_remote_domains) do + if value:find("geosite:") == 1 then + table.insert(geosite, value:sub(1 + #"geosite:")) + elseif value:find("regexp:") == 1 then + table.insert(domain_regex, value:sub(1 + #"regexp:")) + elseif value:find("full:") == 1 then + table.insert(domain, value:sub(1 + #"full:")) + elseif value:find("domain:") == 1 then + table.insert(domain_keyword, value:sub(1 + #"domain:")) + else + table.insert(domain, value) end - local remote_rule = { - server = dns_tag, - domain = #domain > 0 and domain or nil, - domain_suffix = #domain_suffix > 0 and domain_suffix or nil, - domain_keyword = #domain_keyword > 0 and domain_keyword or nil, - domain_regex = #domain_regex > 0 and domain_regex or nil, - geosite = #geosite > 0 and geosite or nil, - disable_cache = true, + end + local remote_rule = { + server = dns_tag, + domain = #domain > 0 and domain or nil, + domain_suffix = #domain_suffix > 0 and domain_suffix or nil, + domain_keyword = #domain_keyword > 0 and domain_keyword or nil, + domain_regex = #domain_regex > 0 and 
domain_regex or nil, + geosite = #geosite > 0 and geosite or nil, + disable_cache = true, + } + + local remote_strategy = "prefer_ipv6" + if remote_dns_query_strategy == "UseIPv4" then + remote_strategy = "ipv4_only" + elseif remote_dns_query_strategy == "UseIPv6" then + remote_strategy = "ipv6_only" + end + + local server = { + tag = dns_tag, + address_strategy = "prefer_ipv4", + strategy = remote_strategy, + address_resolver = "direct", + detour = dns_outTag, + } + + if remote_dns_udp_server then + local server_port = tonumber(remote_dns_udp_port) or 53 + server.address = "udp://" .. remote_dns_udp_server .. ":" .. server_port + end + + if remote_dns_tcp_server then + local server_port = tonumber(remote_dns_tcp_port) or 53 + server.address = "tcp://" .. remote_dns_tcp_server .. ":" .. server_port + end + + if remote_dns_doh_url then + server.address = remote_dns_doh_url + end + + if server.address then + table.insert(dns.servers, server) + end + + local fakedns_tag = dns_tag .. "_fakeip" + if remote_dns_fake then + dns.fakeip = { + enabled = true, + inet4_range = "198.18.0.0/16", + inet6_range = "fc00::/18", } - - local remote_strategy = "prefer_ipv6" - if remote_dns_query_strategy == "UseIPv4" then - remote_strategy = "ipv4_only" - elseif remote_dns_query_strategy == "UseIPv6" then - remote_strategy = "ipv6_only" - end - - local server = { - tag = dns_tag, - address_strategy = "prefer_ipv4", + + table.insert(dns.servers, { + tag = fakedns_tag, + address = "fakeip", strategy = remote_strategy, - address_resolver = "direct", - detour = dns_outTag, - } - - local rule_server = dns_tag - - if remote_dns_udp_server then - local server_port = tonumber(remote_dns_port) or 53 - server.address = "udp://" .. remote_dns_udp_server .. ":" .. 
server_port - end - - if remote_dns_tcp_server then - server.address = remote_dns_tcp_server - end - - if remote_dns_doh_url and remote_dns_doh_host then - server.address = remote_dns_doh_url - end - - if server.address then - table.insert(dns.servers, server) - end - - if remote_dns_fake then - dns.fakeip = { - enabled = true, - inet4_range = "198.18.0.0/16", - inet6_range = "fc00::/18", + }) + + if tags and tags:find("with_clash_api") then + if not experimental then + experimental = {} + end + experimental.clash_api = { + store_fakeip = true, + cache_file = "/tmp/singbox_passwall2_" .. flag .. ".db" } - - local fakedns_tag = dns_tag .. "_fakeip" - - if not server.address then - fakedns_tag = dns_tag - end - - table.insert(dns.servers, { - tag = fakedns_tag, - address = "fakeip", - strategy = remote_strategy, - }) - - rule_server = fakedns_tag - - if tags and tags:find("with_clash_api") then - if not experimental then - experimental = {} - end - experimental.clash_api = { - store_fakeip = true, - cache_file = "/tmp/singbox_passwall2_" .. flag .. ".db" - } - end end - - if remote_rule.domain or remote_rule.domain_suffix or remote_rule.domain_keyword or remote_rule.domain_regex or remote_rule.geosite then - local rule = api.clone(remote_rule) - rule.server = rule_server - table.insert(dns.rules, rule) + end + + if remote_rule.domain or remote_rule.domain_suffix or remote_rule.domain_keyword or remote_rule.domain_regex or remote_rule.geosite then + local rule = api.clone(remote_rule) + rule.server = dns_tag + if remote_dns_fake then + rule.query_type = { + "A", "AAAA" + } + rule.server = fakedns_tag end + table.insert(dns.rules, rule) end if direct_dns_udp_server then 
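Review bot: The DoH branch now accepts any `remote_dns_doh_url` and assigns it to `server.address` unchanged, while `remote_dns_doh_host`, `remote_dns_doh_ip` and `remote_dns_doh_port` (read in the previous hunk) are not used in these lines. The URL's hostname is then resolved through `address_resolver = "direct"`, so a caller-supplied pinned IP for the DoH endpoint is ignored and the bootstrap lookup is exposed to the direct resolver path. Either consume the ip/port arguments when building the address or drop the unused locals so the behaviour is explicit. The same pattern recurs in the `gen_dns_config` hunks further down, for both `direct_dns_doh_*` and `remote_dns_doh_*`. `gen_config` continues outside this hunk, so the values may be consumed elsewhere.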
@@ -1221,14 +1220,16 @@ function gen_config(var) end local direct_rule = { server = dns_tag, - domain = domain, + domain = #domain > 0 and domain or nil, domain_suffix = #domain_suffix > 0 and domain_suffix or nil, domain_keyword = #domain_keyword > 0 and domain_keyword or nil, domain_regex = #domain_regex > 0 and domain_regex or nil, geosite = #geosite > 0 and geosite or nil, disable_cache = false, } - table.insert(dns.rules, direct_rule) + if direct_rule.domain or direct_rule.domain_suffix or direct_rule.domain_keyword or direct_rule.domain_regex or direct_rule.geosite then + table.insert(dns.rules, direct_rule) + end local direct_strategy = "prefer_ipv6" if direct_dns_query_strategy == "UseIPv4" then @@ -1237,7 +1238,7 @@ function gen_config(var) direct_strategy = "ipv6_only" end - local port = tonumber(direct_dns_port) or 53 + local port = tonumber(direct_dns_udp_port) or 53 table.insert(dns.servers, { tag = dns_tag, @@ -1252,6 +1253,18 @@ function gen_config(var) tag = "block", address = "rcode://refused", }) + + local default_dns_flag = "remote" + if node_id and redir_port then + local node = uci:get_all(appname, node_id) + if node.protocol == "_shunt" then + if node.default_node == "_direct" then + default_dns_flag = "direct" + end + end + else default_dns_flag = "direct" + end + dns.final = default_dns_flag table.insert(inbounds, { type = "direct", @@ -1271,18 +1284,6 @@ function gen_config(var) }, outbound = "dns-out" }) - - local default_dns_flag = "remote" - if node_id and redir_port then - local node = uci:get_all(appname, node_id) - if node.protocol == "_shunt" then - if node.default_node == "_direct" then - default_dns_flag = "direct" - end - end - else default_dns_flag = "direct" - end - dns.final = default_dns_flag end if inbounds or outbounds then 
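Review bot: In the relocated `default_dns_flag` block, `dns.final` is set to `"remote"` or `"direct"` without checking that a server with that tag was added. The remote server is inserted only under `if server.address then`, and the direct one only under `if direct_dns_udp_server then`, so with the corresponding arguments missing the final resolver names a tag that `dns.servers` does not contain. Guarding the assignment on the tag actually having been inserted would prevent a config that refers to a nonexistent server. In the same block, `uci:get_all(appname, node_id)` can return nil for a stale `node_id` and is dereferenced as `node.protocol` with no check; `if node and node.protocol == "_shunt" then` covers it.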
@@ -1408,22 +1409,24 @@ function gen_dns_config(var) local dns_listen_port = var["-dns_listen_port"] local dns_query_strategy = var["-dns_query_strategy"] local dns_out_tag = var["-dns_out_tag"] - local dns_client_ip = var["-dns_client_ip"] - local direct_dns_server = var["-direct_dns_server"] - local direct_dns_port = var["-direct_dns_port"] local direct_dns_udp_server = var["-direct_dns_udp_server"] + local direct_dns_udp_port = var["-direct_dns_udp_port"] local direct_dns_tcp_server = var["-direct_dns_tcp_server"] + local direct_dns_tcp_port = var["-direct_dns_tcp_port"] local direct_dns_doh_url = var["-direct_dns_doh_url"] local direct_dns_doh_host = var["-direct_dns_doh_host"] - local remote_dns_server = var["-remote_dns_server"] - local remote_dns_port = var["-remote_dns_port"] + local direct_dns_doh_ip = var["-direct_dns_doh_ip"] + local direct_dns_doh_port = var["-direct_dns_doh_port"] local remote_dns_udp_server = var["-remote_dns_udp_server"] + local remote_dns_udp_port = var["-remote_dns_udp_port"] local remote_dns_tcp_server = var["-remote_dns_tcp_server"] + local remote_dns_tcp_port = var["-remote_dns_tcp_port"] local remote_dns_doh_url = var["-remote_dns_doh_url"] local remote_dns_doh_host = var["-remote_dns_doh_host"] + local remote_dns_doh_ip = var["-remote_dns_doh_ip"] + local remote_dns_doh_port = var["-remote_dns_doh_port"] local remote_dns_outbound_socks_address = var["-remote_dns_outbound_socks_address"] local remote_dns_outbound_socks_port = var["-remote_dns_outbound_socks_port"] - local remote_dns_fake = var["-remote_dns_fake"] local dns_cache = var["-dns_cache"] local log = var["-log"] or "0" local loglevel = var["-loglevel"] or "warn" @@ -1446,7 +1449,6 @@ function gen_dns_config(var) disable_expire = false, --禁用 DNS 缓存过期。 independent_cache = false, --使每个 DNS 服务器的缓存独立,以满足特殊目的。如果启用,将轻微降低性能。 reverse_mapping = true, --在响应 DNS 查询后存储 IP 地址的反向映射以为路由目的提供域名。 - fakeip = nil, } if dns_out_tag == "remote" then 
@@ -1456,26 +1458,18 @@ function gen_dns_config(var) strategy = (dns_query_strategy and dns_query_strategy ~= "UseIP") and "ipv4_only" or "prefer_ipv6", detour = "remote-out", } - - if remote_dns_fake then - server.address = "fakeip" - dns.fakeip = { - enabled = true, - inet4_range = "198.18.0.0/16", - inet6_range = "fc00::/18", - } - end if remote_dns_udp_server then - local server_port = tonumber(remote_dns_port) or 53 + local server_port = tonumber(remote_dns_udp_port) or 53 server.address = "udp://" .. remote_dns_udp_server .. ":" .. server_port end if remote_dns_tcp_server then - server.address = remote_dns_tcp_server + local server_port = tonumber(remote_dns_tcp_port) or 53 + server.address = "tcp://" .. remote_dns_tcp_server .. ":" .. server_port end - if remote_dns_doh_url and remote_dns_doh_host then + if remote_dns_doh_url then server.address = remote_dns_doh_url end @@ -1488,10 +1482,8 @@ function gen_dns_config(var) server_port = tonumber(remote_dns_outbound_socks_port), }) - table.insert(route.rules, { - network = {"tcp", "udp"}, - outbound = "remote-out" - }) + route.final = "remote-out" + elseif dns_out_tag == "direct" then local server = { tag = dns_out_tag, @@ -1501,17 +1493,16 @@ function gen_dns_config(var) } if direct_dns_udp_server then - local server_port = tonumber(direct_dns_port) or 53 + local server_port = tonumber(direct_dns_udp_port) or 53 server.address = "udp://" .. direct_dns_udp_server .. ":" .. server_port end if direct_dns_tcp_server then - local server_port = tonumber(direct_dns_port) or 53 - server.address = direct_dns_tcp_server .. ":" .. server_port + local server_port = tonumber(direct_dns_tcp_port) or 53 + server.address = "tcp://" .. direct_dns_tcp_server .. ":" .. server_port end - if direct_dns_doh_url and direct_dns_doh_host then - local server_port = tonumber(direct_dns_port) or 443 + if direct_dns_doh_url then server.address = direct_dns_doh_url end 
diff --git a/luci-app-passwall2/luasrc/passwall2/util_xray.lua b/luci-app-passwall2/luasrc/passwall2/util_xray.lua index e8e8e6a51..dafe89290 100644 --- a/luci-app-passwall2/luasrc/passwall2/util_xray.lua +++ b/luci-app-passwall2/luasrc/passwall2/util_xray.lua @@ -521,10 +521,10 @@ function gen_config(var) local local_http_password = var["-local_http_password"] local dns_listen_port = var["-dns_listen_port"] local dns_query_strategy = var["-dns_query_strategy"] - local direct_dns_port = var["-direct_dns_port"] local direct_dns_udp_server = var["-direct_dns_udp_server"] - local remote_dns_port = var["-remote_dns_port"] + local direct_dns_udp_port = var["-direct_dns_udp_port"] local remote_dns_udp_server = var["-remote_dns_udp_server"] + local remote_dns_udp_port = var["-remote_dns_udp_port"] local remote_dns_fake = var["-remote_dns_fake"] local remote_dns_fake_strategy = var["-remote_dns_fake_strategy"] local dns_cache = var["-dns_cache"] 
@@ -1034,56 +1034,54 @@ function gen_config(var) end) end - if true then - if remote_dns_udp_server then - local _remote_dns = { - _flag = "remote", - address = remote_dns_udp_server, - port = tonumber(remote_dns_port) or 53 - } - if not remote_dns_fake then - _remote_dns.domains = #dns_remote_domains > 0 and dns_remote_domains or nil - --_remote_dns.expectIPs = #dns_remote_expectIPs > 0 and dns_remote_expectIPs or nil - end - _remote_dns_proto = "udp" - table.insert(dns.servers, _remote_dns) - - table.insert(routing.rules, 1, { - type = "field", - ip = { - remote_dns_udp_server - }, - port = tonumber(remote_dns_port) or 53, - network = "udp", - outboundTag = "direct" - }) + if remote_dns_udp_server then + local _remote_dns = { + _flag = "remote", + address = remote_dns_udp_server, + port = tonumber(remote_dns_udp_port) or 53 + } + if not remote_dns_fake then + _remote_dns.domains = #dns_remote_domains > 0 and dns_remote_domains or nil + --_remote_dns.expectIPs = #dns_remote_expectIPs > 0 and dns_remote_expectIPs or nil end - if remote_dns_fake then - fakedns = {} - local fakedns4 = { - ipPool = "198.18.0.0/16", - poolSize = 65535 - } - local fakedns6 = { - ipPool = "fc00::/18", - poolSize = 65535 - } - if remote_dns_fake_strategy == "UseIP" then - table.insert(fakedns, fakedns4) - table.insert(fakedns, fakedns6) - elseif remote_dns_fake_strategy == "UseIPv4" then - table.insert(fakedns, fakedns4) - elseif remote_dns_fake_strategy == "UseIPv6" then - table.insert(fakedns, fakedns6) - end - local _remote_dns = { - _flag = "remote_fakedns", - address = "fakedns", - domains = #dns_remote_domains > 0 and dns_remote_domains or nil - --expectIPs = #dns_remote_expectIPs > 0 and dns_remote_expectIPs or nil - } - table.insert(dns.servers, _remote_dns) + _remote_dns_proto = "udp" + table.insert(dns.servers, _remote_dns) + + table.insert(routing.rules, 1, { + type = "field", + ip = { + remote_dns_udp_server + }, + port = tonumber(remote_dns_udp_port) or 53, + network = "udp", 
+ outboundTag = "direct" + }) + end + if remote_dns_fake then + fakedns = {} + local fakedns4 = { + ipPool = "198.18.0.0/16", + poolSize = 65535 + } + local fakedns6 = { + ipPool = "fc00::/18", + poolSize = 65535 + } + if remote_dns_fake_strategy == "UseIP" then + table.insert(fakedns, fakedns4) + table.insert(fakedns, fakedns6) + elseif remote_dns_fake_strategy == "UseIPv4" then + table.insert(fakedns, fakedns4) + elseif remote_dns_fake_strategy == "UseIPv6" then + table.insert(fakedns, fakedns6) end + local _remote_dns = { + _flag = "remote_fakedns", + address = "fakedns", + domains = #dns_remote_domains > 0 and dns_remote_domains or nil + --expectIPs = #dns_remote_expectIPs > 0 and dns_remote_expectIPs or nil + } + table.insert(dns.servers, _remote_dns) end if true then @@ -1100,13 +1098,13 @@ function gen_config(var) if direct_dns_udp_server then _direct_dns.address = direct_dns_udp_server - _direct_dns.port = tonumber(direct_dns_port) or 53 + _direct_dns.port = tonumber(direct_dns_udp_port) or 53 table.insert(routing.rules, 1, { type = "field", ip = { direct_dns_udp_server }, - port = tonumber(direct_dns_port) or 53, + port = tonumber(direct_dns_udp_port) or 53, network = "udp", outboundTag = "direct" }) @@ -1130,8 +1128,9 @@ function gen_config(var) local direct_type_dns = { settings = { address = direct_dns_udp_server, - port = tonumber(direct_dns_port) or 53, - network = "udp" + port = tonumber(direct_dns_udp_port) or 53, + network = "udp", + nonIPQuery = "skip" }, proxySettings = { tag = "direct" 
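Review bot: In the de-indented `remote_dns_fake` block the `if/elseif` chain on `remote_dns_fake_strategy` has no `else`, so any other value (including nil when the flag arrives without a strategy) leaves `fakedns = {}` while the `address = "fakedns"` server is still inserted into `dns.servers`. A fallback such as `else table.insert(fakedns, fakedns4)`, or skipping the fakedns server when no pool was added, would keep the generated config consistent. gen_config continues outside this hunk, so whether an empty pool list is handled later is not visible here.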
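Review bot: `nonIPQuery = "skip"` is added to `direct_type_dns.settings` in the `@@ -1130,8 +1128,9 @@` hunk, and to `remote_type_dns` and the `gen_dns_config` DNS outbound in later hunks, with no comment explaining the behaviour change. As I understand the Xray DNS outbound, this switches queries other than A/AAAA from being dropped to being passed on unmodified to `address`, so they no longer go through the built-in DNS module and its domain split. A comment such as `-- forward non-A/AAAA queries upstream instead of dropping them; they bypass the internal DNS rules` would document this. It is also worth confirming that the packaged Xray version accepts the key.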
@@ -1140,20 +1139,14 @@ function gen_config(var) local remote_type_dns = { settings = { address = remote_dns_udp_server, - port = tonumber(remote_dns_port) or 53, - network = _remote_dns_proto or "tcp" + port = tonumber(remote_dns_udp_port) or 53, + network = _remote_dns_proto or "tcp", + nonIPQuery = "skip" }, proxySettings = { tag = "direct" } } - local custom_type_dns = { - settings = { - address = "1.1.1.1", - port = 53, - network = "tcp", - } - } local type_dns = remote_type_dns table.insert(outbounds, { tag = "dns-out", 
@@ -1400,28 +1393,30 @@ function gen_dns_config(var) local dns_query_strategy = var["-dns_query_strategy"] local dns_out_tag = var["-dns_out_tag"] local dns_client_ip = var["-dns_client_ip"] - local direct_dns_server = var["-direct_dns_server"] - local direct_dns_port = var["-direct_dns_port"] local direct_dns_udp_server = var["-direct_dns_udp_server"] + local direct_dns_udp_port = var["-direct_dns_udp_port"] local direct_dns_tcp_server = var["-direct_dns_tcp_server"] + local direct_dns_tcp_port = var["-direct_dns_tcp_port"] local direct_dns_doh_url = var["-direct_dns_doh_url"] local direct_dns_doh_host = var["-direct_dns_doh_host"] - local remote_dns_server = var["-remote_dns_server"] - local remote_dns_port = var["-remote_dns_port"] + local direct_dns_doh_ip = var["-direct_dns_doh_ip"] + local direct_dns_doh_port = var["-direct_dns_doh_port"] local remote_dns_udp_server = var["-remote_dns_udp_server"] + local remote_dns_udp_port = var["-remote_dns_udp_port"] local remote_dns_tcp_server = var["-remote_dns_tcp_server"] + local remote_dns_tcp_port = var["-remote_dns_tcp_port"] local remote_dns_doh_url = var["-remote_dns_doh_url"] local remote_dns_doh_host = var["-remote_dns_doh_host"] + local remote_dns_doh_ip = var["-remote_dns_doh_ip"] + local remote_dns_doh_port = var["-remote_dns_doh_port"] local remote_dns_outbound_socks_address = var["-remote_dns_outbound_socks_address"] local remote_dns_outbound_socks_port = var["-remote_dns_outbound_socks_port"] - local remote_dns_fake = var["-remote_dns_fake"] local dns_cache = var["-dns_cache"] local loglevel = var["-loglevel"] or "warning" local inbounds = {} local outbounds = {} local dns = nil - local fakedns = nil local routing = nil if dns_listen_port then 
@@ -1447,46 +1442,31 @@ function gen_dns_config(var) local _remote_dns = { _flag = "remote" } - - if remote_dns_fake then - remote_dns_server = "1.1.1.1" - fakedns = {} - fakedns[#fakedns + 1] = { - ipPool = "198.18.0.0/16", - poolSize = 65535 - } - if dns_query_strategy == "UseIP" then - fakedns[#fakedns + 1] = { - ipPool = "fc00::/18", - poolSize = 65535 - } - end - _remote_dns.address = "fakedns" - end - - other_type_dns_port = tonumber(remote_dns_port) or 53 - other_type_dns_server = remote_dns_server if remote_dns_udp_server then _remote_dns.address = remote_dns_udp_server - _remote_dns.port = tonumber(remote_dns_port) or 53 + _remote_dns.port = tonumber(remote_dns_udp_port) or 53 + other_type_dns_proto = "udp" + other_type_dns_server = remote_dns_udp_server + other_type_dns_port = _remote_dns.port end if remote_dns_tcp_server then - _remote_dns.address = remote_dns_tcp_server - _remote_dns.port = tonumber(remote_dns_port) or 53 + _remote_dns.address = "tcp://" .. remote_dns_tcp_server + _remote_dns.port = tonumber(remote_dns_tcp_port) or 53 + other_type_dns_proto = "tcp" + other_type_dns_server = remote_dns_tcp_server + other_type_dns_port = _remote_dns.port end if remote_dns_doh_url and remote_dns_doh_host then - if remote_dns_server and remote_dns_doh_host ~= remote_dns_server and not api.is_ip(remote_dns_doh_host) then - dns.hosts[remote_dns_doh_host] = remote_dns_server + if remote_dns_doh_ip and remote_dns_doh_host ~= remote_dns_doh_ip and not api.is_ip(remote_dns_doh_host) then + dns.hosts[remote_dns_doh_host] = remote_dns_doh_ip end _remote_dns.address = remote_dns_doh_url - _remote_dns.port = tonumber(remote_dns_port) or 443 - other_type_dns_proto = "tcp" - other_type_dns_port = 53 + _remote_dns.port = tonumber(remote_dns_doh_port) or 443 end table.insert(dns.servers, _remote_dns) 
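Review bot: The DoH branch no longer assigns `other_type_dns_server`, `other_type_dns_port` or `other_type_dns_proto`, and the unconditional `other_type_dns_server = remote_dns_server` above it is removed as well. Unless they are set outside this hunk, a DoH upstream leaves the DNS outbound further down on its literals: `other_type_dns_server or "1.1.1.1"`, port 53, `"tcp"`. Combined with the new `nonIPQuery = "skip"`, queries that bypass the DNS module would then travel in cleartext to a resolver the user did not configure. Adding `other_type_dns_server = remote_dns_doh_ip` and `other_type_dns_proto = "tcp"` in this branch keeps them on the configured provider. The direct-side DoH branch in the next hunk has the same gap with `direct_dns_doh_ip`.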
@@ -1510,44 +1490,40 @@ function gen_dns_config(var) local _direct_dns = { _flag = "direct" } - - other_type_dns_proto = tonumber(direct_dns_port) or 53 - other_type_dns_server = direct_dns_server if direct_dns_udp_server then _direct_dns.address = direct_dns_udp_server - _direct_dns.port = tonumber(direct_dns_port) or 53 + _direct_dns.port = tonumber(direct_dns_udp_port) or 53 table.insert(routing.rules, 1, { type = "field", ip = { direct_dns_udp_server }, - port = tonumber(direct_dns_port) or 53, + port = tonumber(direct_dns_udp_port) or 53, network = "udp", outboundTag = "direct" }) - end - if direct_dns_udp_server then - _direct_dns.address = direct_dns_udp_server - _direct_dns.port = tonumber(direct_dns_port) or 53 other_type_dns_proto = "udp" + other_type_dns_server = direct_dns_udp_server + other_type_dns_port = _direct_dns.port end if direct_dns_tcp_server then - _direct_dns.address = direct_dns_tcp_server:gsub("tcp://", "tcp+local://") - _direct_dns.port = tonumber(direct_dns_port) or 53 + _direct_dns.address = "tcp+local://" .. direct_dns_tcp_server + _direct_dns.port = tonumber(direct_dns_tcp_port) or 53 + other_type_dns_proto = "tcp" + other_type_dns_server = direct_dns_tcp_server + other_type_dns_port = _direct_dns.port end if direct_dns_doh_url and direct_dns_doh_host then - if direct_dns_server and direct_dns_doh_host ~= direct_dns_server and not api.is_ip(direct_dns_doh_host) then - dns.hosts[direct_dns_doh_host] = direct_dns_server + if direct_dns_doh_ip and direct_dns_doh_host ~= direct_dns_doh_ip and not api.is_ip(direct_dns_doh_host) then + dns.hosts[direct_dns_doh_host] = direct_dns_doh_ip end _direct_dns.address = direct_dns_doh_url:gsub("https://", "https+local://") - _direct_dns.port = tonumber(direct_dns_port) or 443 - other_type_dns_proto = "tcp" - other_type_dns_port = 53 + _direct_dns.port = tonumber(direct_dns_doh_port) or 443 end table.insert(dns.servers, _direct_dns) 
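Review bot: `_direct_dns.address = "tcp+local://" .. direct_dns_tcp_server` now carries the port only in `_direct_dns.port`, whereas the old code expected a full `tcp://...` URL from the caller and merely rewrote the scheme. If Xray takes the port of `tcp://` and `tcp+local://` servers from the URL and ignores the separate `port` field (please confirm against the packaged version), a non-default TCP DNS port is silently replaced by 53. Appending it to the address avoids depending on that: `"tcp+local://" .. direct_dns_tcp_server .. ":" .. (tonumber(direct_dns_tcp_port) or 53)`. The remote branch in the previous hunk (`"tcp://" .. remote_dns_tcp_server`) needs the same change.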
@@ -1597,6 +1573,7 @@ function gen_dns_config(var) address = other_type_dns_server or "1.1.1.1", port = other_type_dns_port or 53, network = other_type_dns_proto or "tcp", + nonIPQuery = "skip" } }) @@ -1625,7 +1602,6 @@ function gen_dns_config(var) }, -- DNS dns = dns, - fakedns = fakedns, -- 传入连接 inbounds = inbounds, -- 传出连接 diff --git a/luci-app-passwall2/luasrc/view/passwall2/node_list/link_share_man.htm b/luci-app-passwall2/luasrc/view/passwall2/node_list/link_share_man.htm index a6224ddc8..2ca0dbf13 100644 --- a/luci-app-passwall2/luasrc/view/passwall2/node_list/link_share_man.htm +++ b/luci-app-passwall2/luasrc/view/passwall2/node_list/link_share_man.htm @@ -139,9 +139,9 @@ local api = require "luci.passwall2.api" } else if (v_type === "Brook") { dom_prefix = "brook_" protocol = "brook" - } else if (v_type === "Hysteria") { - dom_prefix = "hysteria_" - protocol = "hysteria" + } else if (v_type === "Hysteria2") { + dom_prefix = "hysteria2_" + protocol = "hysteria2" } else if (v_type === "Xray") { dom_prefix = "xray_" } else if (v_type === "sing-box") { 
@@ -390,17 +390,14 @@ local api = require "luci.passwall2.api" } url += url_protocol; url += params; - } else if (v_type === "Hysteria") { + } else if (v_type === "Hysteria2") { var v_port = opt.get(dom_prefix + "port"); var params = ""; - params += opt.query("protocol", dom_prefix + "protocol"); params += opt.query("auth", dom_prefix + "auth_password"); - params += opt.query("peer", dom_prefix + "tls_serverName"); + params += opt.query("sni", dom_prefix + "tls_serverName"); params += opt.query("insecure", dom_prefix + "tls_allowInsecure"); - params += opt.query("upmbps", dom_prefix + "up_mbps", 1000); - params += opt.query("downmbps", dom_prefix + "down_mbps", 1000); - params += opt.query("alpn", dom_prefix + "alpn"); - params += opt.query("obfsParam", dom_prefix + "obfs"); + params += opt.query("obfs", "salamander"); + params += opt.query("obfs-password", dom_prefix + "obfs"); var url = _address + ":" + v_port.value + "?" + @@ -875,9 +872,9 @@ local api = require "luci.passwall2.api" opt.set('remarks', decodeURI(m.hash.substr(1))); } } - if (ssu[0] === "hysteria") { - dom_prefix = "hysteria_" - var stype = "Hysteria"; + if (ssu[0] === "hysteria2") { + dom_prefix = "hysteria2_" + var stype = "Hysteria2"; var m = parseNodeUrl(ssrurl); var queryParam = {}; if (m.search.length > 1) { 
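Review bot: `opt.query("obfs", "salamander")` passes a literal where every other call in this branch passes a form-field id (`dom_prefix + "..."`), so unless `opt.query` treats an unknown id as a literal value the `obfs` parameter will come out empty or the lookup will fail. The call is also unconditional, so a link for a node without an obfs password would still advertise obfuscation. Guarding it with `if (opt.get(dom_prefix + "obfs").value)` and appending the fixed `obfs=salamander` pair in the same format `opt.query` produces would keep export and import symmetric. `opt.query` is defined outside this hunk, so its contract should be checked.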
@@ -893,17 +890,12 @@ local api = require "luci.passwall2.api" opt.set('type', stype); opt.set(dom_prefix + 'address', m.hostname); opt.set(dom_prefix + 'port', m.port || "443"); - opt.set(dom_prefix + 'protocol', queryParam.protocol); - opt.set(dom_prefix + 'obfs', queryParam.obfsParam); - opt.set(dom_prefix + 'auth_type', "string"); - opt.set(dom_prefix + 'auth_password', queryParam.auth); - opt.set(dom_prefix + 'tls_serverName', queryParam.peer); + opt.set(dom_prefix + 'obfs', queryParam["obfs-password"]); + opt.set(dom_prefix + 'auth', queryParam.auth); + opt.set(dom_prefix + 'tls_serverName', queryParam.sni); if (queryParam.insecure && queryParam.insecure == "1") { opt.set(dom_prefix + 'tls_allowInsecure', true); } - opt.set(dom_prefix + 'alpn', queryParam.alpn); - opt.set(dom_prefix + 'up_mbps', queryParam.upmbps); - opt.set(dom_prefix + 'down_mbps', queryParam.downmbps); if (m.hash) { opt.set('remarks', decodeURI(m.hash.substr(1))); } diff --git a/luci-app-passwall2/po/zh-cn/passwall2.po b/luci-app-passwall2/po/zh-cn/passwall2.po index ed621f777..eb6713cf4 100644 --- a/luci-app-passwall2/po/zh-cn/passwall2.po +++ b/luci-app-passwall2/po/zh-cn/passwall2.po @@ -478,6 +478,9 @@ msgstr "QUIC 并发双向流的最大数量" msgid "Disable MTU detection" msgstr "禁用 MTU 检测" +msgid "ignoreClientBandwidth" +msgstr "忽略客户端带宽设置" + msgid "Lazy Start" msgstr "延迟启动" diff --git a/luci-app-passwall2/root/usr/share/passwall2/app.sh b/luci-app-passwall2/root/usr/share/passwall2/app.sh index 4a86eb4b8..3ecf40beb 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/app.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh @@ -31,7 +31,7 @@ UTIL_SINGBOX=$LUA_UTIL_PATH/util_sing-box.lua UTIL_SS=$LUA_UTIL_PATH/util_shadowsocks.lua UTIL_XRAY=$LUA_UTIL_PATH/util_xray.lua UTIL_NAIVE=$LUA_UTIL_PATH/util_naiveproxy.lua -UTIL_HYSTERIA=$LUA_UTIL_PATH/util_hysteria.lua +UTIL_HYSTERIA2=$LUA_UTIL_PATH/util_hysteria2.lua UTIL_TUIC=$LUA_UTIL_PATH/util_tuic.lua V2RAY_ARGS="" V2RAY_CONFIG="" 
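Review bot: The import path stores the credential with `opt.set(dom_prefix + 'auth', queryParam.auth)`, but the option declared in hysteria2.lua and read by the export code is `auth_password`, so an imported link appears to lose its password. The line should read `opt.set(dom_prefix + 'auth_password', queryParam.auth);`. Separately, `insecure=1` in a pasted link still switches on `tls_allowInsecure` with no prompt. Since share links often come from third parties, surfacing that setting to the user before saving would be a sensible follow-up.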
@@ -332,7 +332,7 @@ run_xray() { local _dns=$(get_first_dns direct_dns_udp_server 53 | sed 's/#/:/g') local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') - V2RAY_DNS_DIRECT_ARGS="${V2RAY_DNS_DIRECT_ARGS} -direct_dns_server ${_dns_address} -direct_dns_port ${_dns_port} -direct_dns_udp_server ${_dns_address}" + V2RAY_DNS_DIRECT_ARGS="${V2RAY_DNS_DIRECT_ARGS} -direct_dns_udp_port ${_dns_port} -direct_dns_udp_server ${_dns_address}" ;; esac [ -n "$direct_dns_query_strategy" ] && V2RAY_DNS_DIRECT_ARGS="${V2RAY_DNS_DIRECT_ARGS} -dns_query_strategy ${direct_dns_query_strategy}" @@ -366,13 +366,13 @@ run_xray() { local _dns=$(get_first_dns remote_dns_udp_server 53 | sed 's/#/:/g') local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') - V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_server ${_dns_address} -remote_dns_port ${_dns_port} -remote_dns_udp_server ${_dns_address}" + V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_udp_port ${_dns_port} -remote_dns_udp_server ${_dns_address}" ;; tcp) local _dns=$(get_first_dns remote_dns_tcp_server 53 | sed 's/#/:/g') local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') - V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_server ${_dns_address} -remote_dns_port ${_dns_port} -remote_dns_tcp_server tcp://${_dns}" + V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_tcp_port ${_dns_port} -remote_dns_tcp_server ${_dns_address}" ;; doh) local _doh_url=$(echo $remote_dns_doh | awk -F ',' '{print $1}') 
@@ -384,8 +384,8 @@ run_xray() { [ -z "${_doh_port}" ] && _doh_port=443 local _doh_bootstrap=$(echo $remote_dns_doh | cut -d ',' -sf 2-) [ "${is_ip}" = "true" ] && _doh_bootstrap=${_doh_host} - [ -n "$_doh_bootstrap" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_server ${_doh_bootstrap}" - V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}" + [ -n "$_doh_bootstrap" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_doh_ip ${_doh_bootstrap}" + V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_doh_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}" ;; esac @@ -399,8 +399,8 @@ run_xray() { [ -n "$dns_listen_port" ] && _extra_param="${_extra_param} -dns_listen_port ${dns_listen_port}" [ -n "$dns_cache" ] && _extra_param="${_extra_param} -dns_cache ${dns_cache}" _extra_param="${_extra_param} -dns_query_strategy UseIP" - _extra_param="${_extra_param} -direct_dns_port ${direct_dnsmasq_listen_port} -direct_dns_udp_server 127.0.0.1" - _extra_param="${_extra_param} -remote_dns_port ${dns_remote_listen_port} -remote_dns_udp_server 127.0.0.1" + _extra_param="${_extra_param} -direct_dns_udp_port ${direct_dnsmasq_listen_port} -direct_dns_udp_server 127.0.0.1" + _extra_param="${_extra_param} -remote_dns_udp_port ${dns_remote_listen_port} -remote_dns_udp_server 127.0.0.1" [ "$remote_fakedns" = "1" ] && _extra_param="${_extra_param} -remote_dns_fake 1 -remote_dns_fake_strategy ${remote_dns_query_strategy}" } 
@@ -455,7 +455,7 @@ run_singbox() { local _dns=$(get_first_dns direct_dns_udp_server 53 | sed 's/#/:/g') local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') - V2RAY_DNS_DIRECT_ARGS="${V2RAY_DNS_DIRECT_ARGS} -direct_dns_server ${_dns_address} -direct_dns_port ${_dns_port} -direct_dns_udp_server ${_dns_address}" + V2RAY_DNS_DIRECT_ARGS="${V2RAY_DNS_DIRECT_ARGS} -direct_dns_udp_port ${_dns_port} -direct_dns_udp_server ${_dns_address}" ;; esac [ -n "$direct_dns_query_strategy" ] && V2RAY_DNS_DIRECT_ARGS="${V2RAY_DNS_DIRECT_ARGS} -dns_query_strategy ${direct_dns_query_strategy}" @@ -478,7 +478,7 @@ run_singbox() { fi run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=127.0.0.1#${dns_direct_listen_port} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} - _extra_param="${_extra_param} -direct_dns_port ${direct_dnsmasq_listen_port} -direct_dns_udp_server 127.0.0.1 -direct_dns_query_strategy ${direct_dns_query_strategy}" + _extra_param="${_extra_param} -direct_dns_udp_port ${direct_dnsmasq_listen_port} -direct_dns_udp_server 127.0.0.1 -direct_dns_query_strategy ${direct_dns_query_strategy}" :< $V2RAY_DNS_REMOTE_CONFIG ln_run "$(first_type $(config_t_get global_app singbox_file) sing-box)" "sing-box" "/dev/null" run -c "$V2RAY_DNS_REMOTE_CONFIG" - _extra_param="${_extra_param} -remote_dns_port ${dns_remote_listen_port} -remote_dns_udp_server 127.0.0.1" + _extra_param="${_extra_param} -remote_dns_udp_port ${dns_remote_listen_port} -remote_dns_udp_server 127.0.0.1" eof case "$remote_dns_protocol" in 
@@ -530,13 +530,13 @@ eof local _dns=$(get_first_dns remote_dns_udp_server 53 | sed 's/#/:/g') local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') - _extra_param="${_extra_param} -remote_dns_port ${_dns_port} -remote_dns_udp_server ${_dns_address}" + _extra_param="${_extra_param} -remote_dns_udp_port ${_dns_port} -remote_dns_udp_server ${_dns_address}" ;; tcp) local _dns=$(get_first_dns remote_dns_tcp_server 53 | sed 's/#/:/g') local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') - _extra_param="${_extra_param} -remote_dns_server ${_dns_address} -remote_dns_port ${_dns_port} -remote_dns_tcp_server tcp://${_dns}" + _extra_param="${_extra_param} -remote_dns_tcp_port ${_dns_port} -remote_dns_tcp_server ${_dns_address}" ;; doh) local _doh_url=$(echo $remote_dns_doh | awk -F ',' '{print $1}') @@ -548,8 +548,8 @@ eof [ -z "${_doh_port}" ] && _doh_port=443 local _doh_bootstrap=$(echo $remote_dns_doh | cut -d ',' -sf 2-) [ "${is_ip}" = "true" ] && _doh_bootstrap=${_doh_host} - [ -n "$_doh_bootstrap" ] && _extra_param="${_extra_param} -remote_dns_server ${_doh_bootstrap}" - _extra_param="${_extra_param} -remote_dns_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}" + [ -n "$_doh_bootstrap" ] && _extra_param="${_extra_param} -remote_dns_doh_ip ${_doh_bootstrap}" + _extra_param="${_extra_param} -remote_dns_doh_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}" ;; esac 
@@ -664,13 +664,13 @@ run_socks() { lua $UTIL_SS gen_config -node $node -local_socks_port $socks_port -server_host $server_host -server_port $port ${_extra_param} > $config_file ln_run "$(first_type sslocal)" "sslocal" $log_file -c "$config_file" -v ;; - hysteria) + hysteria2) [ "$http_port" != "0" ] && { http_flag=1 config_file=$(echo $config_file | sed "s/SOCKS/HTTP_SOCKS/g") local _extra_param="-local_http_port $http_port" } - lua $UTIL_HYSTERIA gen_config -node $node -local_socks_port $socks_port -server_host $server_host -server_port $port ${_extra_param} > $config_file + lua $UTIL_HYSTERIA2 gen_config -node $node -local_socks_port $socks_port -server_host $server_host -server_port $port ${_extra_param} > $config_file ln_run "$(first_type $(config_t_get global_app hysteria_file))" "hysteria" $log_file -c "$config_file" client ;; tuic) diff --git a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh index d3bb5770b..855d073e2 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh @@ -249,8 +249,7 @@ load_acl() { msg2="${msg2}(REDIRECT:${redir_port})代理" fi - $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN - $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN + $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN [ "$accept_icmp" = "1" ] && { $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT) 
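Review bot: The single `$ipt_tmp -A PSW2 ... -j RETURN` line in the `@@ -249,8 +249,7 @@` hunk relies on `ipt_tmp` already holding the right table wrapper, and no assignment is visible in the hunk. If it is empty the shell tries to run `-A` as a command and the whitelist RETURN rule is silently missing, so whitelisted destinations fall through to the redirect rules. The same variable is used for the default rule in the later `@@ -350,8 +348,7 @@` hunk, which appears to sit after the per-ACL loop. It should be recomputed there, e.g. `ipt_tmp=$ipt_n; [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m`, rather than inherited from the last ACL entry. load_acl starts and ends outside these hunks.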
@@ -278,7 +277,6 @@ load_acl() { $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) fi [ "$PROXY_IPV6" == "1" ] && { - $ip6t_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null @@ -350,8 +348,7 @@ load_acl() { [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的" msg="${msg}所有端口" - $ipt_n -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN - $ipt_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN + $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN [ "$accept_icmp" = "1" ] && { $ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT) @@ -373,7 +370,6 @@ load_acl() { fi [ "$PROXY_IPV6" == "1" ] && { - $ip6t_n -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN $ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE $ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE diff --git a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh index c33091a2b..5e90951a5 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh 
@@ -271,8 +271,8 @@ load_acl() { msg2="${msg2}(REDIRECT:${redir_port})代理" fi - nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" + [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" + [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" [ "$accept_icmp" = "1" ] && { nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\"" @@ -371,8 +371,8 @@ load_acl() { [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的" msg="${msg}所有端口" - nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" + [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" + [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" [ "$accept_icmp" = "1" ] && { nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
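Review bot: In the `@@ -371,8 +371,8 @@` hunk the two global-whitelist rules keep `comment \"$remarks\"` although the neighbouring default rule uses `comment \"默认\"`, so they are labelled with whatever `remarks` last held; both new lines should use `comment \"默认\"`. `is_tproxy` is likewise tested there without being set in the hunk, so if it is carried over from the last ACL entry the default rule can land in the wrong chain. As `remarks` is free text interpolated into the nft command string, stripping `"` and `;` from it before use would also keep a label from altering the rule.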