Clash Meta GeoIP Wrong? Fix MMDB Path, Country Rules, and Updates
You already wrote GEOIP and Country-style rules, yet domestic pages ride PROXY while foreign APIs fall through to DIRECT. Before you blame node quality, assume the boring failure modes: the offline GeoIP database never loaded from the path you think, the MMDB file is years old, a higher-priority rule already decided the policy, or DNS and fake-ip changed which IP address GEOIP actually sees. This guide walks Clash Meta (Mihomo) users through MMDB placement, automatic refresh, and rule order so country-based split routing matches your intent—complementing our DNS and fake-ip and rule-provider download articles rather than repeating them.
Symptoms that point to GeoIP, not “bad rules”
GEOIP rules classify traffic by destination IP address after resolution. They do not read the browser tab title, the site’s language, or whether the domain “looks Chinese.” When users say “my rules are correct,” they often mean the YAML reads correctly while the effective evaluation order or the IP fed into GEOIP disagrees.
- Domestic CDNs on PROXY: the resolved address may be anycast outside your home country, or an earlier DOMAIN line already sent the flow to a catch-all group.
- Global SaaS on DIRECT: a corporate split DNS may return an on-net address; GEOIP then labels it “local” even though the service is foreign.
- Flip-flops after subscription refresh: merged profiles can reorder rules; a downloaded RULE-SET may now sit above your GEOIP safety net.
- Everything wrong after reinstall: the client moved its working directory, so the MMDB never sits where your old notes say it should.
One-line mental model
GEOIP answers: “Given this IP, which ISO country code does the database claim?” If the database is missing, stale, or never opened, implementations fall back to behaviors that look like “random routing.”
How GEOIP rules interact with DNS and fake-ip
In typical Rule mode, Clash evaluates rules against a connection’s metadata. For GEOIP, the critical metadata is the destination IP Clash intends to dial. When you use fake-ip, the client may initially see a synthetic address; the core must map that back to a real endpoint for GEOIP to be meaningful. If DNS and TUN disagree, you can observe “GEOIP lies” that are actually resolver stories.
Stabilize DNS first when symptoms resemble “only GEOIP is insane.” Our dedicated DNS and fake-ip walkthrough explains redir-host versus fake-ip, double resolver loops, and why browsers and CLI tools diverge. Fix that layer, then return here—otherwise you will chase MMDB paths while the IP never matched reality.
MMDB path, working directory, and “database not loaded”
MaxMind GeoLite2 / GeoIP2 databases ship as .mmdb files. Clash Meta derivatives expect the file to exist in a predictable location relative to the profile or working directory your GUI chooses—often different between Windows portable folders, macOS app sandboxes, and Docker bind mounts.
When debugging, do not trust forum screenshots. Instead:
- Open your client’s log pane and search for messages about geo, GeoIP, or mmdb load failures.
- Locate the directory that actually contains config.yaml (or the effective merged profile) and list files: confirm whether geoip.db, Country.mmdb, or similarly named artifacts exist and their modified time is recent.
- If you run containers, verify the volume mount: hosts frequently bake configs into /root/.config/mihomo/ while the MMDB download lands in an ephemeral layer.
Permission and read-only layers
A database that cannot be replaced will silently stay old. If auto-update is enabled but the path is read-only, you may see “update attempted” noise—or none at all—while the file timestamp freezes for years.
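The on-disk checks from this section, plus the ASN-versus-Country mix-up covered in the FAQ, as an added Python example (not code from Mihomo or any Clash client). It reads the metadata map that the MMDB format stores after the MaxMind.com marker, so staleness is judged by the database's own build_epoch rather than by file mtime. The expect="Country" substring and the 30-day threshold are assumptions, and community-built databases may carry a different database_type string.

```python
import os, sys, time

MARKER = b"\xab\xcd\xefMaxMind.com"  # precedes the metadata map in an MMDB file

def decode(buf, pos):
    """Decode one MMDB data field at pos; return (value, next_pos)."""
    kind, size, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if kind == 0:                     # extended type: next byte holds type - 7
        kind, pos = buf[pos] + 7, pos + 1
    if size >= 29:                    # size continues in the next 1-3 bytes
        n = size - 28
        size = (29, 285, 65821)[n - 1] + int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if kind in (7, 11):               # map (key/value pairs) or array
        out = {} if kind == 7 else []
        for _ in range(size):
            item, pos = decode(buf, pos)
            if kind == 7:
                out[item], pos = decode(buf, pos)
            else:
                out.append(item)
        return out, pos
    raw, pos = buf[pos:pos + size], pos + size
    if kind == 2:                     # UTF-8 string
        return raw.decode("utf-8"), pos
    return (int.from_bytes(raw, "big") if kind in (5, 6, 9, 10) else raw), pos

def check_mmdb(path, expect="Country", max_age_days=30, now=None):
    """List reasons the database at `path` is unusable; [] means it looks fine."""
    if not os.path.isfile(path):
        return ["missing: " + path]
    problems = []
    if not os.access(os.path.dirname(os.path.abspath(path)), os.W_OK):
        problems.append("read-only: directory not writable, updates cannot land")
    with open(path, "rb") as fh:
        data = fh.read()
    idx = data.rfind(MARKER)          # metadata sits at the end of the file
    if idx < 0:
        return problems + ["not-mmdb: no metadata marker (error page or .dat?)"]
    meta = decode(data, idx + len(MARKER))[0]
    if expect not in meta.get("database_type", ""):
        problems.append("wrong-type: " + meta.get("database_type", "?"))
    age = ((now or time.time()) - meta.get("build_epoch", 0)) / 86400
    if age > max_age_days:
        problems.append("stale: built %d days ago" % age)
    return problems

if __name__ == "__main__":
    print("\n".join("%s: %s" % (p, check_mmdb(p) or "ok") for p in sys.argv[1:]))
```

Run it with the path your client actually uses, for example the file found next to the effective config.yaml; an empty result means the file parsed, matched the expected type, and is recent.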
Geodata mode: MMDB versus embedded .dat-style bundles
Modern Meta cores can load geography data from different backends depending on geodata-mode (and related loader settings in your exact build). When geodata-mode is enabled, some deployments prioritize Sing-geoip-style .dat bundles for both GEOIP and GEOSITE; when disabled, many setups lean on MMDB for country classification. The precise defaults drift between releases, which is why “it worked on my old laptop” is not a spec.
Practical advice:
- Pick one coherent story per device: either maintain fresh MMDB for GEOIP, or commit to geodata bundles and understand which file your GEOIP lines actually consult.
- After toggling geodata-mode, restart the core and re-check logs—hot reload does not always remap loaders the way newcomers expect.
- Do not mix half a MaxMind file with half a community mirror unless you know exactly how your build resolves precedence.
Automatic updates: geo-auto-update, intervals, and URLs
Stale country mappings are a genuine source of “foreign site acts domestic.” CDNs acquire new prefixes; registries reallocate ranges; a 2019 MMDB routinely mislabels addresses that moved in 2024. Meta-compatible configs usually expose:
- geo-auto-update to allow background fetches.
- geo-update-interval to throttle how often the core checks upstream (hours, not minutes—be kind to mirrors).
- geox-url (or equivalent) to point geoip and geosite artifacts at URLs you trust.
Mirror etiquette matters: hammering official endpoints from thousands of home routers is how projects lose hosting. Prefer caching proxies or reputable mirrors your community documents, and pin versions when you need reproducible lab setups.
If downloads fail, the failure mode often resembles rule-provider issues—TLS interception, captive portals, or an outbound that cannot reach GitHub raw URLs. Our rule-provider path and interval guide shares the same debugging muscle memory: verify the fetch path, disk space, and whether the core logs an HTTP status.
Country rules: GEOIP,CN, inversions, and “no-resolve”
Common templates include GEOIP,CN,DIRECT followed by MATCH,PROXY. That pattern means: if the destination IP maps to China, stay direct; otherwise default to proxy. Invert the order or polarity and you get the classic “everything overseas is direct” complaint.
Less obvious pitfalls:
- Private and LAN ranges: some builds need explicit GEOIP,LAN or IP-CIDR bypass rows; otherwise RFC1918 traffic collides with catch-alls.
- no-resolve semantics: certain GEOIP variants include a no-resolve flag so the rule applies only when an IP is already known. Misusing it with fake-ip stacks produces “rule skipped” stories—read your core’s exact grammar.
- GEOIP versus GEOSITE: GEOSITE,cn is a domain list, not a country lookup. Mixing them is fine, but they solve different problems; GEOSITE wins on hostname identity while GEOIP wins on IP geography after resolution.
```yaml
# Illustrative pattern — adapt group names and ordering to your profile
rules:
  - DOMAIN-SUFFIX,cn,DIRECT
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,PROXY
```
The fragment is educational, not a drop-in: your remote provider may inject thousands of lines above these rows, which is exactly when “my CN rule never fires” appears.
Rule order: why your GEOIP line is decorative
Clash evaluates rules top to bottom until one matches. If a subscription merges a massive RULE-SET ahead of your GEOIP directives, those remote rows decide the policy first. Symptoms:
- Domestic video CDNs proxy because a “global media” list matched a shared edge.
- Foreign APIs go direct because an “Apple China” list captured hostnames you did not inspect.
Remediation strategies:
- Export the effective rule list from your client (many GUIs show merged order). Scroll until you find the first match for a failing hostname.
- Move high-confidence domestic bypass and critical foreign overrides earlier using mixin prepend modes or provider-specific ordering knobs—see our Clash Meta mixin article for merge hygiene.
- Treat GEOIP as a safety net, not the entire design: explicit DOMAIN rows for services you care about beat coarse country buckets.
| Layer | Strength | Risk |
|---|---|---|
| DOMAIN / DOMAIN-SUFFIX | Precise for known APIs | High maintenance as edges rename |
| RULE-SET (remote) | Fast to adopt community lists | Opaque collisions with your overrides |
| GEOIP,CN | Catches “everything else domestic” | Wrong if IP geography ≠ business intent |
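First-match evaluation over a merged rule list, as an added Python example rather than the core's own matcher. It lists every rule that would match a connection so the shadowed GEOIP row is visible next to the row that actually wins. The rule-set name global-media, the hostnames and the documentation prefixes standing in for MMDB answers are constructed, and DNS, fake-ip and no-resolve handling are left out.

```python
import ipaddress

def _suffix(host, s):
    return host == s or host.endswith("." + s)

def rule_hits(rules, host, ip, geo, rule_sets):
    """Return every rule that matches, top to bottom; hits[0] is the one applied."""
    addr = ipaddress.ip_address(ip)
    tests = {
        "DOMAIN": lambda a: host == a,
        "DOMAIN-SUFFIX": lambda a: _suffix(host, a),
        "RULE-SET": lambda a: any(_suffix(host, s) for s in rule_sets.get(a, [])),
        "IP-CIDR": lambda a: addr in ipaddress.ip_network(a),
        "GEOIP": lambda a: any(addr in ipaddress.ip_network(n) for n in geo.get(a, [])),
        "MATCH": lambda a: True,
    }
    hits = []
    for number, line in enumerate(rules, 1):
        kind, *rest = [p.strip() for p in line.split(",")]
        # MATCH has no argument; trailing flags such as no-resolve are ignored
        arg, policy = (None, rest[0]) if kind == "MATCH" else (rest[0], rest[1])
        if kind in tests and tests[kind](arg):
            hits.append((number, line, policy))
    return hits

# Constructed sample data: documentation prefixes stand in for real MMDB answers.
GEO = {"CN": ["203.0.113.0/24"], "LAN": ["10.0.0.0/8", "192.168.0.0/16"]}
RULE_SETS = {"global-media": ["cdn.example.net"]}       # hypothetical remote list
USER_RULES = ["DOMAIN-SUFFIX,cn,DIRECT", "GEOIP,LAN,DIRECT",
              "GEOIP,CN,DIRECT", "MATCH,PROXY"]
MERGED = ["RULE-SET,global-media,PROXY"] + USER_RULES   # provider row merged on top

def demo():
    """Same connection against the hand-written rules and the merged profile."""
    conn = ("video.cdn.example.net", "203.0.113.10", GEO, RULE_SETS)
    return rule_hits(USER_RULES, *conn), rule_hits(MERGED, *conn)

if __name__ == "__main__":
    for hits in demo():
        print("applied:", hits[0], "| shadowed:", hits[1:])
```

Feed it the merged rule order exported from your client and the destination IP from the connection log to see which row decides the policy before GEOIP is consulted.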
When the database is fine but the IP is “wrong”
Even a fresh MMDB cannot fix business semantics. Many global vendors announce addresses geolocated to the United States while serving Chinese customers through localized front doors. Conversely, domestic banks sometimes front APIs on offshore hosting. GEOIP faithfully reports registry country; your product policy may want hostname rules instead.
IPv6 adds another wrinkle: some networks prefer AAAA records while your GEOIP intuition was tuned on IPv4 traces. If only half the stack is IPv6-capable, you may see different countries for the “same” site depending on Happy Eyeballs timing. When debugging, log both address families instead of assuming the failure is always “Meta broke GEOIP.”
Operational takeaway: if a single service misbehaves, capture three log fields—rule matched, destination IP, and policy group—then decide whether to add a narrow domain row rather than tweaking GEOIP.
Checklist before you open a support thread
- Confirm the GeoIP artifact exists on disk, is writable, and has a plausible modification time.
- Enable or verify geo-auto-update (or your equivalent) and read logs for download failures.
- Reconcile DNS mode with GEOIP: fake-ip stacks get a dedicated pass—see the DNS article linked above.
- Print merged rule order; ensure GEOIP rows sit where you think relative to RULE-SET imports.
- Test with one controlled domestic hostname and one controlled foreign hostname; avoid “the whole internet feels off” debugging.
- After container or client upgrades, re-validate paths: working-directory changes are the silent killer.
FAQ
I updated MMDB and it is still wrong
Check whether an earlier rule matched, whether DNS returned an unexpected IP, and whether you restarted the core after replacing the file. Also verify you did not download a GeoLite ASN build when the core expects Country.
Should I use GEOSITE,cn or GEOIP,CN?
Use both deliberately: GEOSITE for domain identity, GEOIP as a coarse IP-level net. Many healthy profiles stack GEOSITE domestic lists, LAN IP-CIDR rows, then GEOIP for the remainder.
Docker shows empty geo files
Ensure the volume mount includes the download directory, not only config.yaml. Permission UID mismatches between host and container also block writes.
Keep the rest of the stack maintainable
GEOIP debugging is easier when subscriptions, mixin overlays, and remote rule sets stay transparent. Once MMDB load and rule order are boring again, you can return to tuning nodes and policy groups without second-guessing country data.