How Routing Works
When a user connects to your proxy and tries to visit a website, Xray checks routing rules before sending the traffic out to the internet.
Each rule says: "If traffic matches this condition → do this action"
Two possible actions:
- direct — allow traffic, send to internet
- blocked — drop traffic, user gets nothing
Rules are checked top to bottom. The first rule that matches wins. If no rule matches, traffic is allowed through (direct).
You can match traffic by:
- Destination Domain — what site the user wants to visit
- Destination IP — what country the site's server is in
- Destination Port — what port the traffic targets (25, 80, 443…)
- Source IP — where the user connects from
- Protocol — traffic type like bittorrent
Step 1: Set Up DNS Servers
Go to Xray Configs → Basics tab.
Find the DNS section. If it is empty, add:
8.8.8.8
1.1.1.1
Click Save.
Xray needs DNS servers to resolve domains and determine which country a domain belongs to. Without DNS configured, domain-based routing rules like
geosite:will not work.
Step 2: Set Up Outbounds
Go to Xray Configs → Outbounds tab.
You need two outbounds:
| Outbound | Protocol | Tag | Purpose |
|---|---|---|---|
| 1 | freedom |
direct |
Allow traffic through to internet |
| 2 | blackhole |
blocked |
Drop/block traffic silently |
The direct outbound usually exists by default. If blocked does not exist, click + Add Outbound, set Protocol to blackhole, Tag to blocked, and save.
Write down the exact tag names from your panel. If your blackhole outbound uses a different tag (like "block" instead of "blocked"), use your tag name in all rules below.
Step 3: Add Routing Rules
Go to Xray Configs → Routing Rules tab.
Below are all common rules organized by category. Pick the ones you need. For each rule, click "+ Add Rule", fill in only the fields listed, leave everything else empty.
Block Ports (Anti-Spam)
Users can abuse your proxy to send spam emails. Email uses ports 25, 587, and 465. Blocking these stops anyone from sending emails through your server and protects your server IP from being blacklisted.
| Field | Value |
|---|---|
| Destination Port | 25,587,465 |
| Outbound Tag | blocked |
| All other fields | Leave empty |
Type 25,587,465 exactly — no spaces, just commas.
What these ports do:
- 25 — SMTP (main email sending port)
- 587 — SMTP Submission (authenticated email sending)
- 465 — SMTPS (encrypted email sending)
Optional — block remote access and database ports in a single rule:
| Field | Value |
|---|---|
| Destination Port | 22,23,25,465,587,1433,3306,3389,5432,6379,27017 |
| Outbound Tag | blocked |
| All other fields | Leave empty |
Port reference:
- 22 — SSH (prevent tunneling through proxy)
- 23 — Telnet (unencrypted remote access)
- 3389 — RDP (Windows remote desktop)
- 3306 — MySQL
- 5432 — PostgreSQL
- 27017 — MongoDB
- 6379 — Redis
- 1433 — Microsoft SQL Server
Block Private / Local IPs
This stops users from accessing your server's local network through the proxy — a security must-have. Without it, someone could scan your internal services.
| Field | Value |
|---|---|
| Destination IP | geoip:private |
| Outbound Tag | blocked |
| All other fields | Leave empty |
This blocks 127.0.0.1, 10.x.x.x, 192.168.x.x, 172.16-31.x.x, and all other private IP ranges.
If you run WARP or another local service that Xray needs to reach on
127.0.0.1, add an allow rule for that service above this block rule.
Block Source Countries
This blocks people from certain countries from using your proxy. Good for stopping scanners and bots.
Source IP = where the user connects from (different from Destination IP which is where the user wants to go).
| Field | Value |
|---|---|
| Source IP | geoip:cn,geoip:ru |
| Outbound Tag | blocked |
| All other fields | Leave empty |
For any country, use geoip:COUNTRYCODE. The geoip database works for all countries — see the reference table at the bottom.
Block Destination Countries
This blocks users from accessing websites and servers in certain countries through your proxy.
| Field | Value |
|---|---|
| Destination IP | geoip:cn |
| Outbound Tag | blocked |
| All other fields | Leave empty |
You can combine multiple countries in one rule:
| Field | Value |
|---|---|
| Destination IP | geoip:cn,geoip:ru |
| Outbound Tag | blocked |
| All other fields | Leave empty |
Optional — also block by domain name (China only):
For China specifically, you can also add a domain rule because geosite:cn exists in the default Xray database:
| Field | Value |
|---|---|
| Destination Domain | geosite:cn |
| Outbound Tag | blocked |
| All other fields | Leave empty |
This catches Chinese domains even if they use a CDN with non-Chinese IP addresses.
Warning about
geosite:country codes: Unlikegeoip, thegeositedatabase does not have entries for every country. In the default Xray database, onlygeosite:cn(China) is reliably available. Tags likegeosite:ru,geosite:ir, orgeosite:usdo not exist in the default database. If you use a non-existent geosite tag, Xray will crash and your entire proxy stops working for all users. Always usegeoipfor country blocking. If you need extended geosite tags, install a custom database like Chocolate4U/Iran-v2ray-rules.
Block Ads and Trackers
Blocks thousands of known advertising and tracking domains:
| Field | Value |
|---|---|
| Destination Domain | geosite:category-ads-all |
| Outbound Tag | blocked |
| All other fields | Leave empty |
Optional — block adult content:
| Field | Value |
|---|---|
| Destination Domain | geosite:category-porn |
| Outbound Tag | blocked |
| All other fields | Leave empty |
Both category-ads-all and category-porn are confirmed to exist in the default Xray geosite database.
Block BitTorrent
Stops users from downloading torrents through your proxy. Torrent traffic can get your server IP reported for piracy.
| Field | Value |
|---|---|
| Protocol | bittorrent |
| Outbound Tag | blocked |
| All other fields | Leave empty |
The Protocol field is in the panel under the "Protocol" or "L4" column.
Important: For this rule to work, sniffing must be enabled on your inbounds. Go to Inbounds, click on each inbound, and verify that Sniffing is ON. In 3X-UI it is usually on by default. Without sniffing, Xray cannot detect traffic types and this rule will silently do nothing. Note that encrypted torrent clients may bypass this detection.
Block Specific Websites
To block individual websites by domain name:
| Field | Value |
|---|---|
| Destination Domain | domain:badsite.com,domain:another.org |
| Outbound Tag | blocked |
| All other fields | Leave empty |
Domain matching prefixes:
| Prefix | Behavior | Example |
|---|---|---|
domain: |
Matches domain and all subdomains | domain:example.com blocks example.com, www.example.com, mail.example.com |
full: |
Exact match only, no subdomains | full:example.com blocks only example.com |
keyword: |
Matches any domain containing the word | keyword:gambling blocks onlinegambling.com, gambling-site.net |
regexp: |
Regular expression pattern | regexp:.*\.xyz$ blocks all .xyz domains |
You can also block entire service categories using geosite tags:
geosite:facebook
geosite:tiktok
geosite:instagram
Step 4: Set the Correct Rule Order
After adding all your rules, use the up/down arrow buttons in the panel to arrange them in this order:
| # | Rule Type | Action |
|---|---|---|
| 1 | Block ports (25, 587, 465…) | blocked |
| 2 | Block source countries | blocked |
| 3 | Block private IPs | blocked |
| 4 | Block destination countries | blocked |
| 5 | Block ads | blocked |
| 6 | Block bittorrent | blocked |
| 7 | Block specific websites | blocked |
Why this order:
- Port blocks first — fastest check, stops spam immediately
- Source blocks next — reject bad clients before doing more work
- Private IPs — security
- Destination countries — geo-restriction
- Ads/torrents/sites — content filtering last
Any traffic that matches no rule is allowed through to the internet normally.
Step 5: Save and Restart
Click Save at the top of the page, then click Restart Xray.
Always save first, then restart. If you only restart without saving, your changes will be lost. Changes take effect immediately after restart. Connected users may briefly disconnect and reconnect automatically.
Testing
Connect using your VLESS, VMess, or Trojan configuration and verify:
Should work:
- google.com, youtube.com, twitter.com
- Any site not in your blocked lists
Should be blocked:
- Sites hosted in blocked countries
- Sending emails (port 25/587/465)
- Torrent downloads (if sniffing is on)
- Ad domains
- Sites you specifically blocked
- Accessing server local network
Troubleshooting
If users cannot connect after adding rules:
- Go to the Routing Rules tab
- Delete the rules you just added (start from the last one, work backwards)
- Click Save → Restart Xray
- Test again
Common mistakes:
- Xray won't start — you used a
geositetag that doesn't exist (e.g.,geosite:ru). Remove it and usegeoipinstead. - Wrong outbound tag name — check the Outbounds tab for exact spelling.
- Rule order wrong — allow rules must be above block rules.
- BitTorrent rule does nothing — sniffing is not enabled on your inbounds.
- Blocked
geoip:privatebreaks local service — add an allow rule above the private IP block for services like WARP.
Reference: geoip Values
geoip works for all countries. Use in Destination IP or Source IP fields.
Special:
| Tag | Matches |
|---|---|
geoip:private |
All private/local IPs |
geoip:telegram |
Telegram server IPs |
geoip:facebook |
Facebook/Meta server IPs |
geoip:google |
Google server IPs |
Countries (use 2-letter ISO code):
| Tag | Country |
|---|---|
geoip:cn | China |
geoip:ru | Russia |
geoip:ir | Iran |
geoip:us | United States |
geoip:de | Germany |
geoip:fr | France |
geoip:gb | United Kingdom |
geoip:tr | Turkey |
geoip:in | India |
geoip:pk | Pakistan |
geoip:af | Afghanistan |
geoip:iq | Iraq |
geoip:sy | Syria |
geoip:kp | North Korea |
Full list: ISO 3166-1 alpha-2 on Wikipedia
Reference: geosite Values
Unlike geoip, the geosite database does not cover all countries. Using a non-existent tag crashes Xray.
Confirmed safe in the default database:
| Tag | Matches |
|---|---|
geosite:cn | China domains |
geosite:category-ads-all | All ad/tracking domains |
geosite:category-porn | Adult content domains |
geosite:google | Google services |
geosite:facebook | |
geosite:instagram | |
geosite:youtube | YouTube |
geosite:twitter | Twitter / X |
geosite:telegram | Telegram |
geosite:whatsapp | |
geosite:netflix | Netflix |
geosite:spotify | Spotify |
geosite:tiktok | TikTok |
geosite:amazon | Amazon |
geosite:openai | ChatGPT / OpenAI |
Do NOT use (they don't exist in the default database):
| Tag | Status |
|---|---|
geosite:ru | Does not exist |
geosite:ir | Does not exist |
geosite:us | Does not exist |
geosite:category-gambling | Does not exist |
geosite:malware | Does not exist |
geosite:phishing | Does not exist |
For extended tags, install Chocolate4U/Iran-v2ray-rules which adds ir, malware, phishing, cryptominers, and more.
Reference: Ports Worth Blocking
| Category | Port | Service | Description |
|---|---|---|---|
| 25 | SMTP | Main email sending | |
| 465 | SMTPS | Encrypted email | |
| 587 | SMTP Submit | Authenticated email | |
| Remote | 22 | SSH | Remote server access |
| Remote | 23 | Telnet | Unencrypted remote access |
| Remote | 3389 | RDP | Windows remote desktop |
| Database | 1433 | MSSQL | Microsoft SQL Server |
| Database | 3306 | MySQL | MySQL database |
| Database | 5432 | PostgreSQL | PostgreSQL database |
| Database | 6379 | Redis | Redis cache |
| Database | 27017 | MongoDB | MongoDB database |
All ports in one line for copy-paste:
22,23,25,465,587,1433,3306,3389,5432,6379,27017
Tips
- No Inbound Tag on a rule = the rule applies to all your inbounds (all VLESS, VMess, Trojan configs). To target only one specific config, set the Inbound Tag field.
- Combine values to reduce rules:
geoip:cn,geoip:ru,geoip:afin one field instead of three separate rules. - Save before Restart. Always.
- Backup your routing rules (screenshot them) before making big changes.
- Test after each rule — add one at a time, save + restart, and test. If something breaks, you know exactly which rule caused it.