Who needs Clash Verge Rev LAN proxy sharing?

You already run Clash Verge Rev (the actively maintained Mihomo GUI that replaced the dormant Clash Verge line on desktop) on a dependable Windows workstation. Phones, tablets, Smart TVs, or guest laptops occasionally need exactly the same rule-based routing you tuned for Discord calls, bilingual news, streaming regions, or development APIs—without reinstalling tunnels on every slab of glass inside the apartment. Typical search intents such as “Clash Verge Rev allow LAN” or “mixed-port share proxy hotspot” land here because Mihomo listens on 127.0.0.1 by default, which politely ignores every gadget that is not the local machine itself.

Fixing that is deliberate: flipping allow-lan tells the Mihomo kernel to bind the HTTP and SOCKS façade to reachable interfaces, pairing beautifully with mixed-port when you insist on exporting both proxy grammars across a single TCP port your firewall team only has to memorize once.

Vocabulary recap before touching toggles

Allow-LAN: a boolean in Mihomo-derived cores (Clash.Meta family) controlling whether ancillary listeners—including the SOCKS and HTTP fronts—accept connections originating off-loopback IPv4 segments. Turning it off is the sane default inside coffee shops because your DHCP-assigned LAN address leaks no useful service to attackers; turning it on is what enables LAN proxy sharing responsibly after you constrain firewalls.

Mixed-port: Instead of juggling port, socks-port, maybe redir-port, Mihomo merges HTTP proxy semantics and SOCKS5 on one listener. Appliances that only expose an HTTP proxy field and engineering tools insisting on SOCKS can both consume 192.168.1.42:7890 when 7890 is your unified choice. Profiles from certain providers preset 7890, but collisions with local dev stacks happen—inspect your merged YAML whenever another service screams “address already in use.”

Bind scope: Even with allow-lan true you still want Mihomo attaching to all interfaces—or at least every NIC that participates in forwarding—rather than pinning to a solitary IP when you roam between docking Ethernet and cafeteria Wi-Fi. Verge overlays usually manage this indirectly; Overrides remain the blunt instrument when a subscription refresh overwrites ephemeral toggles.

Prerequisites that save half an afternoon

  • One gateway PC with Clash Verge Rev installed plus a trustworthy provider subscription refreshed within policy windows.
  • Clients on identical L2/L3 LAN—same router VLAN—or inside the ICS bubble if you purposely host a mobile hotspot downstream.
  • Administrative appetite for Windows Defender prompts when opening inbound firewall holes.
  • Comfort reading merged YAML so you reconcile provider defaults with Overrides after each fetch.

IPv6-only meshes or carrier-grade NAT upstream from your router occasionally complicate simple mental models; this article focuses on IPv4-centric home Wi-Fi—the pattern most televisions and IoT dongles advertise in their proxy menus.

Locate the LAN IPv4 Windows should advertise

Open an elevated PowerShell or classic cmd shell and execute ipconfig. Scan adapters until you distinguish the NIC actually carrying default-route internet today. Wired Intel controllers might read Ethernet; Intel AX Wi-Fi radios show something like “Wi-Fi.” Ignore virtual switches named after VPN vendors or Clash TAP unless you purposely route hotspots through those namespaces.

Copy the dotted quad—typically 192.168.x.y or 10.x.y.z—because every downstream screenshot will plaster that string inside manual proxy dialogs. DHCP lease renewals can shift the trailing octet overnight; televisions cache stale fields aggressively, so if living-room streaming suddenly wedges, re-read ipconfig before debugging Mihomo internals.

Operational steps inside Clash Verge Rev

Screens reorganize quarterly, yet the choreography stays recognizable: keep the Mihomo daemon running against the profile you latency-tested, expose networking toggles, merge persistence into YAML disk copies if the GUI keeps reverting imported fragments.

Kick the Mihomo daemon with a sane profile

Hop into Profiles, activate the freshest subscription merge, optionally hit health checks so policy groups populate before remote devices depend on flaky relay nodes thrashing failover loops.

Expose allow-lan cleanly

Inside Settings (wording shifts between builds) locate the Networking or Clash field group housing Allow LAN. Flip it on, acknowledging the risk banner—this fundamentally says “yes, strangers on permitted subnets may speak to Mihomo transports until firewalls negate them.” Professionals pair the toggle with host-isolation on guest SSIDs upstream.

Assign mixed-port without stomping localhost dev servers

Prefer a vacant high port documented in README snippets—commonly 7890, unless a Java microservice is already squatting there. Some UI builds tuck mixed-port beside SOCKS fields; older builds defer to Overrides like:

mixed-port: 7890
allow-lan: true

After saving, reopen the textual profile preview verifying order: provider fragments append last, Overrides prepend or merge per Verge semantics you configured. If merges feel opaque, temporarily export merged output to VS Code diff view against provider baseline.

Apply and gently restart cores

Tray icons sometimes cache listeners until you issue a core restart—not a reboot. Use whichever Verge exposes: “Restart Core,” “Reload Config,” or flipping system proxy toggles intentionally to force Mihomo teardown.

Dashboard APIs versus everyday proxy payloads

Power users stumble when conflating external-controller, secret, and SOCKS listeners. The REST API Mihomo publishes for dashboards like Yacd lives on a distinct port; it is not a substitute for the SOCKS handshakes televisions expect.

Should you fantasize about remotely flipping selectors from tablets, tightening authentication headers and binding controllers to VLAN-only addresses remains mandatory. This article purposely sticks to plaintext HTTP/SOCKS forwarding because consumer electronics rarely speak RESTful Clash dashboards.
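
A lint for the merged YAML that keeps the proxy listener and the controller apart, as an added example (not Clash Verge Rev's or Mihomo's own code). The sample profile and the function names Get-TopLevelValue and Test-MihomoExposure are constructed for illustration, and only top-level scalar keys are read.

```powershell
# Constructed sample of a merged profile (not from a real provider).
# For a real check, load your exported file instead: $lines = Get-Content <merged.yaml>
$lines = @'
mixed-port: 7890
allow-lan: true
external-controller: 0.0.0.0:9090
secret: ""
'@ -split '\r?\n'

function Get-TopLevelValue {
    param([string[]]$Lines, [string]$Key)
    foreach ($line in $Lines) {
        # Top-level scalar only: key at column 0, trailing comment dropped.
        if ($line -match "^$([regex]::Escape($Key))\s*:\s*([^#]*)") {
            return ($Matches[1].Trim() -replace '^["'']|["'']$', '')
        }
    }
    return $null
}

function Test-MihomoExposure {
    param([string[]]$Lines)
    $allowLan   = Get-TopLevelValue $Lines 'allow-lan'
    $mixed      = Get-TopLevelValue $Lines 'mixed-port'
    $controller = Get-TopLevelValue $Lines 'external-controller'
    $secret     = Get-TopLevelValue $Lines 'secret'
    $findings   = @()

    if ($allowLan -eq 'true') {
        $findings += "INFO  allow-lan is on: proxy port $mixed is reachable from the LAN"
    }
    if ($controller) {
        # Host part of host:port; an empty host also means "all interfaces".
        $ctlHost  = $controller -replace ':\d+$', ''
        $wildcard = $ctlHost -in '', '0.0.0.0', '[::]'
        if ($wildcard -and -not $secret) {
            $findings += "HIGH  external-controller $controller on all interfaces with no secret"
        } elseif ($wildcard) {
            $findings += "WARN  external-controller $controller on all interfaces; bind it to one address"
        }
    }
    $findings
}

Test-MihomoExposure $lines
```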

Windows Defender Firewall inbound allowances

Microsoft ships aggressive defaults: even loopback exemptions differ from NIC-classified networks. Navigate to Windows Defender Firewall with Advanced Security, choose Inbound Rules, and craft a TCP rule permitting your mixed-port strictly on Private profiles while prototyping at home.

  • Name it something searchable like “Clash Mihomo Mixed 7890” so audits six months later do not classify it orphaned malware.
  • Scope remote IP allowances only if obsessive; narrower scopes break once DHCP hands guests new addresses anyway.
  • Public profile toggles belong off until you intimately trust every SSID handshake path.

Third-party suites (corporate McAfee layers, “Internet Security” bundles) may intercept before Defender sees packets—read their event logs if connections mysteriously black-hole though Test-NetConnection from another PC reports SYN-ACK success into Defender only.
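
The inbound rule described above, scripted for an elevated PowerShell session, as an added example that is not part of the original article. The port value is an assumption taken from the 7890 used throughout, and the LocalSubnet remote scope is an optional tightening that does not depend on individual DHCP leases.

```powershell
# Added example: adjust these two values to your merged YAML.
$Port     = 7890                        # mixed-port from the profile
$RuleName = 'Clash Mihomo Mixed 7890'   # searchable name, as suggested above

# Remove any earlier copy so re-running does not stack duplicate rules.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

$rule = @{
    DisplayName   = $RuleName
    Description   = 'Inbound HTTP/SOCKS for LAN proxy sharing (Mihomo mixed-port)'
    Direction     = 'Inbound'
    Action        = 'Allow'
    Protocol      = 'TCP'
    LocalPort     = $Port
    Profile       = 'Private'       # Public and Domain stay closed
    RemoteAddress = 'LocalSubnet'   # only hosts on a directly attached subnet
}
New-NetFirewallRule @rule | Out-Null

# Read back what was actually written: profile, port and remote scope.
$created = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Name          = $created.DisplayName
    Enabled       = $created.Enabled
    Profile       = $created.Profile
    LocalPort     = ($created | Get-NetFirewallPortFilter).LocalPort
    RemoteAddress = ($created | Get-NetFirewallAddressFilter).RemoteAddress
}

# Before travelling, close the hole without deleting the rule:
# Disable-NetFirewallRule -DisplayName $RuleName
```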

Configuring phones, tablets, and TVs

Android Wi-Fi advanced menus accept per-network HTTP proxies; iOS buries similar controls under per-SSID settings in recent releases. Televisions differ wildly: some Android TV builds honor manual proxies, others demand side-loaded proxy apps or router-level policies because vendors assume streaming boxes never leave vendor CDNs.

Populate both fields when UI splits them:

  • HTTP proxy host: your Windows IPv4
  • HTTP proxy port: mixed-port integer
  • SOCKS host: identical IPv4
  • SOCKS port: identical integer (because mixed-port multiplexes)

Applications ignoring OS-level proxy tables—common among Flutter utilities or oddly sandboxed OEM browsers—might still require per-app SOCKS injectors or simply fail; treat that as UX debt, not Mihomo breakage.

DNS expectations on downstream gadgets

Pointing only HTTP proxies does not automatically rewrite handset DNS lookups. Queries may still hit ISP resolvers leaking geo intent. Mihomo resolves upstream according to YAML dns stanzas, yet local operating systems prefetch before SOCKS encapsulation kicks in depending on scheduling.

When precision matters—for example region-locked catalogs sniffing Resolver endpoints—combine proxy testing with Mihomo fake-ip awareness logs. Document whether your Overrides pin domestic CDNs DIRECT to conserve bandwidth versus routing everything blindly through pricey exits.

Windows mobile hotspot quirks and ICS “bypass lanes”

Microsoft’s mobile hotspot allocates a deterministic mini-space such as 192.168.137.0/24 with the tethering PC occupying 192.168.137.1. Downstream tethered notebooks must configure proxies toward that dotted address—even though corporate Ethernet still exposes an entirely unrelated 10.0.88.x address concurrently.

Users searching Windows hotspot proxy bypass often misunderstand split scenarios: ICS supplies NAT forwarding; Mihomo binds per interface directives. Mixed-port listens globally after allow-lan, yet firewall rules categorized under Public might inadvertently block ICS NIC classes until manually reclassified in network location awareness settings.

After toggling hotspots, rerun ipconfig to catalogue new adapters like “Local Area Connection*”—they matter when diagnosing why only Ethernet clients succeed.

Smoke tests borrowed from impatient network engineers

  1. Loopback parity: From the gateway PC browse through system proxy referencing 127.0.0.1:mixed-port ensuring baseline health.
  2. LAN sanity: From a second wired machine ping the gateway IP, execute curl -x http://IP:PORT https://example.com.
  3. Verge Connections tab: Confirm flows list remote handset IPs, correct policy groups, and expected countries.
  4. Failure bisect: Temporarily elevate policy group to GLOBAL (only briefly) distinguishing rule gaps from outright transport blocks.

Keep ephemeral GLOBAL trials short—pricing and provider ToS dislike sustained full-tunnel benchmarking without planning.
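
A gateway-side preflight to run before step 2, as an added example that is not part of the original article. It reports the IPv4 on the default-route NIC, whether the mixed-port listener is bound beyond loopback, which process owns it, and how Windows classifies each connected network; the port value is an assumption.

```powershell
$Port = 7890   # assumption: the mixed-port from your merged YAML

# IPv4 on the NIC that currently wins the default route (lowest combined metric).
$route = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
    Select-Object -First 1
$lanIp = $null
if ($route) {
    $lanIp = (Get-NetIPAddress -InterfaceIndex $route.InterfaceIndex -AddressFamily IPv4 |
        Select-Object -First 1).IPAddress
}

# Listener state: loopback-only means allow-lan has not taken effect yet.
$listen = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
$owner  = $null
if (-not $listen) {
    $scope = 'nothing listening'
} else {
    $owner = (Get-Process -Id $listen[0].OwningProcess).ProcessName
    if ($listen.LocalAddress | Where-Object { $_ -notin '127.0.0.1', '::1' }) {
        $scope = 'reachable off-loopback'
    } else {
        $scope = 'loopback only'
    }
}

# A Private-only firewall rule does not match adapters classified as Public.
$categories = (Get-NetConnectionProfile |
    ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join '; '

[pscustomobject]@{
    GatewayIPv4       = $lanIp
    MixedPort         = $Port
    ListenerScope     = $scope
    ListenerProcess   = $owner        # confirms the port is not held by another service
    NetworkCategories = $categories
}

# Then, from a second Windows machine on the same LAN (substitute the values above):
#   Test-NetConnection -ComputerName <GatewayIPv4> -Port <MixedPort>
#   curl.exe -x http://<GatewayIPv4>:<MixedPort> -I https://example.com
```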

Security posture tenets you cannot negotiate away

  • Disable allow-lan when traveling; hotel VLANs mingle strangers faster than captive portals disclaim.
  • Never forward mixed-port blindly through WAN port-mapping without mutually authenticated overlays—consumers misunderstand “remote support” risks.
  • Rotate provider secrets promptly if proxies were exposed unintentionally—a leaked mixed-port doubles as SOCKS pivot for scanning.

Troubleshooting matrix

  • Devices connect but webpages hang at TLS handshakes: Corporate MITM inspecting HTTPS may distrust Mihomo egress roots; temporarily try DIRECT overlays for diagnostic hosts or inspect Mihomo TLS logs.
  • Android shows connected yet streaming apps veto playback: DRM stacks sometimes verify resolver locale separately; scrutinize GEOIP directives or provider domestic lists sending streaming CDNs contradictory paths.
  • CPU spikes coincide with ICS usage: Heavy QUIC plus misaligned UDP relays saturates hotspots; tweak protocol preferences or offload heavy downloads off tethered VLAN first.

Short answers teammates still Slack at midnight

Does macOS behave identically? Broadly yes—toggle allow-lan, align mixed-port, grant Little Snitch or pf rules—but screen captures differ enough that this Windows-centric article avoids pretending pixel parity.

Must I advertise HTTP and SOCKS URLs separately to kids’ tablets? Matching host plus identical port suffices because mixed multiplexes both grammars concurrently.

Would TUN on the gateway replace per-device SOCKS? TUN reshapes routing on that OS instance; tethered hotspots still demand explicit SOCKS/HTTP cues unless you escalate to routed gateway designs beyond this introductory scope.

Transparent routing versus closed consumer VPN dashboards

Shrink-wrapped VPN clients hide whether traffic truly rides an exit or quietly falls back DIRECT when QUIC fails. Debugging a Smart TV exhibiting that behavior resembles guessing through tinted glass—you toggle servers blindly until something sticks. Mihomo-based Clash clients such as Verge expose per-flow decisions: domain, matched rule snippet, outbound node, handshake latency snapshots. Hosting LAN shared proxy sessions atop that observable stack means televisions misbehaving over dinner become analyzable—you either adjust a rule, relax fake-ip quirks, or confirm the culprit was never your mixed-port firewall entry.

Compared with one-button anonymity apps marketed on neon gradients, disciplined Clash setups trade instant gratification for operability—you document Overrides once, propagate them alongside subscription refreshes, and stop relearning mystery toggles quarterly. That engineering clarity matters double when strangers on your hotspot depend on reproducible SOCKS endpoints.

If you rely on fiddly televisions and tablets that resent full-device VPN profiles, consolidating around Clash Verge Rev, allow-lan, and mixed-port converts the PC you already maintain into an intentional edge without buying another Raspberry Pi scavenged from a closet.
