Exploding Client List

Hey everyone,

I am using a Fritz 7590 as a Router and the Pi-Hole as DHCP and DNS for both IPv4 and IPv6.

The use of IPv6 is creating a huge mess of a Client List in Group Management.
Taking a look at the Database there are 16 listed Clients in the Network Table.

But 95 listed Clients in Network Addresses.

So it is not easy and quite confusing to maintain the client list for group management, because devices appear up to 6 times.

Is there another way to implement this, maybe on the base of MAC Addresses?

Greetings
Kaiske

Pi-hole Version vDev (release/v5.0, v4.3.5-445-g22ce5c0)
Web Interface Version vDev (release/v5.0, v4.3.2-436-g49da889-dirty)
FTL Version vDev (release/v5.0, vDev-71e8498)

You may see lots of different IPv6 addresses if you have configured Pi-hole to use a low value DHCP lease time.

IPv6 privacy extensions force generating a new global IPv6 address before the valid lifetime of its current address expires, so setting DHCP lease time to 4 hours might result in 6 addresses per NIC in 24 hours (or even more, if accounting for link-local and ULA addresses as well).

Yes, I know.
I already set the DHCP Lease time to 0/infinite.
In case the Fritzbox has any problems, the ULA is activated.

But that's not what I meant.
I am talking about the IPv6 address ranges.

These are all assigned to my phone.
192.168.178.xx
2003:cb:cf22:xxx:xxx:xxx:xxx:e4de
fe80::xxx:xxx:xxx:e4de
fd00::xxx:xxx:xxx:e4de
2003:cb:cf22:xxx:xxx:xxx:xxx:cfbb
fd00::xxx:xxx:xxx:cfbb

The fd00 Addresses should come from the DHCP Server.
As far as I understood IPv6 the 2003 addresses are addresses provided to connect to the Internet?!
I do not know what the fe80 address is though.

Edit: Typo

It is common for a device (or rather, a NIC) to have multiple IPv6 addresses in different ranges.

fe80: are non-routable link-local addresses, only valid on the same network segment. Always present.
fd00: is a ULA address, valid in private networks, i.e. potentially for all network segments in your home network. Only present if a ULA prefix is provided, e.g. by your router.
2003: is a public IPv6 address, visible on the Internet. Present if you are connected to the Internet.


Privacy extensions will produce an additional temporary IPv6 address, potentially for each of these ranges.

Pi-hole digests DNS requests, and that protocol leaves only the IP address as distinguishing criterion.

The Network overview, as a relatively recent addition to Pi-hole, is based on link-local network cache rather than DNS, and potentially has access to MAC addresses, but only of link-local (i.e. directly connected) devices.

There are current efforts to associate this to the IP addresses observed, but this is not a trivial matter, as privacy extensions are not the only reason for a device to appear by a different IP address, and then there are devices with multiple NICs (like WiFi/LAN connected laptops), and devices from other network segments (i.e. behind L3 switches or additional routers) showing up under the same MAC (i.e. the switch's or router's) etc.
On top of this, any solution has to make sure not to compromise Pi-hole's resolution speed.

Still, I agree that things can get a bit confusing with so many addresses.

At the moment, the only fail-safe way to reduce them would be to disable IPv6 completely (if you do not depend on IPv6 for some reason, of course, and if your router supports it).

Fortunately, your FritzBox is among the routers that would allow you to do so. :wink:

Another approach, as suggested here on the forum by e.g. @pisome, would be to keep your FB as DHCP server and distribute your Pi-hole's link-local address as local DNS server via DHCPv6. This would force your clients to just use their private addresses to send queries to Pi-hole.
You can give this a try, but note that this will only work if your network isn't segmented (i.e. all devices are connected directly to your FB by LAN or WiFi).

1 Like
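The address ranges described in the post above, as an added Python example (not part of the original thread and not Pi-hole code): it labels each address by range, groups IPv6 addresses by their lower 64 bits, and recovers a MAC where the interface identifier is EUI-64 derived. The sample addresses and MAC are constructed, the function names are hypothetical, and 2001:db8::/32 (the documentation prefix) stands in for a public prefix such as 2003:.

```python
import ipaddress
from collections import defaultdict

ULA = ipaddress.ip_network("fc00::/7")  # fd00::/8 is the locally assigned half

def scope(addr):
    """Label an address with the ranges discussed in the thread."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4-private" if ip.is_private else "ipv4-public"
    if ip.is_link_local:      # fe80::/10
        return "link-local"
    if ip in ULA:
        return "ula"
    return "global"           # everything else is treated as a public prefix here

def interface_id(addr):
    """Lower 64 bits of an IPv6 address, or None for IPv4."""
    ip = ipaddress.ip_address(addr)
    return None if ip.version == 4 else int(ip) & ((1 << 64) - 1)

def eui64_mac(iid):
    """Return the MAC if the interface ID is EUI-64 derived, else None."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":  # EUI-64 inserts ff:fe in the middle of the MAC
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]  # undo the flipped U/L bit
    return ":".join(f"{x:02x}" for x in mac)

def group_by_interface_id(addrs):
    """Map interface ID -> [(scope, address)]; IPv4 entries are skipped."""
    groups = defaultdict(list)
    for a in addrs:
        iid = interface_id(a)
        if iid is not None:
            groups[iid].append((scope(a), a))
    return dict(groups)

# Constructed sample: one NIC with MAC 00:11:22:33:44:55 plus temporary addresses
SAMPLE = [
    "192.168.178.20",
    "fe80::211:22ff:fe33:4455",
    "fd00::211:22ff:fe33:4455",
    "2001:db8:1:2:211:22ff:fe33:4455",
    "fd00::8c1a:7b2e:5d90:cfbb",         # temporary (privacy extension) address
    "2001:db8:1:2:8c1a:7b2e:5d90:cfbb",  # temporary (privacy extension) address
]

if __name__ == "__main__":
    for iid, members in group_by_interface_id(SAMPLE).items():
        print(eui64_mac(iid), members)
```

Grouping by interface identifier only works for EUI-64 style addresses; stacks that use RFC 7217 stable-privacy identifiers derive a different identifier per prefix, and temporary addresses carry no MAC at all.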

Thanks @Bucking_Horn , will try tomorrow setting the DHCPv6 server back to the Fritzbox.

I understand that this is not that easy. If it sounds like me complaining, that was not my intention.
I did not find it in the issues tab in the git repository and maybe this could be seen as a suggestion: combining the IP Addresses based on MAC Addresses and Hostnames if possible.

This could maybe be a problem since we are using a Fritz 1750E as repeater in mesh network mode.
There were no problems when using the last stable version with this. Other than flatmates complaining they could not open certain websites :smile:

Link Local address.
https://infogalactic.com/info/Link-local_address#IPv6

1 Like

Deactivating IPv6 completely is helping for now with this long list.
I deactivated it this morning in the Router and the DHCP Support on the Pi-Hole.

By now everything works fine with only IPv4 addresses configured in the group management.

Some IPv6 addresses still occur but those are the local addresses of the Pi and of the computer I am using (thanks @Stan-qaz for that information).

Also the host names for the IPv4 addresses show up, which was not the case when also using IPv6.
Some devices had this cryptic p200.... name.

The Fritz Repeater seems also not to be a problem so far.

You'd have to test for this - any device that constitutes a different network segment (e.g. by layer 3 switching or VLAN configuration) would be a road block for link-local addresses.

Your repeater may just be a layer 2 device, or there may be an option to configure it to act as one, so it may work.

Note that normal private IPv4 addresses (common FB range 192.168.178.0/24) are routable and thus are not affected by this limitation.

IPv6 strongly emphasises auto-configuration by devices, i.e. a device (or rather, the OS) decides how it will assign itself an IP address.

Commonly, a device won't request IP address assignment via stateful DHCPv6 (as it would do for IPv4 via DHCP), but will instead calculate its address by itself while (possibly) respecting certain information provided by routers (e.g. an address prefix or lifetime), again deciding which router's information it will use.


Seeing long cryptic hostnames (as you describe them) for global IPv6 addresses may hint at your ISP being considered by your device.
This would also be among the most common reasons for IPv6 devices to persistently bypass Pi-hole, querying your ISP's DNS server instead.

So all in all, if you've no compelling reason to use IPv6, this seems like a good choice: