When I try to access the web console I keep getting 403 Forbidden, but when I access with the IP v4 address everything works fine. Used to work fine, but after a reboot (and I think a change in the IPv6 address), is when the problem presented. Just created a debug log and it is in here: https://tricorder.pi-hole.net/inzHSPuP/
What is the exact URL you are using to access your Pi-hole's web interface?
On a side note:
*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
Scanning all your interfaces for DHCP servers
* Received 300 bytes from eth0:192.168.1.2
DHCP options:
Message type: DHCPOFFER (2)
dns-server: 192.168.1.2
domain-name: "local"
router: 192.168.1.1
You've configured local as your your local domain. *.local FQDNs are reserved for usage by the mDNS protocol and should not be used with DNS.
You should switch your DHCP server to another name.
@Bucking_Horn I been digging into this and I think I found out what is going on. So please let me know if I'm in the right direction:
From what I been reading lighttpd is configured to block public addresses, and from what I see in the file 99-dietpi-pihole-block_public_admin.conf it will block anything but IPv6 address that start with FE8, FE9, FEA, FEB (which I understand are local link addresses), and FC and FD (which are Unique Local Addresses), and will block anything else (like the Global Unique Address).
I did some testing based on your last request, and the host is resolving the GUA (which I think it makes sense), and looks like the first option is to resolve IPv6 over IPv4.
I logged using the LLA in the browser, and got the forbidden error, but looking into the 99-dietpi-pihole-block_public_admin.conf file, looks like it is checking for the /admin page, so if I use, the LLA and the /admin page, then the console opens OK.
Checking in FTL config I found the LOCAL_IPV6 option, and used it to override the GUA for the LLA (I think here is important to note that my ASUS router does not have the option to configure ULA)
With this new config I can log into the admin console, with the following options: http://pi.hole/admin and http://pi.hole.home/admin, but if I remove the admin, the I get the forbidden error
So I have two questions:
It is possible to configure pi-hole to resolve only the IPv4 when query for the local host and just for the local host?
It is ok to not redirect the web console to the admin page when accessing from an IPv6? Can this be fixed?
Note: I also changed the IPv6 address in the file /etc/pihole/setupVars.conf, not sure if this is also needed.
Thanks!
In short: If your router doesn't forward ports 80/443, you can safely disable the config, with the command that was provided during Pi-hole installation via dietpi-software, where you were asked whether you want to enable this "public" access blocking:
The block is based on public vs private IP ranges of the client. But with IPv6, when no ULAs are used, only GUAs can be used to connect to other IPv6 hosts in the LAN. So the webserver cannot distinguish between LAN and WAN clients, at least not trivially via client IP. If you have other web applications that you want to access from WAN, to not expose the Pi-hole admin panel, you can either enable ULAs and use them for the pi.hole host, or assign an IPv4 A record only, no AAAA record for pi.hole. I'm just having a look into the Pi-hole options how this is generally done, and which IPs are assigned automatically.
EDIT: Okay, pi.hole is managed FTL-internally (based on IPV6_ADDRESS in /etc/pihole/setupVars.conf?) and I do not see an option or config to prevent FTL from assiging this AAAA record. Also emptying IPV6_ADDRESS and restarting FTL does not unset that AAAA record. Since there is usually no need to use IPv6 for LAN connections, probably it makes sense to not assign an AAAA record for pi.hole by default, i.e. to have an option for this? However, it's really this combination only where it causes issues: IPv6 enabled on Pi-hole, no ULA assigned, access blocked (or any other action taken) based on private vs public IPv6 ranges, assuming that a public (GUA) IPv6 client address means a WAN client, which is a false assumption in this case.