Get rid of NAT64 setup
@@ -6,7 +6,6 @@
|
||||
- name: bridge1
|
||||
vlan-filtering: true
|
||||
- name: containers
|
||||
- name: nat64
|
||||
handle_absent_entries: remove
|
||||
handle_entries_content: remove_as_much_as_possible
|
||||
|
||||
@@ -69,9 +68,6 @@
|
||||
- bridge: containers
|
||||
interface: veth-coredns
|
||||
comment: CoreDNS container interface
|
||||
- bridge: nat64
|
||||
interface: veth-tayga
|
||||
comment: Tayga NAT64 container interface
|
||||
- bridge: bridge1
|
||||
interface: ether1
|
||||
pvid: 2
|
||||
@@ -180,7 +176,8 @@
|
||||
values:
|
||||
allow-remote-requests: true
|
||||
cache-size: 20480
|
||||
# CoreDNS container provides DNS64; it forwards upstream to 1.1.1.1/8.8.8.8.
|
||||
# CoreDNS container: plain forwarder with selective AAAA suppression.
|
||||
# Forwards upstream to 1.1.1.1/8.8.8.8.
|
||||
servers: 172.20.0.3
|
||||
|
||||
- name: Configure DNS static entries
|
||||
@@ -195,9 +192,9 @@
|
||||
# Do NOT add a lumpiasty.xyz FWD entry here. RouterOS FWD entries return
|
||||
# NOERROR with an empty answer instead of relaying NXDOMAIN, which breaks
|
||||
# getaddrinfo search-domain processing (ENOTFOUND for valid names in k8s
|
||||
# pods). The DNS64 bypass for our own zone lives in the CoreDNS Corefile
|
||||
# (mikrotik/coredns/Corefile, lumpiasty.xyz server block) which relays
|
||||
# rcodes correctly. See docs/coredns-nat64.md pitfall #4.
|
||||
# pods). Our own zone is handled in the CoreDNS Corefile (lumpiasty.xyz
|
||||
# server block, AAAA kept) which relays rcodes correctly.
|
||||
# See docs/coredns.md.
|
||||
handle_absent_entries: remove
|
||||
handle_entries_content: remove_as_much_as_possible
|
||||
|
||||
@@ -243,24 +240,6 @@
|
||||
handle_absent_entries: remove
|
||||
handle_entries_content: remove_as_much_as_possible
|
||||
|
||||
# Option 108 (IPv6-only preferred, RFC 8925). Without force=yes RouterOS only
|
||||
# includes the option for clients that request code 108 in their Parameter
|
||||
# Request List — i.e. RFC 8925-capable clients. Clients that receive it drop
|
||||
# IPv4 and rely on CLAT/NAT64, which REQUIRES pref64 in RA (see ND tasks below).
|
||||
- name: Configure DHCP server options (IPv6-only preferred, RFC 8925)
|
||||
community.routeros.api_modify:
|
||||
path: ip dhcp-server option
|
||||
data:
|
||||
# 32-bit seconds timer (V6ONLY_WAIT) — how long the client suppresses
|
||||
# IPv4. Refreshed on every renewal; acts as automatic fallback if the
|
||||
# DHCP server disappears. 0x00015180 = 86400 s (1 day).
|
||||
# Quoted to prevent YAML from parsing the hex literal as integer 86400.
|
||||
- name: v6only-preferred
|
||||
code: 108
|
||||
value: "0x00015180"
|
||||
handle_absent_entries: remove
|
||||
handle_entries_content: remove_as_much_as_possible
|
||||
|
||||
- name: Configure DHCP networks
|
||||
community.routeros.api_modify:
|
||||
path: ip dhcp-server network
|
||||
@@ -268,14 +247,12 @@
|
||||
- address: 192.168.0.0/24
|
||||
dns-server: 192.168.0.1
|
||||
gateway: 192.168.0.1
|
||||
dhcp-option: v6only-preferred
|
||||
- address: 192.168.255.0/24
|
||||
dns-none: true
|
||||
gateway: 192.168.255.10
|
||||
- address: 192.168.5.0/24
|
||||
dns-server: 192.168.5.1
|
||||
gateway: 192.168.5.1
|
||||
dhcp-option: v6only-preferred
|
||||
handle_absent_entries: remove
|
||||
handle_entries_content: remove_as_much_as_possible
|
||||
|
||||
@@ -288,18 +265,11 @@
|
||||
values:
|
||||
advertise-dns: true
|
||||
|
||||
# Per-interface ND entries must be CREATED — only the interface=all default
|
||||
# exists out of the box. The previous api_find_and_modify approach silently
|
||||
# matched zero entries and never applied pref64.
|
||||
#
|
||||
# pref64: NAT64 prefix discovery (RFC 8781) — required by clients honouring
|
||||
# DHCP option 108 to activate CLAT. Without it they go IPv6-only with no
|
||||
# working translation and appear stuck while "obtaining IP address".
|
||||
#
|
||||
# dns: RDNSS (RFC 8106) — IPv6-only clients ignore DHCPv4 entirely, including
|
||||
# its dns-server. They need an IPv6 DNS address from RA. We advertise the
|
||||
# router's own per-VLAN IPv6 address; RouterOS DNS forwards to CoreDNS.
|
||||
- name: Configure IPv6 ND per-interface (pref64 + RDNSS)
|
||||
# RDNSS (RFC 8106): advertise an IPv6 DNS server in RAs so dual-stack clients
|
||||
# have an IPv6 resolver. Points at the router's per-VLAN IPv6 address; RouterOS
|
||||
# DNS forwards to CoreDNS. No pref64 — NAT64 has been removed (see docs/coredns.md);
|
||||
# AAAA suppression now happens in CoreDNS, no client-side translation needed.
|
||||
- name: Configure IPv6 ND per-interface (RDNSS)
|
||||
community.routeros.api_modify:
|
||||
path: ipv6 nd
|
||||
data:
|
||||
@@ -308,9 +278,7 @@
|
||||
# entirely even when a static dns= list is configured.
|
||||
- interface: vlan2
|
||||
advertise-dns: true
|
||||
pref64: 64:ff9b::/96
|
||||
dns: 2001:470:61a3:9:ffff:ffff:ffff:ffff
|
||||
- interface: vlan5
|
||||
advertise-dns: true
|
||||
pref64: 64:ff9b::/96
|
||||
dns: 2001:470:61a3:a:ffff:ffff:ffff:ffff
|
||||
|
||||
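Review bot: Deleting the whole `ip dhcp-server option` task (the -243 hunk) means the playbook no longer manages that path, so on an already-provisioned router the `v6only-preferred` option definition is presumably left behind. The other removals in this file are pruned because their tasks stay and `handle_absent_entries: remove` drops the missing entry. If the option should disappear from the device, keep the task for at least one run with `data: []` and `handle_absent_entries: remove`, or record in docs/coredns.md that it must be deleted by hand. Separately, clients that already received option 108 may keep IPv4 suppressed for up to the 86400 s V6ONLY_WAIT while pref64 and the nat64 bridge are gone, so the docs should say how that window is handled (for example, by forcing a DHCP renew).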