Two Corefile changes:
- Add lumpiasty.xyz server block without dns64. Replaces the manual
RouterOS static FWD entry ("bypass nat64") which returned NOERROR
with empty answer instead of relaying NXDOMAIN. Combined with
ndots:5 and pod search domains this made getaddrinfo stop at the
search-suffixed candidate and fail with ENOTFOUND for valid names
(kaneo -> authentik OAuth fetch failures). CoreDNS relays rcodes
faithfully; internal zone keeps real AAAA for native IPv6.
- Add allow_ipv4 to dns64 (previously uncommitted): without it only
queries arriving over IPv6 are synthesized, but all clients reach
CoreDNS via RouterOS over IPv4, so translate_all never applied.

The RouterOS static FWD entry must be removed after deploying the new
image - ansible already declares only the ts.net entry, so a playbook
run handles it.

MikroTik: add vlan5 interface, bridge VLAN entry (ether3 tagged),
IP 192.168.5.1/24, IPv6 from-pool, DHCP pool/server/network,
firewall rules allowing IoT internet-only (IPv4 and IPv6),
DNS input from vlan5.

OpenWrt: add switch VLAN 5 (WAN+CPU tagged), br-iot bridge on
eth0.5, iot interface, iot firewall zone (forward ACCEPT,
input REJECT).

Also remove ensure_order from all non-firewall api_modify tasks
as RouterOS does not support move on those paths.

Move flat tasks/ and vars/routeros-secrets.yml into
roles/routeros/ with a main.yml that imports the domain
task files in order. Update playbooks/routeros.yml to
use the role instead of importing tasks directly.
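The shape of the Corefile the first change describes, as an added illustration rather than the repository's own Corefile; the upstream resolver addresses (192.0.2.x) are placeholders, and the dns64 prefix is left at the plugin's default:

```corefile
# Added illustration, not the repository's Corefile. Upstream addresses
# (192.0.2.x) are RFC 5737 placeholders.

# Internal zone: its own server block with no dns64. Real AAAA records
# pass through unchanged, and an upstream NXDOMAIN is relayed as NXDOMAIN,
# so a resolver with ndots:5 moves on to the next search candidate instead
# of stopping on a NOERROR/empty answer.
lumpiasty.xyz:53 {
    errors
    forward . 192.0.2.10   # placeholder: resolver authoritative for the zone
}

# Everything else: DNS64 synthesis (default well-known prefix 64:ff9b::/96).
# allow_ipv4 is required because clients reach CoreDNS via RouterOS over
# IPv4; without it dns64 only acts on queries that arrive over IPv6, so
# translate_all never takes effect.
.:53 {
    errors
    dns64 {
        translate_all
        allow_ipv4
    }
    forward . 192.0.2.53   # placeholder: upstream resolver
}
```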