MadaMada

@madamada@snac.void.my

SysAdmin with a simple life..interested in FOSS, FreeBSD, Linux, IPv6, cloud stuff and whatever things that come along the way I find interesting..
JabberID: madamada@xpath.my
Matrix: @madamada:matrix.org
Email: mada@void.my
Web: https://buster.xpath.my
Gemini: gemini://warlock.xpath.my
TheFediPeople: https://fediverse.info/explore/people
Yggdrasil: https://yggdrasil-network.github.io/

Update: Continuing on my IPv6-only journey with FreeBSD

These steps are rather brief, assuming you already have Tayga installed..

CLAT on Host

Tayga configuration

> cat /etc/tayga.conf
tun-device clat0
ipv4-addr 192.0.0.2
ipv6-addr 2001:db8:64:a::65
prefix 64:ff9b::/96
data-dir /var/db/tayga
wkpf-strict no
map 192.0.0.1 2001:db8:64:a::64
log drop reject

Routes

> cat /root/bin/routes-clat.sh
#!/bin/sh

# Create tun11 and rename it to clat0, the tun-device named in tayga.conf
ifconfig tun11 create name clat0
ifconfig clat0 inet 192.0.0.1/29 192.0.0.1 up
# Clear the IFDISABLED flag so the interface carries IPv6
ifconfig clat0 inet6 -ifdisabled
# IPv4 default route into the translator
route -n add default -iface clat0
# The /127 covers ::64 (mapped to 192.0.0.1) and ::65 (Tayga's ipv6-addr)
route -6n add 2001:db8:64:a::64/127 -iface clat0

Start CLAT and run the script..

service tayga start
/root/bin/routes-clat.sh
sysctl net.inet6.ip6.forwarding=1

NAT64/PLAT
The NAT64/PLAT is configured on a dual-stack machine.

Tayga configuration

> cat /etc/tayga.conf
tun-device nat64
ipv4-addr 10.64.64.1
prefix 64:ff9b::/96
wkpf-strict no
dynamic-pool 10.64.0.0/16
data-dir /var/db/tayga
log drop reject

Routes

> cat /root/bin/routes-nat64.sh
#!/bin/sh
net4='10.64.0.0/16'    # Tayga dynamic-pool
pref6='64:ff9b::/96'   # NAT64 prefix

# Create tun11 and rename it to nat64, the tun-device named in tayga.conf
ifconfig tun11 create name nat64
ifconfig nat64 inet6 2001:db8:64:a::8200/128 up
# Route the IPv4 pool and the NAT64 prefix into the translator
route -n add -net "$net4" -iface nat64
route -6n add -net "$pref6" -iface nat64

Start NAT64 and run the script..

service tayga start
/root/bin/routes-nat64.sh
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1

DNS64 - DNS64 with BIND9 or Unbound

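BIND9

dns64 64:ff9b::/96 {
    // trusted-nets is not a built-in ACL; define it elsewhere in named.conf
    clients { localhost; localnets; trusted-nets; };
    // A records in RFC 1918 space are never mapped into the prefix
    mapped { !10/8; !192.168/16; !172.16/12; any; };
    // AAAA records in these ranges are ignored when deciding whether to synthesize
    exclude { 0::/3; 4000::/2; 8000::/1; 2001:db8::/32; };
    recursive-only yes;
    // Synthesize even where the result would fail DNSSEC validation
    break-dnssec yes;
};

Unbound

module-config: "respip dns64 validator iterator"
dns64-prefix: 64:ff9b::/96

This guide is based on my tests running on a FreeBSD VPS. The host acted as a CLAT client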
and then later as a NAT64 router with the CLAT running in a vnet jail.

Update: Forgot to add the pf rules for NAT64..

ext_if="em0"
nat on $ext_if from 10.64.0.0/16 to any -> ($ext_if:0)
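
Added example, not part of the original post: a simplified Python model of the BIND9 dns64 block above, showing how an A record is embedded in 64:ff9b::/96 and which answers the mapped and exclude lists keep from being synthesized. The function names and sample records are constructed for illustration, and BIND's real resolver logic handles more cases than this.

```python
import ipaddress

# Values copied from the dns64 block in the post's BIND9 configuration.
PREFIX = ipaddress.ip_network("64:ff9b::/96")
NOT_MAPPED = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
EXCLUDE = [ipaddress.ip_network(n)
           for n in ("::/3", "4000::/2", "8000::/1", "2001:db8::/32")]


def synthesize(v4):
    """Embed an IPv4 address in the low 32 bits of the /96 prefix (RFC 6052)."""
    return ipaddress.IPv6Address(
        int(PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(v6):
    """Recover the IPv4 destination, as the NAT64 does for a packet it receives."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in PREFIX:
        raise ValueError(f"{v6} is outside {PREFIX}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records):
    """AAAA set returned to a client (simplified model of exclude/mapped)."""
    native = [ipaddress.IPv6Address(r) for r in aaaa_records]
    usable = [r for r in native if not any(r in n for n in EXCLUDE)]
    if usable:
        return usable  # a usable native AAAA exists, so nothing is synthesized
    v4 = [ipaddress.IPv4Address(r) for r in a_records]
    return [synthesize(r) for r in v4 if not any(r in n for n in NOT_MAPPED)]


if __name__ == "__main__":
    # Constructed sample answers (documentation and private ranges only).
    samples = [
        ("IPv4-only public host", ["192.0.2.33"], []),
        ("RFC 1918 A record", ["10.1.2.3"], []),
        ("AAAA in excluded range", ["198.51.100.7"], ["2001:db8::1"]),
        ("native global AAAA", ["192.0.2.33"], ["2a00::1"]),
    ]
    for label, a, aaaa in samples:
        print(f"{label:24} -> {[str(x) for x in dns64_answer(a, aaaa)]}")
```

An empty result for the RFC 1918 case means the client gets no AAAA at all, so internal IPv4 addresses are not reachable through the translator by name.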
