Haproxy behind NAT

I'm trying to get haproxy running and I have no static IP addresses from my ISP...
Common guides say just to use a wildcard listening address but that's an unsatisfying solution.
So I was thinking about letting haproxy run on the lan interface on the router and using nat to make it reachable from the outside, which works fine for IPv4 but not so fine for IPv6...
I used this equivalent IPv6 fw4 port forward rule:

config redirect
	option name 'My not so working NAT66'
	option src 'wan'
	option dest 'lan'
	option src_dport '443'
	option dest_port '8096'
	option dest_ip 'routers ula lan interface address'
	option target 'DNAT'
	list proto 'tcp'
	option reflection '0'
	option family 'ipv6'

The fw4 packet counter does increase but nothing shows up in the haproxy log.
haproxy is listening on this address.
Does anyone have an idea?
using the GUA address, it works but unfortunately the prefix is dynamic...
Is there an nft equivalent for the iptables suffix matching?
Or do I have to use a script to dynamically pull the address from the interface every time the fw restarts?
I couldn't find any info on the suffix matching.
So I ended up creating/modifying an fw script that pulls the gua from the lan interface and creates the proper rule.
And a simple sed replace in the haproxy init script.
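One way to do what that script has to do, as an added example that is not the poster's script: pick the GUA out of `ip -6 addr` output (skipping the ULA and link-local addresses) and emit a `uci batch` that fills the redirect's dest_ip with it. It assumes the LAN bridge is br-lan and names the redirect section haproxy6; both are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pick the LAN GUA out of `ip -6 addr`
# output and emit a uci batch that fills the redirect's dest_ip with it.
# Assumptions: LAN bridge is br-lan, the redirect section is named haproxy6.

# Print the first global-scope IPv6 address that is not a ULA (fc00::/7),
# i.e. the GUA, from `ip -6 addr show` text read on stdin.
lan_gua_from_ip_output() {
    awk '$1 == "inet6" && $3 == "scope" && $4 == "global" {
            split($2, a, "/")
            if (a[1] !~ /^f[cd]/) { print a[1]; exit }
        }'
}

# Emit uci batch commands for the IPv6 DNAT redirect: $1 = GUA,
# $2 = WAN port, $3 = destination port on the router.
uci_redirect_for() {
    cat <<EOF
set firewall.haproxy6=redirect
set firewall.haproxy6.name='haproxy IPv6 via GUA'
set firewall.haproxy6.src='wan'
set firewall.haproxy6.dest='lan'
set firewall.haproxy6.src_dport='$2'
set firewall.haproxy6.dest_port='$3'
set firewall.haproxy6.dest_ip='$1'
set firewall.haproxy6.target='DNAT'
set firewall.haproxy6.reflection='0'
set firewall.haproxy6.family='ipv6'
set firewall.haproxy6.proto='tcp'
EOF
}

# On the router this would run against the live interface, e.g. from a
# hotplug or firewall include script (not executed here):
#   gua=$(ip -6 addr show dev br-lan | lan_gua_from_ip_output)
#   uci_redirect_for "$gua" 443 8096 | uci batch && uci commit firewall
#   /etc/init.d/firewall reload

# Constructed sample of `ip -6 addr show dev br-lan` output with a dynamic
# GUA, a ULA and a link-local address.
SAMPLE_IP_OUTPUT='7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:abcd:1::1/64 scope global dynamic noprefixroute
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fd12:3456:789a::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever'

gua=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | lan_gua_from_ip_output)
uci_redirect_for "$gua" 443 8096
```

Running it from a hotplug script on the wan6 interface keeps dest_ip in step with the delegated prefix, which is what static nft matching cannot do when the prefix changes.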

When I wanted to get Wireguard VPN's IPv6 working I had to use NAT66 and did loosely follow OpenWrt's NAT66 and IPv6 masquerading guide. Especially

uci set firewall.@zone[1].masq6="1"

was helpful. That way I could use ULA's and the one IPv6 I get from the VPN provider.

Maybe that works for you too?

Isn't the Port Forward thing basically NAT66?
In the Wiki:

IPv6 port forwarding

IPv6 port forwarding can be configured similar to IPv4 since fw4 natively supports NAT66.

Set up a static DHCPv6 lease and configure IPv6 port forwarding using your ULA prefix.

Strange, I tested it and it works now.

So I ended up running haproxy on the lan interface.
Bound to the corresponding IPv4 and IPv6 ULA addresses on port 443.
Changed uhttpd to listen only on loopback with port 8080.
Setting up the Port Forwards:
One for IPv4 and the IPv6 one using the ULA prefix, both from port 443 to 443.
haproxy serving uhttpd (luci) and the other service on my network that I wanted to have behind haproxy with SSL encryption.
Setting up split dns.
And it works.
Only down side is, all internal traffic has to go through haproxy too.
But I didn't want to set up haproxy on the machine running the other service.
And this way I can add more services, actually kinda neat.

Now, I need to figure out how to make dnsmasq ignore the gua addresses from the odhcpd host file.
I modified the default odhcpd update script to scrap the gua addresses but I'm not sure if this will break other things...

whoops... It didn't work.
To make it work the source routing must be disabled as described in the wiki:

# Configure network
uci set network.wan6.sourcefilter="0"
uci commit network
/etc/init.d/network restart