i recently purchased a hap lite mini (RouterBOARD 931-2nD) and tried to use cloud dns with a pppoe interface for cameras but there is a huge problem!!! see the picture below and you will understand. (ros 6.40.6 bugfix the same happens with previous one).
to catch you up pppoe is the default route interface and the rules at firewall have been updated to match inteface. also ether1 dhcp client had been disabled with same results so i enabled it again with NO default route or use dns just for management to be able to login remotely. and for your curiosity the public ip address of the parent modem-router is not that it appears in the picture so i dont know from where this public ip shows up. can it be an ISP problem?

(edit)
when i use ident.me to figure out my public ip address it returns the real public address 100.66.171.167 so i dont think it is an ISP problem.

That IP your router detects at DHCP Client is actually an private network address range as follows: https://db-ip.com/all/100.66.171

The IP the cloud informs is actually your public IP which everyone can connect, but if your ISP denies certain ports that you need or uses NAT for a big chunk at the same public IP (so you share your public IP with other clients) then you need to ask for an private port range or NAT 1:1 (which ISPs knows as static IP in Brazil).

yes you are right. that is indeed a private address i didnt noticed. so it is an ISP problem. i will contact my provider. Thank You. I think it is solved.

Your ISP is using CGNAT which is very bad if you're running a network behind it since you'll have double NAT. https://en.wikipedia.org/wiki/Carrier-grade_NAT