wrote: I'd rather create a simple DNAT rule that redirects traffic coming from the client's subnet targeted at the WAN IP to the server at eth2.100 directly. Unfortunately this won't work with a dynamic WAN IP + DDNS. If that's the case, you could add a custom DNS entry that links the DDNS address to the server's local IP and thus there'd be no need for NAT whatsoever.
Yes, you can use DNAT to redirect a dest WAN IP to the internal server even with a dynamic WAN IP. In the DNAT rule, just use
destination group address-group ADDRv4_ethX
where X is adjusted to the eth port used for WAN.