IPv6 guest network on OpenWrt, but ISP only delegates one /64 subnet

I want to host both an ordinary unrestricted Wi-Fi network and a more restricted guest Wi-Fi network on the same OpenWrt router. The problem is that my ISP only delegates one /64 subnet to me. Obviously the ideal solution would be to switch to an ISP that delegates a /56 to each customer to allow up to 256 publicly addressable VLANs within the customer's network. Alas, I can't change ISPs or convince mine to change their policy, so how can I make my one /64 work for both the regular network and the guest network?

One option is to set up an IPv6 NAT on the guest network. It won't work for everything, but it's better than only having IPv4. Instructions for OpenWrt 23.05:

1. Complete the steps to set up an IPv4 guest network on OpenWrt.

2. Set a private IPv6 address and an IPv6 routed prefix on the guest interface. You can pick any subnet from fd00::/64 to fdff::/64. In this example I used the first one:

   

3. In the DHCP Server tab, turn on router advertisement and the DHCPv6 server:

   

4. In the IPv6 RA settings tab, set Default router to forced:

   

5. Go to the firewall settings and click the Edit button next to the guest zone:

   

6. Under Advanced Settings, check the box IPv6 Masquerading, but limit it to your private subnet:

   

   You don't have to enter your private IPv4 subnets here. If only an IPv6 subnet is specified on this tab, the IPv4 NAT continues to operate on all private subnets.

7. In the Traffic Rules tab, add a rule that allows ICMP input so that SLAAC works on the guest network:

   

If all went well, the regular network will continue to work as though there were no guest network. In addition, when a device on the guest network visits https://test-ipv6.com/, it will get a 10/10 score too and its public IPv6 address will be the IPv6 address of the router's WAN interface.