I don't think you will need rule number 6. From the LAN site your traffic will not pass the forward chain, since it is already routed to the input chain by dst-nat.
About MSN: what kind of protocol does MSN use? Does it use HTTP?
Anytime.
It seems beyond my expertise, but I'll give it a try. Thanks a lot.
1) Just make another packet-mark on chain output and name it "packet-from-proxy" with dst-address-list=512k
No other rule for 512k list. But I'm using web proxy and caching.
/ip dhcp-server network print
route print
/ip firewall export