I would like to make a suggestion. I noticed that the masquerade rule for the BTH clients masks the IP segment of the BTH clients but doesn’t specify the outbound interface. Therefore, it gets NATed even when the destination is in the internal network. For example, if someone logs into a server, it logs the IP of the router instead of the BTH client.
Would it be a good idea to set the rule to NAT only when the outbound interface list is the WAN? This could help create ACLs that affect individual BTH clients instead of all of them.
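As an added illustration (not from the original post or from any vendor documentation), the two variants of the masquerade rule in RouterOS CLI syntax, side by side, followed by the kind of per-client filter rule the suggestion makes possible. The BTH subnet 192.168.216.0/24, the interface list name WAN, the client address 192.168.216.10 and the management host 10.0.0.5 are assumed placeholder values, not taken from the post.

```routeros
# Added example, not the poster's configuration. Assumed values:
#   192.168.216.0/24 = the BTH client subnet (placeholder)
#   WAN              = interface list containing the uplink interface(s)
#   192.168.216.10   = one BTH client (constructed address)
#   10.0.0.5         = an internal management host (constructed address)

# Before: the rule matches on source address only, so traffic from BTH
# clients toward internal hosts is rewritten to the router's address as
# well; an internal server then logs the router, not the client.
/ip firewall nat
add chain=srcnat src-address=192.168.216.0/24 action=masquerade \
    comment="BTH masquerade (no out-interface restriction)"

# After: NAT applies only when the packet leaves through a WAN interface.
# Traffic between BTH clients and the internal network keeps its original
# source address, so server logs and ACLs can see the real client.
/ip firewall nat
add chain=srcnat src-address=192.168.216.0/24 out-interface-list=WAN \
    action=masquerade comment="BTH masquerade (WAN only)"

# With the client address preserved, a per-client rule becomes possible,
# e.g. keep a single BTH client away from the management host.
/ip firewall filter
add chain=forward src-address=192.168.216.10 dst-address=10.0.0.5 \
    action=drop comment="deny one BTH client -> mgmt host (example)"

# Check which masquerade rule is present and whether its counters move.
/ip firewall nat print stats where comment~"BTH"
```

Rule order matters in both chains: the WAN-only masquerade rule should replace, not follow, the unrestricted one (otherwise the broader rule still matches first), and the forward-chain drop has to sit above any accept rule that would otherwise pass the same traffic.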