I'm trying to dst-nat all internal requests to 80 and 443 to a local webserver
;;; dnat local 80 to pbody
chain=dstnat action=dst-nat to-addresses=10.255.252.2 to-ports=80 protocol=tcp src-address=!10.255.252.2 dst-address=10.255.252.254 in-interface=bridge3-5
dst-port=80 log=yes log-prefix="DNAT local 80:"
17 ;;; dnat local 443 to pbody
chain=dstnat action=dst-nat to-addresses=10.255.252.2 to-ports=443 protocol=tcp src-address=!10.255.252.2 dst-address=10.255.252.254 in-interface=bridge3-5
dst-port=443 log=yes log-prefix="DNAT local 80:"
the packets are getting forwarded it seems
19:01:09.065603 IP 10.255.252.150.49796 > 10.255.252.2.443: Flags [R], seq 3398444274, win 0, length 0
19:01:09.163794 IP 10.255.252.150.49796 > 10.255.252.2.443: Flags [S], seq 3398444273, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 865734842 ecr 0,sackOK,eol], length 0
19:01:09.165938 IP 10.255.252.150.49796 > 10.255.252.2.443: Flags [R], seq 3398444274, win 0, length 0
19:01:09.364872 IP 10.255.252.150.49796 > 10.255.252.2.443: Flags [S], seq 3398444273, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 865735042 ecr 0,sackOK,eol], length 0
19:01:09.366192 IP 10.255.252.150.49796 > 10.255.252.2.443: Flags [R], seq 3398444274, win 0, length 0
19:01:09.769425 IP 10.255.252.150.49796 > 10.255.252.2.443: Flags [S], seq 3398444273, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 865735442 ecr 0,sackOK,eol], length 0
19:01:09.771483 IP 10.255.252.150.49796 > 10.255.252.2.443: Flags [R], seq 3398444274, win 0, length 0
19:01:10.573701 IP 10.255.252.150.49796 > 10.255.252.2.443: Flags [S], seq 3398444273, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 865736243 ecr 0,sackOK,eol], length 0
19:01:10.576169 IP 10.255.252.150.49796 > 10.255.252.2.443: Flags [R], seq 3398444274, win 0, length 0
I’ve got nginx working just fine on the host 10.255.252.2
but I’m not getting a response
presumably because of a return route path ?
i.e. 10.255.252.150->254->2->150
the return path doesn’t return via 254
any other way of achieving what I’m trying to do?
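
The return-path problem described in the post, traced as a small model (an added example, not part of the original post and not RouterOS code). It assumes the client and server share a layer-2 segment, as the post's return path implies, and models a hypothetical source-NAT step on the router (`router_srcnat`, often called hairpin NAT) to show how the reply path changes.

```python
# Added illustration; addresses and port come from the post's rules and capture.
ROUTER = ("10.255.252.254", 443)
SERVER = ("10.255.252.2", 443)
CLIENT = ("10.255.252.150", 49796)


def simulate(router_srcnat):
    """Trace one SYN / SYN-ACK exchange. Returns (events, connected)."""
    events = []
    # The client connects to the router address and only accepts replies from it.
    expected_peer = ROUTER
    src, dst = CLIENT, ROUTER
    events.append(("SYN client->router", src, dst))

    # dst-nat as in the post: destination rewritten, original tuple remembered.
    conntrack = {"orig_src": src, "orig_dst": dst}
    dst = SERVER
    if router_srcnat:
        # Assumed extra source-NAT step: the server now sees the router as source.
        src = (ROUTER[0], CLIENT[1])
    events.append(("SYN router->server", src, dst))

    # The server replies to whatever source address it saw.
    r_src, r_dst = dst, src
    if r_dst[0] == ROUTER[0]:
        # Reply goes back through the router, which reverses both translations.
        events.append(("SYN-ACK server->router", r_src, r_dst))
        r_src, r_dst = conntrack["orig_dst"], conntrack["orig_src"]
    # Otherwise (assumed shared L2 segment) the reply bypasses the router entirely.
    events.append(("SYN-ACK delivered to client", r_src, r_dst))

    connected = r_src == expected_peer
    if not connected:
        # No socket matches this peer, so the client's stack resets it.
        events.append(("RST client->server", r_dst, r_src))
    return events, connected


if __name__ == "__main__":
    for flag in (False, True):
        events, ok = simulate(flag)
        print(f"router_srcnat={flag} connected={ok}")
        for name, s, d in events:
            print(f"  {name}: {s[0]}.{s[1]} > {d[0]}.{d[1]}")
```

With `router_srcnat=False` the trace ends in a reset from 10.255.252.150.49796 to 10.255.252.2.443, the same direction as the `[R]` lines in the capture above.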