When your PC sends out a packet, it expects to receive a packet from the website’s IP. This is not happening in your scenario.
If your Mikrotik does dst-nat, the website’s IP is being lost. So when your squid replies, the src-IP is the squid ip and not the website IP. But unfortunately dst-nat is required to re-route the packet to the squid-ip.
If you use a route instead of dst-nat, your squid server will receive the packet whose dst-ip is still the website and will drop the packet because of this.
I don’t think there is a function in the Mikrotik to remember the website IP and then do src-nat to change the packet’s src-nat from squid-ip to website-ip.
Instead I think your squid server needs to be in between the NAS and CCR in your diagram. Then it would filter HTTP traffic passing through it. This setup wouldn’t require config on the Mikrotik.
The squid server needs to be doing the nat.
In the Mikrotik, you use the policy routing as you’re doing by setting the next hop address as the squid server’s IP.
(use a default gw route dst=0.0.0.0/0 gateway=squid_ip as the route, not the squid IP as the destination IP)
Remove dstnat from the Mikrotik.
Then on the squid server, put a REDIRECT rule:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Of course there should be a default masquerade rule on the ISP gateway router, regardless of whether the source IP is the squid box or the LAN range(s).
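
The three setups discussed in this thread, modelled as an added example that is not part of the original posts: dst-nat on the router, a plain route to the squid box, and a route plus REDIRECT on the squid box. The addresses are constructed, and the model assumes that in the dst-nat case the squid reply reaches the PC without passing back through the router's connection tracking.

```python
from dataclasses import dataclass

# Constructed sample addresses (not from the thread).
PC, SQUID, WEBSITE = "192.168.88.10", "192.168.88.2", "203.0.113.80"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    """Minimal conntrack model: remembers the original destination of a rewritten flow."""
    def __init__(self):
        self.conntrack = {}  # (client ip, client port) -> (original dst ip, original dst port)

    def dnat(self, pkt, new_dst, new_dport):
        self.conntrack[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, new_dst, new_dport)

    def reverse(self, reply):
        # Restore the original destination as the reply's source, if this box saw the flow.
        orig = self.conntrack.get((reply.dst, reply.dport))
        return reply if orig is None else Packet(*orig, reply.dst, reply.dport)

def client_accepts(request, reply):
    # A TCP client only matches a reply coming from the address and port it contacted.
    return reply is not None and (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)

def reply_seen_by_pc(mode):
    request = Packet(PC, 40000, WEBSITE, 80)
    nat = NatBox()
    if mode == "router-dstnat":
        # The router holds the conntrack entry, but the reply never passes back through it.
        at_squid = nat.dnat(request, SQUID, 8080)
        return request, Packet(SQUID, 8080, at_squid.src, at_squid.sport)
    if mode == "route-only":
        # The packet arrives with dst=WEBSITE; no local socket owns that address, so no reply.
        return request, None
    if mode == "route+redirect":
        # REDIRECT happens on the squid box itself, so the same box un-NATs the reply.
        at_squid = nat.dnat(request, SQUID, 8080)
        return request, nat.reverse(Packet(SQUID, 8080, at_squid.src, at_squid.sport))
    raise ValueError(mode)

def works(mode):
    return client_accepts(*reply_seen_by_pc(mode))

if __name__ == "__main__":
    for mode in ("router-dstnat", "route-only", "route+redirect"): print(mode, works(mode))
```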