may be in Brazil there are lots of criminals ,but in our situation we need that option to limit users that are not on our network from trying get the identity of the network runing in the air.
So if they set up a web server on a public address and open that page from your network, they will find your IP in the server log.
And it does not matter what you do on your network, the http request will include the public address.
So your only option is to enforce a transparent proxy by using a preroute redirect rule, and then the proxy address will show up.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.