I want to add transparent web proxy to the subnet office (192.168.200.0/24). I have 4 ipsec tunnes that i want to exclude from webproxy (always use port 80 through ipsec tunnels). Where should I place the NAT rule (add chain=dstnat protocol=tcp src-address=192.168.200.0/24 dst-port=80 action=redirect to-ports=8080) to exlcude ipsec traffic? Or i need to set dst-address-list=!ipsecsubnets in the NAT rule of webproxy? (where ipsecsubnets=10.xx.xx.xx/24,192.168.100.xx/24,192.9.xx.xx/24,192.168.10.xx/24).

/ip firewall nat>
.....
16 ;;; Disable masquerade for IPSEC tunnels
chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=10.xx.xx.xx/24
17 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.100.xx/24
18 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.9.xx.xx/24
19 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.10.xx/24

20 ;;; NAT office
chain=srcnat action=src-nat to-addresses=2.xxx.xx.xx src-address=192.168.200.0/24 out-interface=ether1-gateway

Thanks!

The "dstnat" chain is TOTALLY SEPARATE from "srcnat". It means, that it doesn't matter, if you place it before or after the srcnat rules. When the packet enters the router, all dstnat rules (in proper order) are applied, and later - before it leaves - the srcnat rules. If you don't want the packets going to TCP port 80 of the IPSec addresses be redirected to proxy - then you need to exclude them, for example using the "address-list=!..." or adding a second dstnat rule "accept" for them before the redirect.

thank's a lot!