I want to add a transparent web proxy to the office subnet (192.168.200.0/24). I have 4 IPsec tunnels that I want to exclude from the web proxy (always use port 80 through the IPsec tunnels). Where should I place the NAT rule (add chain=dstnat protocol=tcp src-address=192.168.200.0/24 dst-port=80 action=redirect to-ports=8080) to exclude IPsec traffic? Or do I need to set dst-address-list=!ipsecsubnets in the NAT rule of the web proxy? (where ipsecsubnets=10.xx.xx.xx/24,192.168.100.xx/24,192.9.xx.xx/24,192.168.10.xx/24).
/ip firewall nat>
.....
16 ;;; Disable masquerade for IPSEC tunnels
chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=10.xx.xx.xx/24
17 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.100.xx/24
18 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.9.xx.xx/24
19 chain=srcnat action=accept src-address=192.168.200.0/24 dst-address=192.168.10.xx/24
20 ;;; NAT office
chain=srcnat action=src-nat to-addresses=2.xxx.xx.xx src-address=192.168.200.0/24 out-interface=ether1-gateway
Thanks!
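The address-list approach the post asks about, written out as an added example (not configuration from the original post). The redirect is done in the dstnat chain, which runs before routing and before the IPsec policy lookup, so a redirect would pull port-80 traffic to the router's own proxy before it can match a tunnel policy; negating an address list of the remote subnets keeps that traffic in the tunnels, and the existing srcnat accept rules are not involved. The subnet values are copied from the post with its xx placeholders, and the LAN interface name is a placeholder to replace.

```routeros
# Added example: transparent proxy that skips IPsec destinations.
# Remote subnets copied from the post (xx placeholders kept as-is).
/ip firewall address-list
add list=ipsecsubnets address=10.xx.xx.xx/24 comment="IPsec remote subnet 1"
add list=ipsecsubnets address=192.168.100.xx/24 comment="IPsec remote subnet 2"
add list=ipsecsubnets address=192.9.xx.xx/24 comment="IPsec remote subnet 3"
add list=ipsecsubnets address=192.168.10.xx/24 comment="IPsec remote subnet 4"

# Redirect only office HTTP traffic whose destination is NOT in the list.
# <office-lan-interface> is a placeholder: the bridge/ether facing 192.168.200.0/24.
/ip firewall nat
add chain=dstnat protocol=tcp src-address=192.168.200.0/24 \
    in-interface=<office-lan-interface> \
    dst-address-list=!ipsecsubnets dst-port=80 \
    action=redirect to-ports=8080 \
    comment="Transparent web proxy, IPsec destinations excluded"

# Local proxy listening on the redirect port.
/ip proxy
set enabled=yes port=8080

# Verification: the redirect counters should grow for Internet-bound HTTP
# but stay flat when a host in 192.168.200.0/24 browses a tunnel subnet.
/ip firewall nat print stats where chain=dstnat
```

The srcnat accept rules shown in the post stay as they are; they only control masquerading of the tunnel traffic and do not interact with the dstnat redirect.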