>Makes sense to me.

Yea, I just don't know, technically speaking, where the -m mac should appear: in the POSTROUTING line, or the first FORWARD line. Ultimately I would only want masq'ing to be done for this one device on port 443.

>Is the host that you are wanting to bypass your proxy on the same segment as the $LAN interface defined in your rulesets?

It is, how come? I could filter by IP instead of MAC but this is easier and, although a non-issue really, more secure.

Thanks!
jlc