SNAT or not to NAT, that's the question

Hi there!

So I have a host with a public IP in the same subnet as the ipfire red interface. Since there is no need for my local clients to use SNAT to connect to this host (and the services are not so NAT-friendly), I made this rule:

local subnet => allow HTTPS (and some other ports) to specific host with public IP in same subnet as RED interface.
To make sure, that the rule without the SNAT is used, I set the rule to position 1.

I also have a rule which allows the local subnet to access websites using SNAT (HTTP/HTTPS)

Unfortunately, as long as the second rule for webacces (with SNAT)is actve, this rule is always used and the direct option for the specified host without NAT is ignored.

If I deactivate the webaccess rule, everything works as it should.

How do I get this working?
SNAT for general webaccess and for the specific host direct connection.
Any help?