I think that's because traffic going to an outside server is getting mangled in prerouting before the Hotspot has a change to intercept it. Try replacing add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connectio...