I'm trying to setup a rather unusual configuration on my heX (RB750Gr3):
on a heX I need a PBR rule which redirects all TCP traffic to dst.port 80+443 from the port 2 to the transparent proxy (to its eth0.10 interface), which is a "router on a stick" - a PC with only one NIC and two VLANs. The HTTP/HTTPS traffic is processed on the transparent proxy and sent back using eth0.20 interface.

I fount a configuration example with an additional swith, but I wonder if it can be done with heX alone.

It can be done.

• "router on a stick" (let's call it proxy) with the two VLANs should actually be connected to only one ether port on hEX. Let's say it'll be ether5
• by default hEX has bridge with all ports but ether1 as members. You should remove ether5 from that bridge
• configure VLAN interfaces on ether5:
  Code: Select all

  /interface vlan
  add interface=ether5 name=e5v10 vlan-id=10
  add interface=ether5 name=e5v20 vlan-id=20
  

• configure IP addresses for both VLANs
  Code: Select all

  /ip address 
  add interface=e5v10 address=<router VLAN10 address>/24
  add interface=e5v20 address=<router VLAN20 address>/24
  

• ideally both proxy's IP addresses will be in different LAN subnets, both different than "normal" LAN subnet.
  You can use smaller subnets for proxy's interfaces if you want (I don't see any benefit in doing it though, there are enough "standard sized" private subnets available)
• after that you construct firewall filter/nat/mangle rules using IP addresses (of the client PC, both proxy's addresses, ...)

It can be done.

Thank you, it worked!