Hi Giganet,
First off, I personally don't like to redirect any ports on MikroTik, especially for proxy reasons. Depending on the router board, it tends to take a lot of resources, and there are easier ways.
I have a RadiusManager authenticating all my PPPoE clients, and once their cap has been reached, the only page they can access is the radman UCP (user control panel) page, where the clients can purchase more bandwidth.

Now in your case scenario, I would disable all the masquerading NAT rules on all my high-sites except your head office router connected to the ADSL router.

Add routes forward and backwards to your high-sites so that you can ping your CPE units from your head office router board (keep the masquerading NAT rule enabled on the CPEs; you don't want to ping the client's local network as well).

Then I would take a small designated server hosting a simple webpage through a static ip (locally)

Then on your head office router board I would add the following firewall nat rule:

add chain=dstnat src-address=(Client CPE IP Address) action=dst-nat to-addresses=(Webserver IP Address) protocol=tcp to-ports=0-65535

And then add a Static DNS entry:

add address=(Webserver static ip)
set allow-remote-requests=yes

And voilà, through this you can enable and disable the NAT as you please.
I hope this helps you, and when it comes to MikroTik, I try to keep it simple.
Resistance is futile
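
A variant of the setup described in the post above, written out as a RouterOS fragment (an added example, not the poster's own configuration). It narrows the redirect to plain HTTP, switches clients on and off through an address list instead of editing the NAT rule, and blocks outside DNS queries that `allow-remote-requests=yes` would otherwise answer. The addresses, the list name `capped`, the host name and the interface name `ether1-wan` are constructed placeholders.

```routeros
# Constructed placeholders, not values from the post:
#   192.0.2.10          walled-garden web server (static IP)
#   10.10.1.25          CPE address of one capped client
#   ether1-wan          interface facing the ADSL router (assumed name)
#   portal.example.net  host name of the notice page (hypothetical)

# One address-list entry per capped client; the NAT rule itself never changes.
/ip firewall address-list
add list=capped address=10.10.1.25 comment="cap reached"

# Redirect only plain HTTP from capped clients to the notice page.
# Redirecting HTTPS as well would only produce certificate errors in the browser.
/ip firewall nat
add chain=dstnat src-address-list=capped protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.0.2.10 to-ports=80 \
    comment="capped clients -> notice page"

# Static name for the notice page, resolved by the router for its clients.
/ip dns static
add name=portal.example.net address=192.0.2.10

/ip dns
set allow-remote-requests=yes

# With allow-remote-requests=yes the router answers DNS on every interface.
# Drop queries arriving from the WAN side so it does not become an open resolver.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop \
    comment="no DNS from WAN"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop \
    comment="no DNS from WAN"

# Lifting the restriction once the client has topped up:
/ip firewall address-list
remove [find list=capped address=10.10.1.25]
```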

