We needed to do something similar. Instead of creating exemptions, we just defined what internal IP ranges needed to be NAT’ed. Everything else isn’t.
We did not enable NAT on any interfaces in the GUI. I added the following line to the startup scripts under NAT and Virtual Servers. You can add multiple lines if needed.
iptables -t nat -A POSTROUTING -s 172.21.0.0/16 -o ETH01 -j MASQUERADE
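The same approach extended to several internal ranges, as an added example that is not part of the original post: a small POSIX shell script that emits one MASQUERADE rule per listed range and checks for the rule before appending it, so re-running the startup script does not stack duplicates. ETH01 and 172.21.0.0/16 are taken from the post above; 10.50.0.0/16 is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the original post): generate idempotent MASQUERADE
# rules for a list of internal ranges on one egress interface. Interface name
# ETH01 comes from the post; 10.50.0.0/16 in the usage line is a constructed
# sample. Only traffic from the listed ranges is NAT'ed; anything else is not.

# Basic IPv4 CIDR sanity check (a.b.c.d/n, octets 0-255, prefix 0-32)
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    ip=${1%/*}
    for o in $(echo "$ip" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# nat_rules IFACE RANGE...  -> prints one shell line per range.
# Each line checks (-C) before appending (-A) so that re-running the startup
# script after a reload does not add a second copy of the POSTROUTING rule.
nat_rules() {
    iface=$1; shift
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
        printf 'iptables -t nat -C POSTROUTING -s %s -o %s -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
            "$net" "$iface" "$net" "$iface"
    done
}

# apply_nat IFACE RANGE...  -> run the generated rules (needs root and iptables),
# then list the loaded POSTROUTING rules so the result can be verified.
apply_nat() {
    nat_rules "$@" | sh -e
    iptables -t nat -S POSTROUTING
}

# Usage (as root on the router): apply_nat ETH01 172.21.0.0/16 10.50.0.0/16
```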