Hi,
I am somewhat new to MikroTik (hap ac2) and networking.
To send DNS requests from my kids' devices to OpenDNS I set up this rule:
chain=dstnat action=dst-nat to-addresses=208.67.222.123 protocol=udp src-address-list=Parental-Control-List-IPs dst-port=53
This blocks like I expected it to do.
Now I have set up DNS Safety by Diladele https://dnssafety.diladele.com/index.html on an RPi 3 on my local network to block ads.
So I set up the following rule:
chain=dstnat action=dst-nat to-addresses=192.168.88.241 protocol=udp src-address-list=DNS-Safety-List-IPs dst-port=53
Edited: I found this blog post: https://paul.af/pi-hole-revisited → "With this addition, the Pi-hole dashboard shows requests as coming from the router’s IP as opposed to the device IP but I’m personally fine with that."
I actually do want to get the request from a specific device IP because I can then set certain policies with DNS Safety. How can I do that?
This does not work, so I added the following rule:
chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 dst-address=192.168.88.241 dst-port=53
But when I look in the DNS Safety access log, all requests originate from 192.168.88.1, which is the MikroTik router and not the device I am browsing from. This means the incorrect policy is called.
I don’t want to send all DNS requests to the RPi box yet, so I don’t want to set a fixed DNS server in my DHCP options.
Is anyone else using DNS Safety in combination with MikroTik? If so, have you set it up so you can redirect some and not all DNS requests to it?
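The behaviour described in the post, as an added example that is not part of the original post and is not RouterOS code: a small model of one DNS query passing through the two NAT rules, showing why dst-nat alone fails when client and DNS box share 192.168.88.0/24 and why adding masquerade makes the access log show 192.168.88.1. The client address, the original resolver address and the separate-subnet case (192.168.99.241) are constructed assumptions, and the model goes beyond the post by including that third case.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

ROUTER = "192.168.88.1"     # from the post
DNS_BOX = "192.168.88.241"  # from the post
CLIENT = "192.168.88.50"    # constructed sample client in 192.168.88.0/24
ORIG_DNS = "192.0.2.53"     # constructed: resolver the client believes it queries


def same_lan(a, b):
    """True when both hosts share a /24 and talk without crossing the router."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def simulate(masquerade, dns_box=DNS_BOX):
    """Follow one DNS query to dns_box and back.

    Returns (source IP the DNS box logs, True if the client accepts the reply).
    """
    query = Packet(CLIENT, ORIG_DNS)
    natted = query._replace(dst=dns_box)       # dstnat rule
    if masquerade:
        natted = natted._replace(src=ROUTER)   # srcnat masquerade rule
    # Connection tracking: maps the expected reply back to the original pair.
    conntrack = {Packet(natted.dst, natted.src): Packet(query.dst, query.src)}

    reply = Packet(dns_box, natted.src)
    if reply.dst != ROUTER and same_lan(reply.src, reply.dst):
        delivered = reply                      # bypasses the router, no un-NAT
    else:
        delivered = conntrack[reply]           # router restores the addresses
    # The client only accepts an answer from the address it queried.
    accepted = delivered == Packet(query.dst, query.src)
    return natted.src, accepted


if __name__ == "__main__":
    print("dst-nat only:        ", simulate(False))
    print("dst-nat + masquerade:", simulate(True))
    # Assumption, not in the post: DNS box moved to its own routed subnet.
    print("separate subnet:     ", simulate(False, "192.168.99.241"))
```

In the model, the only case where the DNS box logs the real client address and the client still accepts the answer is the one where the reply has to route back through the router.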