Hi, I have a Pi-Hole server up and running on a linux machine.

I have 2 LAN Subnets on 2 ports which are -

ether1=10.10.10.1/24 and ether2=10.10.9.1/24

Both of the subnet is assigned for an individual DHCP server which gateways are 10.10.10.1 and 10.10.9.1

Pi-Hole Server is sitting under ether1 Interface, which IP is 10.10.10.5. I have configured this IP as my DNS server accross all of my devices using DHCP Server

For better understanding, here's my network diagram



my NAT Rules are -

add action=masquerade chain=srcnat src-address=10.10.10.0/24
add action=masquerade chain=srcnat src-address=10.10.9.0/24

I checked the DNS logs, every requests are coming from 10.10.10.1 and 10.10.9.1.

I can't understand what's wrong with my configuration. I need requests from the Device IP's not from their Gateway IP's

If your end devices are configured to use the gateway-IP as DNS then this is normal and you will never see requests from individual LAN devices.
You have the correct DNS-settings in your DHCP-config ? Please post some relevant config pieces for DHCP etc and conceptual drawing if the Pihole is sitting on some special separate network or something. What is the LAN-IP of the Pihole etc,etc,etc

If your end devices are configured to use the gateway-IP as DNS then this is normal and you will never see requests from individual LAN devices.
You have the correct DNS-settings in your DHCP-config ? Please post some relevant config pieces for DHCP etc and conceptual drawing if the Pihole is sitting on some special separate network or something. What is the LAN-IP of the Pihole etc,etc,etc

I have updated the post with some more details.

Adapt your masq-rules and include the outgoing ISP interface ??
Without specifying the exiting "Internet" interface it will probably do a bit more more snat/masq where you don't want it.

You want traffic from/between 10.10.10.x and 10.10.9.x to flow without any translation/nat/masq actions I guess, just "routed".

Adapt your masq-rules and include the outgoing ISP interface ??

I agree that masquerade rules should include outgoing ISP interface. But if masq rules are changed that way, you can probably only keep one and omit specifying the src-address. This way router will masq anything going out of ISP interface, no matter what original src-address of packet was. Hence single rule would be enough.

If you only have one WAN connection
add action=masquerade chain=src-nat in-interface=wanconnectionport

DHCP server-network DNS setting for the the user network should be the IP address of the pi-hole device.
Ensure the user subnet has access tot he pi-hole device in forward chain.
Ensure the pi-hole device and the users have access to the internet

add action=masquerade chain=src-nat in-interface=wanconnectionport

ehm...

/ip fire nat
add action=masquerade chain=srcnat out-interface=<WAN-interface> src-address=10.10.0.0/16

I Dont have source addresses on both my masquerade rules.
How on earth have I survived this long??

/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN - FibreOP" \
ipsec-policy=out,none out-interface=vlanbell
add action=masquerade chain=srcnat comment="SCR_NAT for LAN - Cable" \
ipsec-policy=out,none out-interface=Eastlink_eth7


what the heck is this trickery 10.10.0.0/16 ??
to clever for your own good LOL

Why not just go right to 10.0.0.0/8

For spoofing reason... must be use the shortest interval possbile, or at least more than one rule for each net

User use (only?)
10.10.10.x and 10.10.9.x

for both 10.10.0.0/16 if 9 and 10 is used, probably also 1,2,3,4 etc.

10.0.0.0/8 is too big and "fast" unique subnet for both are 10.10.0.0/16

the real short for 9 + 10 only are 10.10.8.0/22