Well, that's too vague of a response.
Condition 1 - many VLANs and one separate VLAN where the AdGuard or DNS server resides - covered, no need for source NAT.
Condition 2 - only one LAN subnet, and the users and the AdGuard/DNS server device are on the same subnet - covered; source NAT is needed, say you and one other yahoo.
Condition 3 - many VLANs, and the AdGuard/DNS device is on a VLAN that also contains users that should go through the AdGuard/DNS server.
So we have a situation where condition 3 has not been fully explored, but it has traces of both conditions 1 and 2 in it.
Personally, I will be adamant that you don't need source NAT regardless of location; you have not shown why. Just telling me it's so carries no water, LOL.
Ex. VLANs 10, 20, 30, 40, 50, and they all belong to the interface list LAN.
- VLAN 50 contains the AdGuard/DNS server on 192.168.50.50; VLAN 20 needs to use regular DNS from the router.
- Firewall address list called "excluded" includes 192.168.20.0/24 AND 192.168.50.50.
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.50.50
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.50.50
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.50.50
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1
Input chain rules:
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
Forward chain rules:
add chain=forward action=accept in-interface-list=LAN dst-address=192.168.50.50
Dst NAT rules:
add chain=dstnat action=dst-nat in-interface-list=LAN src-address-list=!excluded dst-port=53 protocol=tcp to-addresses=192.168.50.50
add chain=dstnat action=dst-nat in-interface-list=LAN src-address-list=!excluded dst-port=53 protocol=udp to-addresses=192.168.50.50
Src NAT rules:
Not required, but who knows, I could be wrong. It's happened before... once.
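As an added illustration, not the poster's own config: a Python model of the dstnat rule and the "excluded" address list above, run over constructed sample queries, which also traces where the reply comes from when a client shares VLAN 50 with the server (the case condition 3 is about). The VLAN subnets and 192.168.50.50 come from the post; client addresses such as 192.168.50.20 are constructed for the example.

```python
# Added illustration (not the poster's config): model of the dstnat rule and
# address list from the post, plus a trace of the DNS reply path.
from ipaddress import ip_address, ip_network

DNS_SERVER = "192.168.50.50"
# Interface list "LAN": VLAN name -> subnet, taken from the dhcp-server network table.
LAN_VLANS = {
    "vlan10": "192.168.10.0/24",
    "vlan20": "192.168.20.0/24",
    "vlan30": "192.168.30.0/24",
    "vlan40": "192.168.40.0/24",
    "vlan50": "192.168.50.0/24",
}
# Firewall address list "excluded" exactly as described in the post.
EXCLUDED = ["192.168.20.0/24", "192.168.50.50"]


def vlan_of(addr):
    """Name of the LAN VLAN whose subnet contains addr, or None if not on LAN."""
    ip = ip_address(addr)
    return next((v for v, net in LAN_VLANS.items() if ip in ip_network(net)), None)


def in_address_list(addr, entries):
    """True if addr matches any host or subnet entry of the address list."""
    ip = ip_address(addr)
    return any(ip in ip_network(e) for e in entries)


def dstnat(src, dst, dport, proto):
    """Destination after the dstnat chain:
    in-interface-list=LAN src-address-list=!excluded dst-port=53 tcp/udp -> 192.168.50.50."""
    if (vlan_of(src) is not None and dport == 53 and proto in ("tcp", "udp")
            and not in_address_list(src, EXCLUDED)):
        return DNS_SERVER
    return dst


def trace_query(src, dst, proto="udp"):
    """Follow one DNS query and report which source address the client sees the reply from."""
    server = dstnat(src, dst, 53, proto)
    redirected = server != dst
    # The server answers the client's untranslated address. When client and server share a
    # VLAN, that reply is switched at layer 2 and never crosses the router, so the router
    # cannot reverse the dst-nat; the client then sees the reply come from the server itself.
    same_vlan = vlan_of(src) == vlan_of(server)
    seen_from = server if (redirected and same_vlan) else dst
    return {"server": server, "redirected": redirected, "reply_direct_l2": same_vlan,
            "reply_seen_from": seen_from, "reply_matches_query": seen_from == dst}
```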