@johnpoz said in pfSense with port forward AND outbound NAT - rewrite source IP address:
@jarlel said in pfSense with port forward AND outbound NAT - rewrite source IP address:
WHY? Because the DNS servers have different filters based on which source IPs the request comes from
Even if you get that to work - you have a problem with the answers being cached in unbound.
client A asks for something.tld, which is allowed for client A.
Now client B asks for something.tld which should be blocked for client B, but unbound already has it cached, so it sends client B the answer.
There is no difference in the filters for clients in the same "client group". All clients using VIP 1 as DNS server have the same filter/rules. All clients using VIP 2 as DNS server have the same filter/rules.
The DNS server is a public one with some special services/filtering, so all requests are considered and evaluated without caching.