Thanks , at the end I have decided to use different approach.
I have created two instances of PI-HOLE DNS servers /LXD virtual machines/ . First as FamilySafe DNS and second for standard use. On router I created PREROUTING rules based on client IP adress.
-- FIRST RULE TO DNS1--
iptables -t nat -A PREROUTING -i br0 -s 192.168.2.101 -p tcp --dport 53 -j DNAT --to 192.168.2.150
iptables -t nat -A PREROUTING -i br0 -s 192.168.2.101 -p udp --dport 53 -j DNAT --to 192.168.2.150
-- SECOND RULE TO DNS2 --
iptables -t nat -A PREROUTING -i br0 -s 192.168.2.102 -p tcp --dport 53 -j DNAT --to 192.168.2.151
iptables -t nat -A PREROUTING -i br0 -s 192.168.2.102 -p udp --dport 53 -j DNAT --to 192.168.2.151
iptables -t nat -A POSTROUTING -j MASQUERADE
This approach is working for me - its not as good as previous one / I need two instances instead of one/, but at least its working and I can set different filtering and upstream DNS servers for each device...
Thanks for your time and help.