mangle rules to use when using PPTP

I have the following mangle setup:

 0    chain=prerouting action=accept connection-type=pptp log=no log-prefix="" 
 1    chain=prerouting action=mark-packet new-packet-mark=VPN passthrough=yes in-interface=VPN connection-mark=no-mark log=no log-prefix="" 
 2    chain=forward action=mark-packet new-packet-mark=VPN passthrough=yes out-interface=VPN connection-mark=no-mark log=no log-prefix="" 
 3    chain=forward action=mark-packet new-packet-mark=VPN passthrough=yes in-interface=VPN connection-mark=no-mark log=no log-prefix="" 
 4    chain=prerouting action=mark-packet new-packet-mark=VPN passthrough=yes in-interface=ether3 - VPN LAN connection-mark=no-mark log=no log-prefix="" 
 5    chain=prerouting action=mark-routing new-routing-mark=VPN passthrough=yes src-address=172.16.10.0/24 connection-mark=no-mark log=no log-prefix="" 
 6    chain=prerouting action=mark-routing new-routing-mark=VPN passthrough=yes src-address=172.16.10.0/24 packet-mark=VPN log=no log-prefix=""

The idea is that all of my LAN traffic (from ether3) goes out to the VPN and everything which comes from the VPN link comes back to ether3.

The VPN interface is a PPTP connection, and because of that I mark my packets and not connections (I found out that you need to do that when using the connectionless GRE protocol).

The setup above is probably (at least partially) redundant, and there are some mangle rules I can do without. Any suggestion is welcome.

When I run it on my router, I can access the internet and that seems to work OK, but some services (namely Netflix) do not, and I cannot figure out why. I can log in to the service, browse and everything, but when the stream starts nothing happens and after some time I get an error. I see that a lot of traffic is flowing to the VPN interface, I see that it goes to my machine, but it still fails to work.

Now, if I open a VPN client on my machine and try to access Netflix, everything works well, and this is the reason why I think that something is happening on my MikroTik which confuses or misaddresses my packets.

Any ideas?

P.S. I have all of this working in a multiple LAN/multiple gateway setup, but my LAN3 should work and see only the VPN connection.

If the PPTP connection and ether3 should be completely isolated from the rest of the system, then the easiest way to do this is to create a VRF.

In WinBox, go under IP > Routes and choose the VRF tab.
Add a VRF and call it something like VPN - choose a routing mark to use (your current one should be fine) and then add the two interfaces ether3 and the PPTP interface.
After that, look in the normal “Routes” tab and make sure there’s a default GW on the VPN VRF - the gateway can even just be the PPTP interface itself (no next hop IP required).

This will completely isolate the VPN from the rest of your system.
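
The WinBox steps in the answer above, written as RouterOS terminal commands with a check of the resulting routing table. This is an added example, not part of the original thread. It assumes RouterOS v6 (where VRFs live under IP > Routes), and the interface names `ether3` and `pptp-out1` are placeholders for the poster's LAN port and PPTP client interface.

```routeros
# Assumption: RouterOS v6 syntax. Interface names are placeholders;
# substitute the names shown by "/interface print" on your router.

# Create the VRF, reusing the existing routing mark "VPN", and bind
# the LAN port and the PPTP client interface to it.
/ip route vrf add routing-mark=VPN interfaces=ether3,pptp-out1

# Default route inside the VRF, pointing at the PPTP interface itself
# (no next-hop IP required, as the answer notes).
/ip route add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=VPN

# Check: the VRF lists both interfaces ...
/ip route vrf print

# ... and the VPN table holds the connected LAN route plus the default
# route, and nothing that leads out through another gateway.
/ip route print where routing-mark=VPN
```

If the last command shows a route through any interface other than the two bound to the VRF, the isolation is incomplete and that route should be reviewed.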