Policy based routing

Another try to find out if route marking works for me as it should.

I set a route from main to the rtr1 table:

/ip/route/add dst-address=78.136.141.22 gateway=wg1 routing-table=rtr1

Tunnel stops working, packets to 78.136.141.22 are sent via the default route instead of via wg1.

This time, this new modified fw rule

/ip firewall mangle add chain=output dst-address=78.136.141.22 action=mark-routing new-routing-mark=rtr1 passthrough=yes

continues to match the outgoing packets (counter increases) and presumably marks them with rtr1 routing mark.

But this is ignored by the route based on table rtr1, although after “mangle - output” there should be another routing adjustment as shown in this nice diagram: http://forum.mikrotik.com/t/firewall-vs-nat-packet-flow/135838/4

So, it seems I need to look at the route rules.

Although as per earlier info in this thread the rule for rtr1 routing mark applied by fw should not be necessary, let’s try it:

/routing/rule/add routing-mark=rtr1 action=lookup-only-in-table table=rtr1

And nothing happens, the packets are still routed via default route.

Let’s change the rule to match dst-address instead:

/routing/rule/add dst-address=78.136.141.22 action=lookup-only-in-table table=rtr1

And voila, the connection starts working again, the packets are routed via wg1.

P.S. Drawing a network diagram with a tunnel inside a tunnel might be a bit demanding for skills and imagination, but I will surely try to do so, probably on Saturday.
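The working configuration from the post, collected into one RouterOS v7 script with the verification commands a practitioner would run afterwards. This is an added example, not the poster's own configuration: the table name rtr1, the interface wg1 and the destination address are taken from the post; the /32 masks, the `/routing/table` entry and the check commands are assumptions about a typical v7 setup.

```routeros
# Added example (not the poster's config): send one destination through a
# WireGuard interface using a routing table plus a routing rule, RouterOS v7.

# 1. A routing table must exist with the "fib" flag before routes placed in it
#    are installed into the forwarding table (v7 requirement, assumed here).
/routing/table/add name=rtr1 fib

# 2. The route for the destination, kept in table rtr1 and pointing at wg1.
/ip/route/add dst-address=78.136.141.22/32 gateway=wg1 routing-table=rtr1

# 3. The routing rule that selects rtr1 by destination address. This is the
#    form the post found to work; lookup-only-in-table means that if rtr1 has
#    no usable route the packet is dropped instead of falling back to main.
/routing/rule/add dst-address=78.136.141.22/32 action=lookup-only-in-table table=rtr1

# Checks: the table exists and is active, the route is in it, the rule is
# listed, and the path actually goes over the tunnel.
/routing/table/print
/ip/route/print where routing-table=rtr1
/routing/rule/print
/tool/traceroute 78.136.141.22
```

The choice of `action=lookup-only-in-table` over `action=lookup` is the security-relevant detail: with plain `lookup`, a missing or inactive route in rtr1 (for example while the WireGuard peer is down) makes the lookup fall through to the main table, so traffic meant for the tunnel silently leaves via the default route. With `lookup-only-in-table` the traffic fails closed.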