Hello everyone,
I’m new to MikroTik, and I have some problems setting up a VPN and routing all my traffic through it.
First of all, I have a Huawei E5372 working at 5GHz, so I set up a repeater on my hAP ac2 wlan2 interface.
/interface wireless setup-repeater number=wlan2 address=XX:XX:XX:XX:XX:XX ssid=MyHuaweiWIFI passphrase=MyPassword
Then I set up a DHCP client, adding a default route with distance 2:
/ip dhcp-client add interface=bridge disabled=no add-default-route=yes default-route-distance=2
It acquires an IP address from my Huawei (192.168.8.8, for example).
Then I connect to my VPN, adding a default route with distance 1:
/interface pptp-client add name=pptp-out1 user=MyUserName password=MyPasswordForVPN connect-to=46.1.101.100 disabled=no add-default-route=yes
MikroTik connects without a problem and pptp-out1 is reachable.
I get routes like this:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
        DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pptp-out1                 1
 1  DS  0.0.0.0/0                          192.168.8.1               2
 2 ADS  46.1.101.100/32                    192.168.8.1               0
 3 ADC  192.168.1.1/32     192.168.8.3     pptp-out1                 0
 4 ADC  192.168.8.0/24     192.168.8.8     bridge1                   0
Setting up NAT:
/ip firewall nat add action=masquerade chain=srcnat out-interface=pptp-out1
Then I look up my IP (at https://www.whatismyip.com/) and it shows my Huawei IP, as if I’m not connected to the VPN, so my traffic doesn’t go through my VPN gateway.
Then I tried removing the default route for the VPN and setting up Policy Based Routing:
/ip firewall address-list add address=192.168.8.0/24 list=LocalAddress
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=0.0.0.0 dst-address-list="!LocalAddress" new-routing-mark=VPN passthrough=yes src-address=192.168.8.0/24
/ip route add distance=1 gateway=pptp-out1 routing-mark=VPN
But the result stays the same. I guess that is because there is a conflict between my routes to the Huawei modem and the VPN. Is there any possible way to route all my traffic through the VPN?
