On this entry:
add action=masquerade chain=srcnat disabled=no out-interface=pptp \
routing-mark=vpn
Could you tempoarily remove the routing mark requirement and see if it behaves differently? The symptoms sound like a lack of masquerade.
On this entry:
add action=masquerade chain=srcnat disabled=no out-interface=pptp \
routing-mark=vpn
Could you tempoarily remove the routing mark requirement and see if it behaves differently? The symptoms sound like a lack of masquerade.