The problem is that in the log (output-chain routing mark addition) I can see that the out-interface is the default.
I'd expect that's exactly what I was talking about in the part you've written below that you hadn't understood. When a locally originated packet is sent, the routing always chooses the route using the routing table main, which determines the out-interface. So at this step, the out-interface is always the same for all locally-originated packets sent towards the same remote address. Only after this step, if an action=mark-routing rule in chain=output of /ip firewall mangle eventually assigns a routing-mark, the route selection process is repeated one more time (on the packet flow diagram, this phase is called "routing adjustment"). But at the moment when the mangle output rule is matched and assigns the routing-mark, the out-interface is still the one chosen by the first pass through routing, hence that one is logged.
I can't understand why this rule is used, it's the same as the one above
The first and second rules are not the same. The first one accepts mid-connection packets belonging to connections which didn't get any connection-mark when established, regardless of the packet direction; the second one accepts only download (WAN->LAN) mid-connection packets belonging to marked connections. This rule implements one of the possible ways to resolve the issue that the routes to connected subnets (LAN) are not present in other routing tables than main, so if they got marked with some routing-mark, they would get sent out the WAN again. In your particular application scenario, this rule is pointless, because the VPN server is the Mikrotik itself, so the packets belonging to the marked connections never need to be forwarded to LAN and packets for own addresses aren't handled by any routing table.
Are my rules ok?
Except for the presence of the pointless one, yes. The only remark is that I prefer the rules belonging to the same chain to be grouped together for better readability - RouterOS only cares for the rule order within each chain, but reading more complex configurations where rules in different chains of the same table are interleaved is complicated.
I think my problem is in this section:
...
I would be grateful if you could give me an example for this action=srcnat (or action=masquerade) rule I have to use
The rule is simple:
/ip firewall nat
add chain=srcnat out-interface=WAN2 action=masquerade
It seems useless because the only packets sent out via WAN2 are those sent by the Mikrotik itself, but it is necessary for the reason explained above: the routing initially wants to send them via WAN1, then the output mangle forces it to use WAN2, but the source address has already been chosen, so it needs to be changed "manually" using this rule. This is possible thanks to the fact that the NAT handling follows after the "routing adjustment", as seen from the packet flow diagram too.
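The three pieces the answer ties together (the output mangle rule, the route in the extra routing table, and the srcnat fix-up on WAN2), shown as one example configuration added here, not the poster's or the original answer's own config. It assumes RouterOS v6 syntax, an interface named WAN2 whose gateway is 198.51.100.1, and a remote peer 203.0.113.10; all addresses are constructed placeholders.

```routeros
# 1. Locally-originated packets to the peer get a routing-mark in chain=output.
#    At this point the out-interface logged is still the one from the first
#    pass through routing (table main, i.e. WAN1); the mark only takes effect
#    in the "routing adjustment" step that follows.
/ip firewall mangle
add chain=output dst-address=203.0.113.10 action=mark-routing \
    new-routing-mark=via-WAN2 passthrough=no \
    comment="constructed example: steer own traffic to peer via WAN2"

# 2. The routing table selected by that mark must contain a usable route;
#    otherwise the packet falls back to main and still leaves via WAN1.
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-WAN2 \
    comment="constructed example: default route in table via-WAN2"

# 3. The source address was chosen on the first routing pass (WAN1's address),
#    so it has to be rewritten to WAN2's address. srcnat runs after the
#    routing adjustment, which is why this rule can see out-interface=WAN2.
/ip firewall nat
add chain=srcnat out-interface=WAN2 action=masquerade \
    comment="constructed example: fix source address for re-routed own traffic"
```

To confirm the chain works as described, add a temporary `action=log` rule in chain=output before the mark-routing rule and compare the logged out-interface with the interface reported by `/tool torch` or `/ip firewall connection print`.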