Fri Dec 11, 2020 6:25 pm
First of all, you may want to hide the public IP of the device from the screenshots in your OP (at least you haven't left Winbox open to the world on the default port, good).
Second, SOCKS5 is easy to identify, so it may not be the safest one to use for the purpose. The actual destination address of the remote server can be seen in plaintext, so it is easy to find out where your clients are actually connecting. And if the actual traffic is not encrypted itself, it can also be seen in plaintext, so the DNS requests will also reveal what is going on to the authorities if the client sends them via the SOCKS5.
PPTP has some encryption, but it has also been considered weak for years.
Next, as @Sob has explained, the SOCKS5 server on the Mikrotik sends all the requests in its own name, and there is no way the firewall rules could find out which outgoing traffic of the Mikrotik itself is actually the traffic forwarded by the clients via SOCKS5 and which is its own. So you can route all the output traffic of the Mikrotik to the VPN tunnel, and only provide exceptions as @Sob has suggested.
Most important, the exceptions have to be the addresses of the remote VPN servers, but for that in particular, you don't need firewall rules and dedicated routing tables - dedicated routes are enough.
An example of another exception may be the addresses of the servers from which Mikrotik downloads the RouterOS upgrades, but if you don't mind that the download also goes via the VPN, there is no need for such an exception.
If you replace the SOCKS5 idea with a VPN one, the Mikrotik will treat the clients' traffic as a router, not as a proxy, so you will be able to handle all traffic from the clients one way (forwarding it to the other VPN) and other traffic the other way, using other routing table(s). But it has to be something better than PPTP if it is to serve the purpose.
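A worked RouterOS configuration for the routing approach described in the post above (a dedicated exception route for the VPN endpoint, a default route through the tunnel for router-originated traffic, and a separate marked routing table for clients' forwarded traffic). This is an added example, not code from the original post or from MikroTik; it assumes RouterOS v6 syntax, constructed addresses (ISP gateway 192.0.2.1, remote VPN server 203.0.113.10, client LAN 192.168.88.0/24) and hypothetical tunnel interface names vpn-out and vpn-clients that are assumed to be configured already.

```routeros
# Added example, not from the original post. Assumptions: RouterOS v6 syntax,
# ISP gateway 192.0.2.1 (constructed), remote VPN server 203.0.113.10
# (constructed), client LAN 192.168.88.0/24, and two already configured tunnel
# interfaces named vpn-out and vpn-clients (hypothetical names).

# 1. Exception: the remote VPN server's public address must stay reachable via
#    the ISP. A more specific (/32) route is enough; no firewall rules or
#    dedicated routing tables are needed for this.
/ip route add dst-address=203.0.113.10/32 gateway=192.0.2.1 \
    comment="exception: VPN endpoint reached directly via ISP"

# 2. Everything else the router itself originates, including requests the
#    SOCKS5 proxy sends in the router's own name and the router's DNS queries,
#    leaves through the tunnel.
/ip route add dst-address=0.0.0.0/0 gateway=vpn-out distance=1 \
    comment="router-originated traffic via VPN"

# 3. Fail closed: if the tunnel goes down, drop traffic instead of silently
#    falling back to the ISP. The blackhole route has a worse distance, so it
#    only becomes active when the tunnel route disappears.
/ip route add dst-address=0.0.0.0/0 type=blackhole distance=10 \
    comment="no fallback via ISP when the VPN is down"

# 4. If clients connect to the router by VPN instead of SOCKS5, their traffic
#    is forwarded, so it can be marked and sent through a second tunnel using
#    its own routing table (v6 uses routing marks for this).
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 \
    action=mark-routing new-routing-mark=to-vpn-clients passthrough=no \
    comment="clients' forwarded traffic -> second tunnel"
/ip route add dst-address=0.0.0.0/0 gateway=vpn-clients \
    routing-mark=to-vpn-clients comment="clients' default via second tunnel"

# Forwarded client traffic still needs source NAT when it exits the tunnel.
/ip firewall nat add chain=srcnat out-interface=vpn-clients action=masquerade \
    comment="NAT client traffic into second tunnel"
```

With these routes in place, a lookup for the VPN endpoint matches the /32 exception first, all other router-originated traffic follows the tunnel default route, and the blackhole route prevents the leak the post warns about (plaintext destinations and DNS visible to the ISP) when the tunnel is down. Checking `/ip route print` and `/ip route print where routing-mark=to-vpn-clients` confirms which table each destination resolves in.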