Looking through the config....... the parts that stand out for me...
In general confusing allocation of wanips to lans.
Ether5- admin lan is given 10.10.10.33 (vice .35 cleaner or more obvious)
Ether3- office lan is given 10.10.10.34 (vice .33) cleaner or more obvious)
1. /ip firewall connection tracking???????????? never seen this on any of my configs so not sure what it does??
2. Not sure why for ether3 office subnet ip address you state DNS servers but not for ether5 subnet ip address???
3. /IP routes,
a. change the admin one to look like the rest using the 10 routing.........
add distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1 pre-src=10.10.10.33 routing-mark=admin ******
b. I have no idea what you wanted to achieve with the last one one but preferred source is not for the LANIP entry 192,168,1,1.....
thus remove it! (you have covered off the route for the admin network with routing-mark admin)
c. so the question what is missing in IP ROUTES?
answer not sure yet.............
4. If you have fixed WANIP addresses one is supposed to use action source nat from my limited understanding thus require......
Do not mix mangling up with NAT!!
/ip firewall nat
add chain=src-nat out-interface=ether1 source-address=192.168.1.1/24 action=src-nat to-addresses=10.10.10.33
add chain=src-nat out-interface=ether1 source-address=192.168.3.1/24 action=src-nat to-addresses=10.10.10.34
(you could use source address list instead for example 192.168.1.6-192.168.1.100 if you wanted to narrow it down to DHCP pool but for myself sometimes I use static IPs outside the pool but still want them to be natted). In the office subnet there seems to be only one IP so it could be 192.168.3.2 , but I cannot make those decisions for you.
5. In general, Don/t populate the config with a bunch of routes or rules for non-existant network yet...... or at least add them but disable them all (grey them out).
6. Mangling fun........
question I have is when do you use passthrough =yes and when do you use passthrough=no. Always confuses me.
Also Not at home but I though the chain was usually prerouting?
/ip firewall mangle
add chain=prerouting in-interface=ether5 action=connection-mark new-connection-mark=ex_admin passthrough= ????
add chain=prerouting connection-mark=ex_admin action=routing-mark new-routing-mark=admin passthrough= ????
add chain=prerouting in-interface=ether3 action=connection-mark new-connection-mark=ex_office passthrough= ????
add chain=prerouting connection-mark=ex_office action=routing-mark new-routing-mark=office passthrough= ????
So the three questions I have for gurus is
a. use of passthrough
b. confirm I don't need to identify "in interface" or source or anything in second line (route mark line) because I am identifying traffic by connection marking.........
c. Is there any value in stating No-Mark on the first line??? (in other words traffic without any mark coming in on interface3 or 5)??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)