1) I mark routing, according to source networks:
0 chain=prerouting src-address=10.0.0.0/24 action=mark-routing new-routing-mark=public1 passthrough=yes
1 chain=prerouting src-address=10.0.5.0/24 action=mark-routing new-routing-mark=public2 passthrough=yes
and here I am not sure passthrough=yes is correct, but I can see both rules increasing transferred packets, so it probably works
This is fine. Passthrough can be either yes or no. It is only important if some later rule may change the mark, and you don't want this. In your case, since you are using src-address to identify traffic, you can just set this in the routing rules (/ip route rule) instead of needing mangle.
2) I set up two gateways:
dst-address=0.0.0.0/0 gateway=x.x.x.x scope=255 target-scope=10 routing-mark=public1
dst-address=0.0.0.0/0 gateway=y.y.y.y scope=255 target-scope=10 routing-mark=public2
This is correct, but remember you will have a main table as well that has all of your local (DC) routes. You have to account for that in the rules (see below).
3) Masquerade both networks ...
chain=srcnat out-interface=public1 routing-mark=public1 action=masquerade
chain=srcnat out-interface=public2 routing-mark=public2 action=masquerade
And - only one outgoing interface works, the second does not - counters stay at 0. Not sure, but maybe for NAT, I don't need to specify those routing-marks, as packets are already going via the correct interface?
You won't need to specify the routing mark in the src-nat. It is a good practice to specify the src-address, but not needed for making it functional. Here is a quick example using the following information:
public1 IP:10.10.10.1/30 public1 gateway:10.10.10.2 ether1
public2 IP:10.10.11.1/30 public2 gateway:10.10.11.2 ether2
192.168.1.0/24 on ether3 use public1
192.168.2.0/24 on ether4 use public2
/ip firewall nat
add chain=srcnat out-interface=public1 action=masquerade
add chain=srcnat out-interface=public2 action=masquerade
(NOTE: you may want to specify the src-address on the 2 above rules)
/ip route
add gateway=10.10.11.2 routing-mark=public2
add gateway=10.10.10.2 routing-mark=public1
/ip route rule
add dst-address=10.10.10.0/30 action=lookup table=main
add dst-address=10.10.11.0/30 action=lookup table=main
add dst-address=192.168.0.0/16 action=lookup table=main
add src-address=192.168.1.0/24 action=lookup table=public1
add src-address=192.168.2.0/24 action=lookup table=public2
You can do the above with routing marks, too (I just like the way I showed it). If you use routing marks, you set the rules (and marks) like this:
/ip firewall mangle
add chain=prerouting dst-address=10.10.10.0/30 action=mark-routing \
add chain=prerouting dst-address=10.10.11.0/30 action=mark-routing \
add chain=prerouting dst-address=192.168.0.0/16 action=mark-routing \
add chain=prerouting src-address=192.168.1.0/24 action=mark-routing \
add chain=prerouting src-address=192.168.2.0/24 action=mark-routing \
/ip route rule
add routing-mark=maintable action=lookup table=main
add routing-mark=public1 action=lookup table=public1
add routing-mark=public2 action=lookup table=public2
Note: the need to add the rules for the main table is what most people seem to miss. There are one or two versions (I don't recall what they were) where this type of policy routing seemed to work without using the rules to tell the router to use the main table.
Hope this helps.
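The effect of the main-table rules described in the reply above, as an added example that is not part of the original post: a small Python model of the /ip route rule list using the post's example addressing. It assumes a simplified evaluation (first matching rule selects the table, main is the fallback when nothing resolves) and connected routes in main for the four interfaces; the function names and the 203.0.113.7 test address are constructed for illustration.

```python
import ipaddress

# Tables built from the post's example addressing. The connected routes in
# "main" are assumed (what the router would hold for its four interfaces).
TABLES = {
    "main": [("10.10.10.0/30", "ether1"), ("10.10.11.0/30", "ether2"),
             ("192.168.1.0/24", "ether3"), ("192.168.2.0/24", "ether4")],
    "public1": [("0.0.0.0/0", "10.10.10.2")],
    "public2": [("0.0.0.0/0", "10.10.11.2")],
}

# /ip route rule entries from the post, in order: (match field, prefix, table).
MAIN_RULES = [("dst", "10.10.10.0/30", "main"), ("dst", "10.10.11.0/30", "main"),
              ("dst", "192.168.0.0/16", "main")]
SRC_RULES = [("src", "192.168.1.0/24", "public1"),
             ("src", "192.168.2.0/24", "public2")]


def lookup(table, dst):
    """Longest-prefix match inside one table; returns the next hop or None."""
    best = None
    for prefix, hop in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def route(src, dst, rules):
    """Simplified model: the first matching rule whose table resolves wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for field, prefix, table in rules:
        addr = src if field == "src" else dst
        if addr in ipaddress.ip_network(prefix):
            hop = lookup(table, dst)
            if hop is not None:
                return table, hop
    return "main", lookup("main", dst)


if __name__ == "__main__":
    flows = [("192.168.1.10", "192.168.2.20"), ("192.168.1.10", "203.0.113.7")]
    for label, rules in (("with main rules", MAIN_RULES + SRC_RULES),
                         ("without main rules", SRC_RULES)):
        for src, dst in flows:
            print(f"{label}: {src} -> {dst} via {route(src, dst, rules)}")
```

Without the three main-table rules, traffic between the two local subnets matches the source rule first and is handed to the public1 gateway instead of being delivered on ether4.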