NAT table should be the simplest table of all in your router.
In the srcnat chain:
rule 1: out-interface= WAN1, action = masquerade
rule 2: out-interface=WAN2, action = masquerade.
Done with NAT table.
You will never want to use Wan1's IP when forwarding traffic in from WAN2 out LAN3, or any other strange combination. Don't try to use NAT for anything other than keeping the correct IP addresses on the correct interfaces.
Routing policy is done with the mangle table + routing policy.
For each policy you have, create a set of static routes with a routing mark (they're just numbers, so make Lan1 policy = routing mark 1, Lan2 = mark 2, etc.)
Put in routes that follow the policy you want.
Then in mangle table, pre-routing chain in-interface = LAN1 action = set routing mark to 1, etc.
Currently, I try to use PPTP for VPN protocol.
Your NAT config does not "discriminate" on source addresses, is that OK? My rules for NAT are like:
rule 1: out-interface=VPN src-address=192.168.2.0/24 action = masquerade
rule 2: out-interface=WAN action = masquerade
Do I need to use src-address? Is the order of NAT rules important?
As for mangle/IP route rules: do I need to make a mangle rule for each LAN separately?
I currently have a single mangle and route rule which marks and points to VPN, and all others use the default route (since all of them go out on the same interface). Does it mean something if all other LANs are not marked?
To make things more clear, I have the following setup (office network, no servers on the inside which need to be published):
WAN ether12 - link to my ISP
VPN interface - VPN to my VPN provider (goes out over ether12)
LAN1 ether1 - office lan 192.168.1.0/24
LAN2 ether2 - VPN lan 192.168.2.0/24
LAN3 ether3 - media lan 192.168.3.0/24
LAN4 ether4 - spare lan 192.168.4.0/24
LAN5 ether5 - guest WLAN 192.168.5.0/24
LAN1 and LAN2 can/should see each other; LAN3, LAN4, LAN5 should just have internet access (which is throttled via a simple queue rule). LAN3, LAN4, LAN5 have simple filters which prohibit them from accessing other LANs.
In my current setup, there is one NAT rule which is used for LAN1, LAN3, LAN4, LAN5.
There is a second NAT rule which is used for the VPN interface, and it has src-address.
There is single mangle rule which marks LAN2 traffic with route mark VPN
There is general 0.0.0.0/0 rule for ether12 (distance 5, no route marks)
There is additional 0.0.0.0/0 rule for VPN interface with route mark VPN (distance 5)
As I wrote before, it appears that everything from LAN1, LAN3, LAN4 and LAN5 works correctly, BUT when I try to use my LAN2 and access something on the other side of the VPN I do have trouble accessing content. It appears to work, but some services break down and are generally not reliable; I see that the VPN link has the correct address and the path to the servers on the other side is accessible, it is just that when the server on the other side starts sending larger amounts of data it breaks or is not reliable.
My thinking was that maybe, since I use the PPTP client for VPN, something breaks with routing through my NAT, especially for the GRE protocol (I do have the PPTP helper activated; I also noticed that the GRE helper is not available anymore).
Any suggestion is welcome.
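Added example, not written by either poster: the recipe from the first reply (one masquerade rule per uplink, routing marks plus marked routes) applied to the setup described in the question. It assumes RouterOS v6 syntax, that the PPTP client interface is named pptp-vpn, and a constructed ISP gateway address of 203.0.113.1; the MSS clamp at the end is an assumption about the "large transfers break" symptom, not something the thread diagnosed.

```routeros
# Added example (not from either poster): the first reply's recipe applied to
# the second post's setup. Assumes RouterOS v6 syntax and that the PPTP client
# interface is named "pptp-vpn" (assumed name; use your own).

# NAT: one masquerade rule per uplink interface, nothing else.
# out-interface makes the two rules disjoint, so their order does not matter
# and no src-address match is needed.
/ip firewall nat
add chain=srcnat out-interface=ether12 action=masquerade comment="WAN masquerade"
add chain=srcnat out-interface=pptp-vpn action=masquerade comment="VPN masquerade"

# LANs that LAN2 must still reach directly (LAN1 and itself), so traffic to
# them is never pushed into the tunnel.
/ip firewall address-list
add list=local-lans address=192.168.1.0/24 comment="LAN1 office"
add list=local-lans address=192.168.2.0/24 comment="LAN2 vpn lan"

# Policy routing: mark LAN2 traffic (except local destinations and traffic to
# the router itself) with routing mark VPN. The other LANs stay unmarked and
# use the main table, which is fine because they all exit via ether12.
/ip firewall mangle
add chain=prerouting in-interface=ether2 dst-address-list=!local-lans \
    dst-address-type=!local action=mark-routing new-routing-mark=VPN \
    passthrough=no comment="LAN2 -> VPN table"

# Assumption, not something the thread diagnosed: large transfers failing over
# a PPTP/GRE tunnel is a common sign of an MTU problem, so clamp TCP MSS to the
# tunnel path MTU for connections leaving through it.
add chain=forward out-interface=pptp-vpn protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu comment="MSS clamp for VPN"

# Routes: default via the ISP in the main table, default via the tunnel in
# table VPN. 203.0.113.1 is a constructed placeholder for the ISP gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=5 comment="default via ISP"
add dst-address=0.0.0.0/0 gateway=pptp-vpn routing-mark=VPN distance=5 \
    comment="default via VPN"
```

After applying it, confirm the mark rule is actually matching with /ip firewall mangle print stats (its packet counter must climb while a LAN2 host browses) and that the marked route is active with /ip route print where routing-mark=VPN. On RouterOS v7 the route syntax differs: create the table first with /routing table add name=VPN fib and use routing-table=VPN on the route instead of routing-mark=VPN; the mangle and NAT rules are unchanged.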