Hi!

Maybe someone could help me with the following configuration.

I have a basic config of a LAN network based on Mikrotik.

WAN, Bridge (LAN). All traffic from LAN goes to the WAN interface. Previously I had an additional VPN tunnel configured on Mikrotik and I marked packets by the dst-adress list and routed this traffic to the VPN tunnel interface. Now I bought an additional router that should handle all the VPN stuff (cause mikrotik still offers a poor range of VPN options) and changed my mangle and route setting accordingly.

Configuration as follows:

if1 - WAN/120.0.0.1 (exp.)
if2-if4 - Bridge1/192.168.2.1 (DHCP with LAN1 - 192.168.2.0/24)
if5 - VPNRouter/192.168.3.2 (VPN router static IP 192.168.3.1 in LAN2 192.168.3.0/24). Output traffic on if5 is masqueraded.

VPN routers WAN is connected to Bridge1 interface and has IP 192.168.2.254. If I'm trying to connect from VPN's router LAN2 I'm getting to the Internet through VPN tunnel with no problem. But when I'm trying to get there from LAN1 I'm getting timeouts. Traceroute from LAN1 shows this:
traceroute 5.45.86.112
traceroute to 5.45.86.112 (5.45.86.112), 64 hops max, 52 byte packets
1 192.168.2.1 (192.168.2.1) 3.181 ms 1.033 ms 0.789 ms
2 192.168.3.2 (192.168.3.2) 3000.675 ms !H 2999.441 ms !H 2999.896 ms !H

I'm definitely dong something wrong but can't figure out what exactly.

I would highly appreciate if someone could help me out with that.

On your VPN router do you have any NAT rules specifying what IP ranges can be translated?

On a VPN router I have NAT rule that translates everything goes to the tunnel.

iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Can you ping a PC on your local network from the VPN router?

Yes, back and forth. No problems between this subnets.