VPN

How to exclude external traffic from Remote VPN on Mikrotik?

Greetings gentlemen.
I broke my whole head, rummaged through a bunch of manuals and articles on setting up Mikrotik and IPSec, but I still can’t get the tunnel to work correctly for remote work of company users.
The situation is as follows:
1) In the central office of the main. Router RB1100AHx4 Dude Edition OS ver. 6.48.
The Internet works, VPN between branches too (but this is not the point here), remote connection of users via L2TP IPSec also works, but there is one BUT ... For reasons I do not understand, ALL traffic from VPN clients is wrapped in a tunnel (tried to connect from a PC on Windows, from an Android phone). Despite the fact that the CISCO ASA 5510 in another branch, the connection works as it should, only the building is wrapped in the tunnel. traffic, all external traffic goes through the default route through the gateway of the home provider.
So, now some details:
Several networks are configured on the central Mikrotik:
- servers 10.10.1.0/24
- users 10.10.10.0/24
- VPN users 10.10.100.0/24
2) L2TP Server on Mikrotik was raised for remote work

3) There are allowing rules in the Firewall, remote connection and authorization goes without problems:


4) In NAT, a network with VPN clients is not listed, clients are excluded from the masquerade;
5) When connecting to a VPN from the CVPN network, the network of servers and users is pinged. It would seem that everything is fine, but I really don’t want to drive all user traffic through the tunnel.

I suppose we need to dig in the direction of traffic marking, but I can’t figure out how to do it yet. Previously, this on Mikrotik did not set up.
If I create a mark routing rule with source addresses 10.10.1.0/24 and 10.10.10.0/24 and add this marker to the default route so that it does not route traffic from VPN clients 10.10.100.0/24, then I cannot connect to Mikrotik via L2TP.

I ask for help ... I've already broken my whole head.