MikroTik: how to route traffic to specific sites through a separate VPN interface?
The organization has a MikroTik router, which is used as the main gateway for accessing the Internet and serves the organization's internal network. The task was to reach a number of sites through a foreign VPN.
What I did:
1) set up a VPN tunnel on the MikroTik; the connection came up, and a traceroute to the desired site using the router's built-in tools showed the packets going normally through external nodes over the VPN channel;
2) set up marking of packets from the internal network that go to the necessary nodes, and forwarded them to the VPN according to the following rules:
/ip firewall address-list
add address=xxxx list=block_sites comment="www.kremlin.ru"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=mark_for_routing_block_sites \
dst-address-list=block_sites new-routing-mark=block_sites
/ip route
add distance=1 gateway=xxxxxxxxxxxxx routing-mark=block_sites
(the gateway being the provider reached through the foreign VPN); however, access to these nodes from local network clients became blocked as soon as I steered the marked packets to the VPN. I also noticed that from the local network I cannot reach the gateway to which the foreign VPN is attached. I.e., if we consider:
192.168.1.1 - the internal address of the router for the local network
192.168.1.2 - the address of the local client-workstation
145.xx1 - the external address of the router from the Internet provider
145.xx2 - address of the provider's vpn server through which the Internet goes
194.yy1 - external address of the router through a foreign vpn
194.yy2 - address of a foreign server to which we connect via vpn
8.8.8.8 - the required resource
- ping 8.8.8.8 from address 192.168.1.1 or from address 192.168.1.2, if I set mandatory forwarding of marked packets through 194.yy2;
- 192.168.1.2 and 192.168.1.1 ping address 194.yy1 without problems;
- it is impossible at all to ping the gateway 194.yy2 from IP addresses 192.168.1.1 or 192.168.1.2, although it is reachable from the address 194.xx1;
- it is also impossible to reach either 194.yy2 or 8.8.8.8 from the internal local network if you add a local route on the client's computer that uses 194.yy1 as the gateway for these IP addresses;
- if you change the forwarding of marked packets to go directly through 145.xx2, the packets start to go out and come back as they should to the site 8.8.8.8, i.e. the rule for marking and processing marked packets is executed;
- looked through all the deny/allow rules and did not find anything suspicious or superfluous.
I am setting up MikroTik for the first time, please tell me what I missed.
It looks like you forgot about NAT. :)
[YOUR_VPN_OUT_INTERFACE], respectively, should be replaced with the name of your vpn-out interface.
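For reference, here is the full policy-routing setup with the piece the answer points at, the source NAT on the VPN interface. This is an added example, not the configuration posted in the question or the answer. It assumes RouterOS v6 syntax as used in the question (v7 uses routing-table= on the route and needs the table created under /routing table), a VPN interface named vpn-out (assumed name), and a constructed destination address from the documentation range in place of the real site. Without the srcnat rule, packets leave vpn-out with a private 192.168.1.x source, the far end has no route back, and exactly the symptoms described appear: marked traffic to the listed sites times out, and 194.yy2 is unreachable from LAN hosts while still reachable from the router's own VPN address. One caveat: the prerouting mangle rule only sees forwarded traffic, so pings sourced from the router itself (192.168.1.1) are not marked by it and go out the default route; those would need a separate output-chain rule.

```routeros
# Added example (not the question's or answer's own config). Assumptions:
# - RouterOS v6 syntax (routing-mark= on routes), matching the question
# - the foreign VPN interface is named "vpn-out" (assumed name)
# - 203.0.113.10 is a constructed placeholder for a listed site

# Destinations that must be reached over the foreign VPN.
/ip firewall address-list
add address=203.0.113.10 list=block_sites comment="placeholder site (constructed)"

# Mark the routing decision for LAN-originated traffic to those destinations.
# Restricting src-address keeps the mark from touching unrelated forwarded traffic;
# passthrough=no stops later mangle rules from re-marking these packets.
/ip firewall mangle
add chain=prerouting src-address=192.168.1.0/24 dst-address-list=block_sites \
    action=mark-routing new-routing-mark=block_sites passthrough=no \
    comment="mark_for_routing_block_sites"

# Marked packets use the VPN as gateway; everything else stays in the main table.
# For a point-to-point tunnel the interface name is accepted as the gateway.
/ip route
add distance=1 gateway=vpn-out routing-mark=block_sites comment="block_sites via foreign VPN"

# The missing piece: source NAT. LAN sources are rewritten to the tunnel address
# only for packets actually leaving through vpn-out, so no other traffic is NATed.
/ip firewall nat
add chain=srcnat out-interface=vpn-out action=masquerade \
    comment="masquerade LAN traffic leaving through the foreign VPN"

# Checks: the route must be active, and the masquerade counters must grow
# while a LAN host talks to a listed site.
/ip route print where routing-mark=block_sites
/ip firewall nat print stats where out-interface=vpn-out
```

If the counters on the masquerade rule stay at zero while the mangle rule's counters increase, the marked packets are not leaving through vpn-out, which points at the route (wrong gateway or a missing routing table in v7) rather than at NAT.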