I'll summarize... for your needs:
- lan firewall zone
  - contains the lan network
  - default is configured properly
  - don't add/remove/edit this zone.
- wan firewall zone
  - contains the wan and wan6 networks (that's IPv4 and IPv6 respectively).
  - default is configured properly
  - don't add/remove/edit this zone.
- vpn firewall zone (you created this one)
  - zone policies should mirror that of the wan firewall zone (input and forward = reject, output = accept, masquerading enabled)
  - this will contain your VPN network(s)
  - this also requires forwarding from lan > vpn (which you've added) to allow the lan to use the VPN.
The other part is the network assignment into zones...
- Each network may only exist in one zone.
- A zone may contain one or many networks.
- Zones generally represent logical assignments/groupings of networks... that is to say:
  - the lan is trusted and represents your local network(s)
  - the wan is untrusted and represents the upstream/internet connection
- New zones can be added
  - in your case the vpn zone
  - the VPN zone can contain all of your VPNs since they are logically the same.
- Because these are commercial VPNs, they are treated similarly to the wan
  - They could exist in the wan firewall zone (and only there)
  - But since it is sometimes desirable to have a 'kill switch' to prevent traffic that is not flowing via a VPN tunnel, it can be a good idea to have them in a separate zone but with similar zone policies.
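As an added example (not part of the post above, and not OpenWrt's own tooling), the script below parses a constructed `/etc/config/firewall` laid out the way the post recommends and checks the three rules it states: every network belongs to exactly one zone, the vpn zone's policies mirror the wan zone (input/forward REJECT, output ACCEPT, masquerading on), and a lan > vpn forwarding exists. It also reports whether a lan > wan forwarding is still present, since that is what a 'kill switch' setup would remove. The zone name `vpn`, the network names `vpn_nl`/`vpn_ch` and the sample config itself are assumptions made for the example.

```python
"""Check an OpenWrt-style UCI firewall config against the zone layout described in the post."""
from collections import defaultdict

# Constructed sample /etc/config/firewall (hypothetical values, modelled on the post).
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'vpn'
    list network 'vpn_nl'
    list network 'vpn_ch'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'vpn'
"""

# Policies the post says the vpn zone must share with the wan zone.
EXPECTED_VPN_POLICY = {"input": "REJECT", "forward": "REJECT", "output": "ACCEPT", "masq": "1"}


def parse_uci(text):
    """Minimal UCI parser: returns a list of (section_type, {key: value or [values]})."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            current = (parts[1], {})
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[1][parts[1]] = parts[2].strip("'\"")
        elif parts[0] == "list" and current is not None:
            current[1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def check_zones(text, vpn_zone="vpn"):
    """Return a list of findings; an empty list means the config follows the post's rules."""
    findings = []
    sections = parse_uci(text)
    zones = {s["name"]: s for t, s in sections if t == "zone"}
    forwards = {(s.get("src"), s.get("dest")) for t, s in sections if t == "forwarding"}

    # Rule 1: each network may only exist in one zone.
    owners = defaultdict(list)
    for name, zone in zones.items():
        for net in zone.get("network", []):
            owners[net].append(name)
    for net, names in owners.items():
        if len(names) > 1:
            findings.append(f"network '{net}' is in more than one zone: {', '.join(names)}")

    # Rule 2: the vpn zone mirrors the wan zone's policies.
    vpn = zones.get(vpn_zone)
    if vpn is None:
        findings.append(f"zone '{vpn_zone}' is missing")
    else:
        for key, want in EXPECTED_VPN_POLICY.items():
            got = vpn.get(key)
            if (got or "").upper() != want:
                findings.append(f"zone '{vpn_zone}' option '{key}' is {got!r}, expected {want!r}")
        if not vpn.get("network"):
            findings.append(f"zone '{vpn_zone}' contains no networks")

    # Rule 3: the lan needs a forwarding into the vpn zone to use the tunnel.
    if ("lan", vpn_zone) not in forwards:
        findings.append(f"no forwarding from lan to {vpn_zone}")
    return findings


def kill_switch_active(text, vpn_zone="vpn"):
    """True when lan traffic can only leave via the vpn zone (no lan > wan forwarding)."""
    forwards = {(s.get("src"), s.get("dest")) for t, s in parse_uci(text) if t == "forwarding"}
    return ("lan", vpn_zone) in forwards and ("lan", "wan") not in forwards


if __name__ == "__main__":
    for finding in check_zones(SAMPLE_FIREWALL) or ["zone layout OK"]:
        print(finding)
    print("kill switch active:", kill_switch_active(SAMPLE_FIREWALL))
```

Run it against a copy of your own `/etc/config/firewall` by reading the file into `check_zones`; the sample as written passes all three rules but reports the kill switch as inactive, because the lan > wan forwarding is still present.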