I found this tip and wonder why I hadn't thought about that myself.
When you put any in Local Networks, all traffic is sent to your UTM when someone is remotely connected to it.
Of course you will need to add the VPN pool to your Masquerading list, and possibly also the Webfiltering and DNS lists and I would also make sure not to use auto Firewall rules if you don't want these inbound connections to be able to reach anything reachable from your UTM.
But by defining any, you can be certain that all traffic is sent over the encrypted VPN link, especially at places where you are using public free wifi hotspots which are often open networks and therefore the traffic in these networks is not encrypted (many passwords will be sent unencrypted over the air).
Another benefit is that any potential MITM malware can not easily "phone home".
When you put any in Local Networks, all traffic is sent to your UTM when someone is remotely connected to it.
Of course you will need to add the VPN pool to your Masquerading list, and possibly also the Webfiltering and DNS lists and I would also make sure not to use auto Firewall rules if you don't want these inbound connections to be able to reach anything reachable from your UTM.
But by defining any, you can be certain that all traffic is sent over the encrypted VPN link, especially at places where you are using public free wifi hotspots which are often open networks and therefore the traffic in these networks is not encrypted (many passwords will be sent unencrypted over the air).
Another benefit is that any potential MITM malware can not easily "phone home".