Wait… your VPN Policy is putting those three LAN-side devices for all of their associated traffic through it. That’s not really what Domain/IP → Only allow the following to use VPN […] is meant for. If you wanted just those devices to use the VPN it’d be better to set the policy as MAC Address → Only allow the following to use VPN […].
(Not that you’ve done this, but the IP for the GL device (default 192.168.8.1) shouldn’t be included if the VPN connection is originating from that very device, of course.)
Domain/IP is meant for if you wanted to use the VPN link to ‘kick in’/route traffic when hitting specific Internet sites, e.g. Netflix: