OK, I worked it out!
I had the following Firewall rule for LAN:
Screen Shot 2021-04-06 at 8.17.46 pm.png
But of course, the 10.8.0.0/23 and 10.9.0.0/23 (I changed them to /23 instead of /24) are not in the "LAN Net", so I had to add extra rules to allow that traffic out:
That as well as the static routes fixed it!