There is something wrong here. ETH00 and VPN99 have the same IP. If you want them to have the same IP, you have to bridge them, and if you do that, the firewall will not interfere with the traffic properly.
My suggestion is to change the subnet of VPN99 to (which provides you with the 10 IPs you want for VPN) and change the FORWARD chain to ACCEPT. You have a router there and you should treat it like a router and not a firewall that blocks everything. Then you can make specific rules for what you want to block from VPN to ETH.
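
The addressing problem described in the reply above can be checked before any FORWARD rules are written. The following is an added example, not part of the original post: it flags routed interfaces that share an address or an overlapping subnet, and checks whether a candidate VPN subnet has room for a given number of clients. The interface names come from the post; every address is a constructed sample value, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations


def find_conflicts(interfaces):
    """Return (name_a, name_b, kind) for interface pairs that cannot be routed between.

    interfaces maps an interface name to its address in CIDR form, e.g. "192.168.1.1/24".
    """
    parsed = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}
    conflicts = []
    for (a, ia), (b, ib) in combinations(sorted(parsed.items()), 2):
        if ia.ip == ib.ip:
            # Same address on both sides: only a bridge makes sense here.
            conflicts.append((a, b, "same-address"))
        elif ia.network.overlaps(ib.network):
            # Different addresses but one subnet: the routing table is ambiguous.
            conflicts.append((a, b, "overlapping-subnet"))
    return conflicts


def fits_clients(cidr, clients):
    """True if the subnet holds the router's own address plus `clients` hosts."""
    net = ipaddress.ip_network(cidr, strict=True)
    # Network and broadcast addresses are unusable except on /31 and /32.
    usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    return usable - 1 >= clients  # one address is taken by the router itself


# Constructed sample values, not the addresses from the original thread.
BEFORE = {"ETH00": "192.168.1.1/24", "VPN99": "192.168.1.1/24"}
AFTER = {"ETH00": "192.168.1.1/24", "VPN99": "192.168.50.1/28"}

if __name__ == "__main__":
    print("before:", find_conflicts(BEFORE))
    print("after: ", find_conflicts(AFTER))
    print("/28 fits 10 clients:", fits_clients("192.168.50.0/28", 10))
    print("/29 fits 10 clients:", fits_clients("192.168.50.0/29", 10))
```

An empty conflict list means the two interfaces sit on distinct subnets, so the FORWARD chain actually sees the traffic between them and per-rule blocking from VPN to ETH can take effect.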