Perhaps hairpin NAT is not working in your router. Try adding your site FQDN to the IPF hosts with the NAS (LAN) IP so you have a split DNS and all local traffic using your website FQDN does not go outside your LAN.
I wouldn’t think you would need the “all to RED 443” rules because forwarding would open the port on red. So I would definitely delete that.
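To make the split-DNS point above concrete, here is an added example (not code from the thread or from IPFire) that models how a LAN client's lookup for the site FQDN resolves with and without a local hosts override, and what path the connection then takes. The addresses, the hosts-file text and the "public DNS" answer are constructed sample values; the hosts-file format is the standard one, but the NAS and RED addresses are assumptions.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample topology (assumptions, not values from the thread):
# the LAN, the NAS behind the firewall, and the public address on RED.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
NAS_LAN_IP = "192.168.1.20"
RED_PUBLIC_IP = "203.0.113.10"   # TEST-NET-3 documentation range
SITE_FQDN = "www.example.com"

# Answer a LAN client would receive from public DNS (constructed sample).
PUBLIC_DNS = {SITE_FQDN: RED_PUBLIC_IP}

# Hosts entry of the kind the post suggests adding: FQDN -> NAS LAN IP.
SPLIT_DNS_HOSTS = f"{NAS_LAN_IP} {SITE_FQDN} nas  # local override\n"


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse /etc/hosts-style text into {name: ip}; comments and blank lines are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            table[name.lower()] = ip
    return table


def resolve(fqdn: str, hosts: Dict[str, str], upstream: Dict[str, str]) -> Optional[str]:
    """A local hosts entry wins; otherwise fall back to the upstream (public) answer."""
    key = fqdn.lower()
    return hosts.get(key) or upstream.get(key)


def classify_path(client_ip: str, target_ip: str, lan_net: ipaddress.IPv4Network) -> str:
    """Describe what a connection from client_ip to target_ip needs.

    lan-direct  : client and target are both on the LAN; the firewall's RED side
                  is never involved, so no hairpin NAT is required.
    hairpin-nat : a LAN client is connecting to the RED (public) address, which
                  only works if the router reflects the connection back inside.
    external    : the client is outside the LAN; ordinary port forwarding applies.
    """
    client = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(target_ip)
    if client not in lan_net:
        return "external"
    if target in lan_net:
        return "lan-direct"
    return "hairpin-nat"


def path_for_lan_client(client_ip: str, hosts_text: str) -> str:
    """Resolve SITE_FQDN for a LAN client using the given hosts text, then classify the path."""
    target = resolve(SITE_FQDN, parse_hosts(hosts_text), PUBLIC_DNS)
    assert target is not None, "FQDN did not resolve"
    return classify_path(client_ip, target, LAN_NET)


if __name__ == "__main__":
    print("without override:", path_for_lan_client("192.168.1.50", ""))
    print("with split DNS:  ", path_for_lan_client("192.168.1.50", SPLIT_DNS_HOSTS))
```

Without the hosts entry the LAN client resolves the FQDN to the RED address and depends on hairpin NAT; with the entry it resolves to the NAS directly and the question of hairpin support in the router never arises, which is why the override is a useful first thing to try when local access fails but remote access works.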
Use this method to set up your port 443 server:
If you need access to this site by the TLDN and the internet connection is disconnected, add the site name to the host list under “edit host” in the Network section.
Hairpin NAT is automatically handled by setting up forwarding with “automatic” as the firewall interface and having “Use Network Address Translation (NAT)” and “Destination NAT (Port Forwarding)” selected when setting up the forwarding rule.
But straight routing (without hairpin NAT) should work if there is a name server outside pointing to the IP address of the red interface. Then the firewall interface selection of RED would be selected. However, in both cases, source port in the protocol section should be blank for a NAT translation entry if protocol is selected to TCP.
But normally when I use the system IPFire uses, I set the protocol to ‘all’ instead of TCP because of HTTPS issues when doing discrete routing instead of generic port forwarding. But this is a slightly different circumstance.
Removing the extra rule that the OP invoked that is required in some routers fixed the problem since everything else was set, and the unnecessary rule was causing a logic loop.