DMZ Server DNS setup

Regarding installation and first setup, nearly everything worked great OOTB. WOW!

And now I am stuck with step 2: configure IPFire and a Debian 9 server in the DMZ.

Likely the server (as well as the IP cams) is not accessible from outside, as I cannot even ping a host outside from this server in the DMZ.

Added some pictures … maybe it's a stupid blind spot; I just don't get it.

Hi, have a look at http://kb.unixservertech.com/software/ipfire/dmz and https://www.youtube.com/watch?v=ovDa7FHNE5o (only in German).

There are no port forwarding rules to the server, so how is that supposed to work, or what do you actually intend to do?

OT: what tool did you use for the system overview? :slightly_smiling_face:

@DJ-Melo
Yes, I watched the 5 copymaster tutorials already, but the first link looks like the missing link to me.

@xperimental
Hm… I opened all protocols for ORANGE to RED (see last picture), so what else should be opened? What I would like to do is to reach the internet from the server…

The tool is yEd (https://www.yworks.com/products/yed). Great tool, it just needs to import more icon sets.

Thanks for sharing.

Your main problem is your internet connection. A private IP is not routable. For better understanding: you only get a private IP from the outside (your LTE modem, as you wrote), so it's not reachable. The second problem Terry already told you: you don't have a port forwarding.

Great info - I thought 10.XXX… was the public IP :sleeping:

First I will change the IP from my ISP and then go for the port forwarding, thx.

The videos show how to make administration easier. Just good to know, I think.

The default firewall rules already have orange open to red.
See here: https://wiki.ipfire.org/configuration/firewall/default-policy
The server has no DNS from IPFire; it is blocked. That is my understanding.
Your server in the orange zone needs a DNS server,
like 9.9.9.9,
or a firewall rule to open DNS to orange.
If I have this wrong, someone can interject here.
You will then need a port forward red to orange to, say, a web server port 443.
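As an added example (not code from this thread or from the IPFire project), the script below renders the static network configuration the post above implies for a Debian 9 host in ORANGE: a default gateway on the ORANGE link plus an explicit public resolver such as 9.9.9.9. It also checks that the chosen gateway actually lies in the server's subnet, which rules out the 10.64.64.64 address the LTE modem shows on RED. The addresses 192.168.200.1 (IPFire's ORANGE side), the /24 netmask and the interface name eth0 are assumptions; 192.168.200.2 is the server address mentioned later in the thread. Files are written under `$DEST`, which defaults to a scratch directory, so running it changes nothing on the live system until you copy the files into place.

```shell
#!/bin/sh
# Added example, not from the thread or from IPFire: render a static network
# config for a Debian 9 host in IPFire's ORANGE zone and sanity-check the
# gateway choice. Assumed values (not stated on the page): IPFire's ORANGE
# address 192.168.200.1, netmask /24, interface eth0. 192.168.200.2 is the
# server address from the thread; 9.9.9.9 is the resolver suggested above.
set -eu

ORANGE_GW="${ORANGE_GW:-192.168.200.1}"   # assumed IPFire ORANGE address
SERVER_IP="${SERVER_IP:-192.168.200.2}"   # server address from the thread
NETMASK="${NETMASK:-255.255.255.0}"       # assumed
RESOLVER="${RESOLVER:-9.9.9.9}"           # resolver suggested in the post
IFACE="${IFACE:-eth0}"                    # assumed interface name
DEST="${DEST:-$(mktemp -d)}"              # scratch root, not the live /etc

# ip_to_int A.B.C.D -> 32-bit integer, so subnet membership is plain arithmetic.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet HOST GATEWAY MASK: exit 0 only if both share the network prefix,
# i.e. the gateway is on the local link and can actually be used as a gateway.
same_subnet() {
    h=$(ip_to_int "$1"); g=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( h & m )) -eq $(( g & m )) ]
}

# render_config writes etc/network/interfaces and etc/resolv.conf under $DEST.
render_config() {
    same_subnet "$SERVER_IP" "$ORANGE_GW" "$NETMASK" || {
        echo "gateway $ORANGE_GW is not in the subnet of $SERVER_IP/$NETMASK" >&2
        return 1
    }
    mkdir -p "$DEST/etc/network"
    cat > "$DEST/etc/network/interfaces" <<EOF
auto lo
iface lo inet loopback

# ORANGE-facing interface. The default gateway is IPFire's ORANGE address,
# not the 10.64.64.64 the LTE modem presents on RED.
auto $IFACE
iface $IFACE inet static
    address $SERVER_IP
    netmask $NETMASK
    gateway $ORANGE_GW
EOF
    cat > "$DEST/etc/resolv.conf" <<EOF
# An ORANGE host gets no resolver from IPFire, so name one explicitly.
# If the forward policy is "blocked", a rule allowing 53/udp+tcp from this
# host to RED is still required for it to answer.
nameserver $RESOLVER
EOF
    echo "wrote $DEST/etc/network/interfaces and $DEST/etc/resolv.conf"
}

# Usage: sh dmz-netconf.sh --write   (then review and copy the files into /etc)
if [ "${1:-}" = "--write" ]; then render_config; fi
```

The subnet check is the part worth keeping around: a gateway outside the host's own prefix (such as the modem's 10.64.64.64 seen from RED) produces exactly the "can't reach anything" symptom, with no error at configuration time.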

That is correct, but as I changed the default forward policy rule to blocked, I have to explicitly allow green and orange for other networks - as far as I understand.

The switch from an internal IP to an external IP is already done - so now I get 185.xxx.xxx.xxx as my internet IP address.

The gateway itself still shows as 10.64.64.64 - googling says that's typical behavior when connecting via a GSM/LTE modem… But if so, what am I supposed to configure as gateway on the server? And do I have to NAT the internal 192.168.200.2 to the external 185.xxx.xxx.xxx address?

On the server, dnsmasq.conf already shows 26 nameservers in its resolv.dnsmasq.conf, but I still cannot ping any host… "ping: unknown host"
(~$ systemctl status dnsmasq.service shows active (running), of course)

On purpose, there should be no DNS, and especially no DHCP, automatically available inside the ORANGE zone.

External clients should see your FW only.

  • For every service provided externally (e.g. Web host), configure the appropriate port (e.g.: 80) forwarding to the corresponding [IP:PORT] of your box delivering that service.
  • The external port number (FW / RED) and the internal port number (box / ORANGE) need not be identical.
  • Conversely, with different external ports (e.g. 80 and 8080), you can redirect to different boxes (IP), which then can all use the standard port (e.g. 80).

There is absolutely no need that those boxes should be visible / accessible from outside!

Now a new server is in ORANGE and more questions occurred:

  1. How is this ruleset matrix default-policy affected when I set the standard FORWARD behaviour to "blocked"?

  2. Is there a guide/example of how the PortFW rules have to be set if the default FORWARD behaviour is blocked and a server in ORANGE should be able to ping/download updates from internet servers? … I added a service group for DNS TCP/UDP and used it in a rule from server-IP to RED, but that was not successful - I was not able to ping servers outside …

Actually I did not find a single step-by-step guide to configure the minimal rulesets for a single server in ORANGE that can connect to DNS servers and offers an SSH port and one or two web services - when the FW FORWARD policy is blocked, of course … :confused:
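"I cannot ping a host outside" covers three different failures that the earlier dnsmasq post and the second question above run together: no usable default route, a route whose traffic the firewall's forward policy drops before it reaches RED, and working IP connectivity with no reachable resolver (the case that produces "ping: unknown host"). The script below, an added example that is not part of this thread or of IPFire, probes each layer in order from the ORANGE host and reports the first one that fails. The decision logic is kept separate from the live probes so it can be exercised with constructed results; 9.9.9.9 and example.com are assumed probe targets and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the thread or from IPFire: tell apart the reasons a
# server in ORANGE cannot "ping a host outside". Probes run in order: default
# route present -> gateway answers -> a public IP answers -> a name resolves.
# The first failing layer is the diagnosis. Probe targets are assumptions:
# 9.9.9.9 as an ICMP target and example.com as a name to resolve.
set -u

PROBE_IP="${PROBE_IP:-9.9.9.9}"
PROBE_NAME="${PROBE_NAME:-example.com}"

# default_gateway prints the IPv4 default gateway, or nothing if none is set.
default_gateway() {
    ip -4 route show default 2>/dev/null | awk '/^default/ {print $3; exit}'
}

have_route()     { [ -n "$(default_gateway)" ]; }
gw_reachable()   { ping -c1 -W2 "$(default_gateway)" >/dev/null 2>&1; }
ip_reachable()   { ping -c1 -W2 "$PROBE_IP" >/dev/null 2>&1; }
# getent goes through the system resolver (resolv.conf / local dnsmasq), so it
# tests the same path a real application on the server would use.
name_resolves()  { getent hosts "$PROBE_NAME" >/dev/null 2>&1; }

# classify ROUTE GW IP NAME (each 1 = ok, 0 = failed) -> one diagnosis line.
# Pure function: takes probe results as arguments, touches no network.
classify() {
    route=$1; gw=$2; ip=$3; name=$4
    if [ "$route" -eq 0 ]; then
        echo "no-default-route: set the gateway to IPFire's ORANGE address"
    elif [ "$gw" -eq 0 ]; then
        echo "gateway-unreachable: gateway/netmask wrong or host not on the ORANGE link"
    elif [ "$ip" -eq 0 ]; then
        # With a "blocked" forward policy this is the expected result until an
        # ORANGE->RED rule exists; if only ICMP is filtered, cross-check with
        # a TCP probe before concluding everything is dropped.
        echo "forward-blocked: traffic from ORANGE to RED is not being forwarded"
    elif [ "$name" -eq 0 ]; then
        echo "dns-failure: IP works but no resolver answers; allow 53/udp+tcp ORANGE->RED or fix resolv.conf"
    else
        echo "ok: routing and name resolution both work from this host"
    fi
}

# bool CMD... -> prints 1 if the command succeeds, 0 otherwise.
bool() { if "$@"; then echo 1; else echo 0; fi; }

# diagnose runs the probes on the live host, skipping layers above a failure.
diagnose() {
    r=$(bool have_route); g=0; i=0; n=0
    [ "$r" -eq 1 ] && g=$(bool gw_reachable)
    [ "$g" -eq 1 ] && i=$(bool ip_reachable)
    [ "$i" -eq 1 ] && n=$(bool name_resolves)
    classify "$r" "$g" "$i" "$n"
}

# Usage on the ORANGE server: sh dmz-diag.sh --live
if [ "${1:-}" = "--live" ]; then diagnose; fi
```

For the symptom in the thread (dnsmasq running with many upstream servers listed, yet "ping: unknown host"), the expected live result is the dns-failure line: the local dnsmasq is fine, but its upstream queries on port 53 never get past the blocked forward policy, so a rule for DNS from the server to RED is the minimal fix before any port forward for SSH or the web services.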