DMZ vs Port Forwarding (Router config)

I am setting up a web server on my home network, using IPFire to create a DMZ (ORANGE) and port forwarding rules in the IPFire firewall to direct incoming traffic. There’s also a Windows machine on GREEN that I want to remote desktop into over the internet (VPN).

The query is about the configuration of the router.

  1. I can put the RED interface of IPFire on the DMZ of the router (effectively bridging the router), the web server on ORANGE and everything else on the GREEN interface. As such, using DMZ would seem to be safe, but IPFire is then needed to run my network (give me internet access, as GREEN is my gateway).
  2. I can also use port forwarding on the router to the RED interface as above (ports 80, 8080, 3389) and leave the rest of my home network on the router (same subnet as RED). The advantage here is that I can switch off IPFire, the web server, etc. and my home network is unaffected.

Both work, but which option is safer from a security aspect, and what are the vulnerabilities of each?