Example of how to configure IPFire as internal firewall?

@nickh I am starting to suspect that my ISP may have finally blocked, via a firmware update to my cable modem, my ability to look at the statistics and logs. Even though I own my own cable modem, I realize that the ISP has sole control over firmware updates, and they have systematically removed various features and narrowed informational access. Since I can ping it, and it appears that only the HTTP/HTTPS access is not working, this seems likely.

This is true of Verizon hardware in America.
When possible I have removed their hardware. Now ONT to my IPFire.

Forgot to close this out. In short, I just configured IPFire so that Red0 connects to the internal network port on my edge router. Green0 of course is my gateway for all devices on the green zone. Red0 forwards to the edge router port by default. The trick was to NOT configure the Red0 interface as a WAN interface, which is what is typically done.

As for DNS, I did not have to do anything special after all. The Green0 side DNS server just has to point to/forward to the correct ISP or external DNS server for any Green0 zone device, or in my case the default gateway, which is the Green0 interface. Of course the IPFire configuration just needs to pass outbound DNS packets, so a simple DNS output rule. An example of this rule is already documented in the IPFire documentation.

So in my case…

192.168.10.2 - Router Internal Interface
192.168.10.3 - IpFire Red0 Interface
192.168.11.3 - IpFire Green0 Interface (i.e. default gateway for Green Zone)
192.168.11.4 - Local DNS (forward to Green0)
192.168.11.4 - Local DHCP for Green Zone

Rule DNS packet forwarding outbound only to 192.168.10.2 (from ANY on 192.168.11.3)

In effect any device on Red0 is in a DMZ. I strongly suggest that any SSH or HTTP/HTTPS access to the edge router is disabled on the internal router port. I use the dedicated console port on my edge router to manage the edge router.

Devices in the DMZ, which will be my external facing web server, will use static IP assignments and only external DNS servers.

My edge router supports WireGuard as a VPN, so I will be adding that to the design next, and WireGuard will only provide access to the Red Zone.

I also want to put all my IoT devices, Tasmota devices, etc. only in the Red Zone, but to do that, I need to change the physical network, which I cannot do right now.

To everyone that replied to this thread, Thank You!
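A sanity check for the addressing plan and the single DNS rule described in the post above, added here as an example and not part of the original thread or of IPFire itself. It assumes /24 masks (the post gives none) and reads the rule's "from ANY on 192.168.11.3" as "any host in the green subnet, leaving via Green0"; it confirms the two zones do not overlap and that only DNS to the edge router matches the rule, so management ports on the router's internal interface stay unreachable from green.

```python
import ipaddress

# Addressing plan from the post; /24 masks are an assumption (constructed for this check)
PLAN = {
    "router_internal": ("192.168.10.2/24", "red"),
    "ipfire_red0":     ("192.168.10.3/24", "red"),
    "ipfire_green0":   ("192.168.11.3/24", "green"),
    "local_dns_dhcp":  ("192.168.11.4/24", "green"),
}

# The one outbound rule: DNS from the green side to the edge router's internal interface.
# Source subnet is an assumption about what "from ANY on 192.168.11.3" means.
DNS_RULE = {"src": "192.168.11.0/24", "dst": "192.168.10.2", "proto": "udp", "dport": 53}


def check_plan(plan):
    """Return a list of problems in the plan; an empty list means the zones are consistent."""
    problems = []
    nets = {}
    for name, (cidr, zone) in plan.items():
        nets.setdefault(zone, set()).add(ipaddress.ip_interface(cidr).network)
    # Each zone should be exactly one subnet
    for zone, subnets in nets.items():
        if len(subnets) != 1:
            problems.append(f"zone {zone} spans several subnets: {sorted(map(str, subnets))}")
    # Zones must not overlap, otherwise routing between Red0 and Green0 is ambiguous
    zones = list(nets)
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            for na in nets[a]:
                for nb in nets[b]:
                    if na.overlaps(nb):
                        problems.append(f"zones {a} and {b} overlap: {na} / {nb}")
    return problems


def rule_allows(rule, src, dst, proto, dport):
    """True only if the flow matches the DNS rule on source subnet, destination, proto and port."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) == ipaddress.ip_address(rule["dst"])
            and proto == rule["proto"] and dport == rule["dport"])


if __name__ == "__main__":
    print("plan problems:", check_plan(PLAN))
    print("green DNS -> router:", rule_allows(DNS_RULE, "192.168.11.4", "192.168.10.2", "udp", 53))
    print("green SSH -> router:", rule_allows(DNS_RULE, "192.168.11.4", "192.168.10.2", "tcp", 22))
```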