Hi,
I’ve been totally crazy for weeks with this topic.
On my side it was impossible to access Green network from any Blue devices even by configuring the DMZ pinhole as documentation advices.
After having read this post, I tried again to configure the Blue to Green rule by playing with NAT options.
I find one that solves my trouble 
Into NAT section:
- activate => Use Network Address Translation (NAT)
- Select Source NAT radio button
- Choose Green interface into ‘New source IP address’ combo box
If somebody can validate this fact, maybe it will be useful to update this page : wiki.ipfire.org - Creating a DMZ Pinhole or this one wiki.ipfire.org - Firewall Default Policy into the line related to blue to green default policy.
To sum up here you are the full rule to allow Blue devices accessing Green network
