Check the PINHOLE setup from Blue to Green on the wiki…
I struggled a bit with this too but got it to work (totally my own head not getting things), you can also see my extensive trial and error thread about it here… not exactly what you are asking about, but similar.
To summarize the discussion thus far: no special rules are needed for the green network to access either the blue network or the IPFire Web User Interface (WUI). In the context of the blue network, you also don’t need a specific rule to access the WUI. However, a rule is required to grant the blue network partial or full access to the green network. This is referred to as a “pinhole” rule in the IPFire wiki.
It appears that you’ve already created such a pinhole rule, specifically for the machine in the green network with the IP address 10.0.0.35, as outlined in post 6.
As a best practice, you should consider removing any existing rules that use the green network as a source. Additionally, the rule allowing the entire blue network to access the entire green network, shown in post 3, should also be removed. More restricted rules like the one in post 6 should instead be used, following the principle that the pinhole should not be bigger than necessary.
In short, maintain only the essential pinhole rule and remove all other related rules for optimal configuration. Do not forget to click Apply changes when modifying the firewall in the WUI.
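The cleanup described above can be expressed as a small audit, shown here as an added example that is not part of the original posts and is not IPFire code. The `Rule` structure, the rule names and both network ranges are assumptions made for illustration; only the host 10.0.0.35 comes from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing: the thread only names 10.0.0.35 as a green host.
GREEN = ipaddress.ip_network("10.0.0.0/24")   # assumption
BLUE = ipaddress.ip_network("172.16.0.0/24")  # constructed placeholder range

@dataclass
class Rule:  # hypothetical structure, not IPFire's on-disk format
    name: str
    src: str
    dst: str
    action: str = "ACCEPT"

def audit(rules):
    """Return (rule name, verdict) pairs for rules that should be changed."""
    findings = []
    for r in rules:
        if r.action != "ACCEPT":
            continue
        src = ipaddress.ip_network(r.src, strict=False)
        dst = ipaddress.ip_network(r.dst, strict=False)
        if src.subnet_of(GREEN):
            # Green already reaches blue and the WUI without a rule.
            findings.append((r.name, "remove"))
        elif src.subnet_of(BLUE) and dst.overlaps(GREEN) and dst.num_addresses > 1:
            # Pinhole wider than a single green host.
            findings.append((r.name, "narrow"))
    return findings

# Constructed sample rule set mirroring the three kinds of rule discussed.
SAMPLE_RULES = [
    Rule("blue-any-to-green", "172.16.0.0/24", "10.0.0.0/24"),
    Rule("green-to-blue", "10.0.0.0/24", "172.16.0.0/24"),
    Rule("pinhole-10.0.0.35", "172.16.0.0/24", "10.0.0.35/32"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RULES):
        print(f"{name}: {verdict}")
```

Only the single-host pinhole passes without a finding, which matches the advice to keep the pinhole no bigger than necessary.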
Yes, this is my final firewall rules page, though I still cannot access 192.168.0.2 from green. But now my wireless speeds have tanked again. Not just wireless, but the wired connections on the AP as well.