How to get port forwarding working

It’s normal for the IPFire machine to be able to access 192.168.0.212:80 without any problem because the IPFire machine exists in the same subnet as the web server (192.168.0.86 - green).

I have a single firewall rule: source is ANY, Destination NAT with Firewall interface automatic, destination 192.168.0.212, Protocol TCP and Destination port 80. I have added the rule and applied changes.

My understanding is that you did make a firewall rule to allow any packets towards 192.168.0.212:80 through the firewall BUT you did not make a forwarding rule to forward packets received by 192.168.1.3:80 towards 192.168.0.212:80.

I haven’t touched the firewall interface of IPFire for a while so I can’t quite remember how to set this up but yeah, I think that’s the main thing that you’re missing here.

Forward packets received from 192.168.1.3:80 to 192.168.0.212:80

Actually, I think your setup should’ve still worked by configuring a custom network route where packets whose destination is “192.168.0.212” have 192.168.1.3 (your IPFire) as the gateway - this will have to be configured from your 192.168 subnet’s default gateway device. However, this would require additional configuration if you’re looking to be able to access 192.168.0.212:80 from the public internet.
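Added example, not part of any post in this thread: a simplified Python model of the order in which Linux netfilter (which IPFire's firewall is built on) handles a packet, showing why an allow rule and a destination NAT rule do different jobs. The addresses are the ones quoted in the thread; the `traverse` function, the rule tuples, the /24 green network and the default-drop forward policy are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FIREWALL_RED = "192.168.1.3"               # firewall address the client connects to
WEB_SERVER = "192.168.0.212"               # web server behind the firewall
GREEN_NET = ip_network("192.168.0.0/24")   # assumed prefix length for the green network


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int


def traverse(pkt, dnat_rules, forward_rules):
    """Model: nat PREROUTING -> routing decision -> filter FORWARD (default drop)."""
    # 1. nat/PREROUTING: the first matching DNAT rule rewrites the destination.
    for match_dst, match_port, new_dst, new_port in dnat_rules:
        if (pkt.dst, pkt.dport) == (match_dst, match_port):
            pkt = Packet(new_dst, new_port)
            break
    # 2. Routing decision, made on the (possibly rewritten) destination.
    if pkt.dst == FIREWALL_RED:
        return "local"       # handed to the firewall host itself, never forwarded
    if ip_address(pkt.dst) not in GREEN_NET:
        return "no-route"
    # 3. filter/FORWARD: rules are compared against the post-DNAT destination.
    if (pkt.dst, pkt.dport) in forward_rules:
        return "forwarded"
    return "dropped"


DNAT = [(FIREWALL_RED, 80, WEB_SERVER, 80)]
ALLOW = {(WEB_SERVER, 80)}
client_packet = Packet(FIREWALL_RED, 80)   # what an outside client actually sends


def scenarios():
    return {
        "allow rule only": traverse(client_packet, [], ALLOW),
        "DNAT rule only": traverse(client_packet, DNAT, set()),
        "DNAT + allow on translated address": traverse(client_packet, DNAT, ALLOW),
        "DNAT + allow on original address": traverse(client_packet, DNAT, {(FIREWALL_RED, 80)}),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

Only the combination of a destination rewrite and an allow rule written against the translated address reaches the web server in this model.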