Hi everyone!
I want to explain how I got port forwarding working, finally!

As many have pointed out, "System Access" is only for traffic to EFW - nothing else.
The problem is that DNAT isn't enought, because you also need to create an SNAT-rule so an 3-way handshake can be enstablished.
If you see previous post, especially from ddPAC, you will get the DNAT rule running.
Here comes my SNAT-rule (which applies to all DNAT-rules):
Source type: Network/IP
Internet network/IPs:
Destination Type: Zone/VPN/Uplink
Selected interfaces: GREEN
Service: <ANY>
Protocol: <ANY>
NAT: NAT ... to source address Auto
Enabled: Ticked (ofcorce)
Hope this helps!