FRITZ!Box, IPsec, Failover (mwan3), accept traffic from VPN, Port Forwarding through VPN

Hi,
Because of the sporadically bad link quality of Vodafone Germany Cable Internet via a FRITZ!Box 6591 (192.168.1.0/24, wan/eth0.2, public IPv4), I decided to use mwan3.

I'm using a TP-LINK TL-WR1043ND V2 (OpenWrt 19.07.6) as failover router (192.168.123.0/24).

The second WAN connection is via LTE/4G from 1&1 (Telefonica Germany) using an EasyBox 904 LTE (192.168.2.0/24, wwan/wlan0, shared IPv4).

In the checks I increased the count to the maximum value of 5 and enabled the link-quality check.

In the FRITZ!Box 6591 a site-to-site VPN (LAN-LAN-Kopplung) is configured to a FRITZ!Box 7490 (192.168.124.0/24, public IPv4) using MyFRITZ! hostnames (.myfritz.net).

Goals

  1. bidirectional communication 192.168.124.0/24 <=> 192.168.123.0/24, like it currently works for 192.168.124.0/24 <=> 192.168.1.0/24
  2. create port forwardings in the 7490 to any port on any device in 192.168.123.0/24. The FRITZ!Box doesn't allow that for road-warrior IPs (in my case starting from 192.168.124.201).

To reach my goals I have several options (or not):

  1. Configure port forwarding in the TL-WR1043 from zone wan to zone lan for every port I need (with the mentioned limitation) :white_check_mark:
  2. Adjust the firewall in the TL-WR1043 to accept connections from 192.168.124.0/24. I played around with several settings, like creating a zone vpn and moving my rules to the top, but all without success.
  3. Configure the site-to-site VPN in the TL-WR1043. For that I already tried vpnc, and a ping from a device in 192.168.124.0/24 is possible :white_check_mark: . But then the mentioned limitation comes into play and I can't forward that port to the public side.
  4. Install another site-to-site VPN software package, e.g. strongswan-full, in the TL-WR1043 and, if there is not enough space for all the dependencies (min. 4.3 MB), attach a USB flash drive and mount it permanently.

Thank you in advance.
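As an added example (not from the post above): an OpenWrt /etc/config/firewall fragment for the TL-WR1043 covering options 1 and 2, which accepts only the remote VPN subnet from the wan zone instead of opening wan -> lan forwarding in general. It assumes zone wan is eth0.2 behind the 6591, zone lan is 192.168.123.0/24, and the 6591 delivers the decrypted IPsec traffic from 192.168.124.0/24 over that link; 192.168.123.10 and port 8080 are placeholders.

```uci
# /etc/config/firewall on the TL-WR1043 (added example, not from the post)
# Assumed: zone 'wan' = eth0.2 behind the FRITZ!Box 6591, zone 'lan' = 192.168.123.0/24,
# decrypted IPsec traffic from the 7490 side arrives on eth0.2 with source 192.168.124.0/24.

# Option 2: accept the remote VPN subnet (and nothing else) from wan into lan.
# Narrow src_ip/dest_ip keep the wan zone otherwise closed; restrict proto further if possible.
config rule
	option name 'Allow-VPN-7490-to-lan'
	option src 'wan'
	option src_ip '192.168.124.0/24'
	option dest 'lan'
	option dest_ip '192.168.123.0/24'
	option proto 'all'
	option target 'ACCEPT'

# Option 1: one port forwarding per service, still limited to the VPN subnet
# so the forward is not reachable from the rest of the wan side.
# 192.168.123.10 and 8080 are placeholders for the real device and port.
config redirect
	option name 'Forward-8080-from-VPN'
	option src 'wan'
	option src_ip '192.168.124.0/24'
	option src_dport '8080'
	option dest 'lan'
	option dest_ip '192.168.123.10'
	option dest_port '8080'
	option proto 'tcp'
	option target 'DNAT'
```

Reload with /etc/init.d/firewall restart and watch iptables -L forwarding_wan_rule -nv for hit counts. Goal 1 additionally needs a return path: the 6591 must route 192.168.123.0/24 to the TL-WR1043's 192.168.1.x address and the VPN must carry that subnet, otherwise replies from 192.168.124.0/24 only ever see the masqueraded 192.168.1.x address.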