possible solution that needed to be checked/beautified and integrated into GL-inets scripts:
### use Firewall | Port Forwards when VPN is running and is default gateway
## only the very 1st time:
# add routing table for port forwarding
grep -q "201 fw" /etc/iproute2/rt_tables || echo 201 fw >> /etc/iproute2/rt_tables
## after each reboot
# add default gateway of ISP to routing table "fw"
ip route add default via $Gateway-of-router dev $WAN-interface table fw
# add rule to use routing table "fw" for packets marked "0x1"
ip rule add fwmark 1 table fw
## after each firewall restart
# for each DNAT-target
iptables -A PREROUTING -i br-lan -t mangle -p $Protocol -s $DNAT-target --sport $DNAT-target-port -j MARK --set-mark 1
The same principle worked for forwarding into the guest net.
HTH!
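
The steps in the post above, as an added example that is not part of the original post and is not GL.iNet code: each step is wrapped so that repeating it after a reboot or firewall restart does not stack duplicate routes, rules or marks. The gateway 192.0.2.1, the interface eth0, the target 192.168.8.50:8080 and the DRY_RUN switch are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not GL.iNet code. Addresses and interface names are constructed.
WAN_GW=192.0.2.1      # assumed ISP gateway
WAN_IF=eth0           # assumed WAN interface
LAN_IF=br-lan
TABLE_ID=201 TABLE_NAME=fw MARK=1
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-1} # 1 = only print the commands, 0 = apply them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Once: register the table name; a second call adds nothing.
ensure_table() {
    grep -q "^$TABLE_ID $TABLE_NAME\$" "$RT_TABLES" 2>/dev/null && return 0
    if [ "$DRY_RUN" = 1 ]; then echo "echo $TABLE_ID $TABLE_NAME >> $RT_TABLES"
    else echo "$TABLE_ID $TABLE_NAME" >> "$RT_TABLES"; fi
}

# After each boot: "replace" can be repeated, "add" fails when the route exists.
ensure_route() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE_NAME"
}

# After each boot: delete any copies of the rule first, then add exactly one.
ensure_rule() {
    if [ "$DRY_RUN" != 1 ]; then
        while ip rule del fwmark "$MARK" table "$TABLE_NAME" 2>/dev/null; do :; done
    fi
    run ip rule add fwmark "$MARK" table "$TABLE_NAME"
}

# After each firewall restart, once per DNAT target: mark only that host's
# replies from the forwarded port, and skip the append if the rule is present.
mark_replies() { # usage: mark_replies tcp|udp TARGET_IP TARGET_PORT
    case "$1" in tcp|udp) ;; *) echo "bad protocol: $1" >&2; return 1 ;; esac
    case "$3" in ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;; esac
    set -- -i "$LAN_IF" -p "$1" -s "$2" --sport "$3" -j MARK --set-mark "$MARK"
    if [ "$DRY_RUN" != 1 ] && iptables -t mangle -C PREROUTING "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t mangle -A PREROUTING "$@"
}

# Constructed sample target: 192.168.8.50, tcp/8080
ensure_table
ensure_route
ensure_rule
mark_replies tcp 192.168.8.50 8080
```

Because the mark matches on source address and source port, only reply packets of the forwarded service leave via the ISP gateway; everything else from that host still follows the VPN default route.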