0.a) Depends if you want to have a firewall or a router. If you want to have a router then default is accept, if you want a firewall then the default should be drop.
0.b) I’m not sure I got that. What are 3 rules for which requirement?
1.a) I have ALLOWED policy in my FORWARD chain and I don’t know if it is necessary to add this, cause as soon as you add the VS it is added as a PREROUTING rule to change the destination IP address.
2.a) Sounds reasonable unless you have the server working in specific ports.
2.b) Are you sure the upstream provider is honoring the DSCP field?
3.a) If you allow https web-gui only on internal LAN then you can redirect https from wan to another server.
3.b) as well as for other VS, if you have a dynamic IP just declare here the input wan interface, protocol and local port, not the input wan ip. Also declare the remote IP and port of course!