My experiment was pretty simple.
[lan a] - [fw1] - [fw2] - [lan b]
Because the subnet between the firewalls was not a "virtual internet," I could get away with simple default routes in all four nodes, without NAT. If you like, I can add a 5th virtual machine to simulate the Internet, add NAT, and test again.
[lan a] - [fw1] - [Internet] - [fw2] - [lan b]
|