I have had the opportunity to review the new graphic.
As I perceive it, your new subnet "$dmz_ops" has introduced a routing problem, because the subnet address (192.168.15/24) is not within the larger $dmz subnetwork (10.12/16). I believe there may be three ways to manage this new subnet. In recommended order:
- Use a subnet within the larger 10.12/16 $dmz address space.
- Add a route in Router 1 to the new $dmz_ops subnet through Router 2. Add a similar route in any device in $mgt or $ops that needs access to $dmz_ops to direct that traffic through Router 1.
- Configure Network Address Translation (NAT) and appropriate TCP/UDP port forwarding as needed in order to reach the $dmz_ops platforms.
I may try to recreate this pictorial in virtual machines as time permits later this week.
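An added illustration, not part of the original message: a longest-prefix-match lookup showing why 192.168.15/24 is not reached through the existing 10.12/16 route, and how options 1 and 2 change the result. The Router 1 table entries, the "upstream" default route, the assumption that $dmz is reached via Router 2, and the 10.12.15.0/24 candidate subnet are constructed for the example.

```python
import ipaddress

DMZ = ipaddress.ip_network("10.12.0.0/16")         # $dmz (10.12/16 in the message)
DMZ_OPS = ipaddress.ip_network("192.168.15.0/24")  # $dmz_ops (192.168.15/24)
OPTION1 = ipaddress.ip_network("10.12.15.0/24")    # constructed subnet inside $dmz

# Constructed Router 1 table. Next hops are labels, not real addresses.
# Assumption: Router 1 already reaches $dmz through Router 2.
ROUTER1_BEFORE = [
    ("0.0.0.0/0", "upstream"),
    ("10.12.0.0/16", "Router 2"),
]
# Option 2 from the message: explicit route to $dmz_ops through Router 2.
ROUTER1_AFTER = ROUTER1_BEFORE + [("192.168.15.0/24", "Router 2")]


def covered_by_dmz(subnet):
    """True if the subnet falls inside the larger $dmz address space."""
    return subnet.subnet_of(DMZ)


def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop), or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None


if __name__ == "__main__":
    for name, net in (("$dmz_ops", DMZ_OPS), ("option 1 subnet", OPTION1)):
        print(f"{name} {net} inside {DMZ}: {covered_by_dmz(net)}")
    host = "192.168.15.10"  # constructed host in $dmz_ops
    print("before:", lookup(ROUTER1_BEFORE, host))
    print("after option 2:", lookup(ROUTER1_AFTER, host))
    print("option 1 host:", lookup(ROUTER1_BEFORE, "10.12.15.10"))
```

The same lookup applies to any device in $mgt or $ops: until it has a route for 192.168.15.0/24 pointing at Router 1, its $dmz_ops traffic follows whatever less specific route it already has.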