I followed this thread and I wonder if there is a sane reason why you do NAT inside your network. Why don't you just route between different subnets, i.e. 10.0.1.0/24 and 10.0.2.0/24? You still can have a firewall between those subnets. -H