Friday, May 24, 2019

Need help conceptualizing a DMZ reverse proxy setup where target servers are separated by another firewall and are not on the DMZ network.

Thanks in advance for your time and any insight you may have.


I might be creating a default gateway paradox by trying to do this, but there's a reason. I think. Feel free to tell me I'm dumb.

Let's say you have two SonicWalls, one at the edge for normal traffic and you have a DMZ network on X4. On that network you have a reverse proxy. You need to proxy HTTPS to some backend servers that MUST be on the LAN. So you put one of their NICs in the DMZ network and give it the X4 IP for its default gateway.

Everything works, but let's say you wanted to separate the DMZ from the LAN with another SonicWall, and have the reverse proxy connect to an interface there and another interface could serve the connection to the backend servers and be restricted by access rules in that second firewall. Let's say you want to do this so that if the reverse proxy is compromised, there's nowhere for it to go except the second firewall.

This probably means that the DMZ and the "DMZ 2" NICs behind the second firewall are on a different network and will have different default gateways.

How would you give the second firewall the ability to return traffic back to the DMZ from whence it came without also allowing the reverse proxy to talk directly to the servers outside of enforcement by nature of them being in the same subnet?

My thoughts are (to me) coherent with the following alternate setup until the default gateway:

DMZ Interface --> Switch --> Reverse Proxy | proxy cons -> | Second Firewall upstream interface [Same network as DMZ?]
[ Second Firewall ] DMZ Server IP NAT to --> Internal zone Server IP --> Internal Zone interface --> NICs on servers configured in different network than that of the DMZ.
[ Access rules ] Allow DMZ --> Internal zone HTTPS (DMZ Server IP Group)
[ Server NICs ] IP in Internal Zone network | Default Gateway = ???

If I use the Internal Zone interface IP for the DG, how will the traffic return to the DMZ? If I configure the NICs with a default gateway of the DMZ interface and add a route in the second firewall, will the traffic ever hit the Internal Zone interface to begin with, being in different subnets? Can't be. Should I make the Internal Zone the DG and NAT it to something that can touch the DMZ network going upstream? Is that even a thing?

???

My brain is mush from a very long day. I'm also not a network guy, so I am very sorry for doing this to you.
Thanks again.
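A small model of the setup above, added here and not part of the original post: it walks the forward and return path of one proxied HTTPS connection with the servers' default gateway set to the second firewall's Internal Zone interface, and again with a gateway that lives in the DMZ subnet. All addresses, host names and the second firewall's NAT and routing behaviour are constructed assumptions, not SonicWall configuration.

```python
import ipaddress

# Constructed model of the post's topology; addresses are made up (RFC 5737 ranges).
# DMZ on X4, 192.0.2.0/24: edge firewall X4 .1, second firewall upstream .2,
# reverse proxy .10, and the "DMZ Server IP" .50 that the second firewall NATs.
# Internal zone, 198.51.100.0/24: second firewall internal interface .1, server .20.
IP, NET = ipaddress.ip_address, ipaddress.ip_network
DMZ_NET, INT_NET, DEFAULT = NET("192.0.2.0/24"), NET("198.51.100.0/24"), NET("0.0.0.0/0")
EDGE_X4, FW2_DMZ, PROXY, VIP = IP("192.0.2.1"), IP("192.0.2.2"), IP("192.0.2.10"), IP("192.0.2.50")
FW2_INT, SERVER = IP("198.51.100.1"), IP("198.51.100.20")

# Routing tables: (network, gateway); gateway None means directly connected.
PROXY_TABLE = [(DMZ_NET, None), (DEFAULT, EDGE_X4)]
FW2_TABLE = [(DMZ_NET, None), (INT_NET, None), (DEFAULT, EDGE_X4)]
def server_table(gateway):
    return [(INT_NET, None), (DEFAULT, gateway)]

def next_hop(table, dst):
    """Longest-prefix match; returns the address the host must ARP for. A default
    gateway that sits on no directly connected subnet cannot be reached at all."""
    matches = [r for r in table if dst in r[0]]
    if not matches:
        raise RuntimeError(f"no route to {dst}")
    _, gw = max(matches, key=lambda r: r[0].prefixlen)
    hop = gw if gw is not None else dst
    if not any(hop in n for n, g in table if g is None):
        raise RuntimeError(f"gateway {hop} is not on-link for this host")
    return hop

def trace_https(server_gateway):
    """Forward path proxy -> VIP -> server, then the return path back to the proxy.
    Returns the (host, src, dst, next_hop) decisions made along the way."""
    hops = []
    # Forward: VIP is inside the DMZ subnet, so the proxy ARPs for it and the second
    # firewall answers because it owns the NAT address (assumed NAT policy behaviour).
    hops.append(("proxy", PROXY, VIP, next_hop(PROXY_TABLE, VIP)))
    # Second firewall: DNAT VIP -> SERVER, then the access rule DMZ -> Internal HTTPS.
    if not (PROXY in DMZ_NET and SERVER in INT_NET):
        raise RuntimeError("access rule DMZ -> Internal zone does not match")
    hops.append(("fw2", PROXY, SERVER, next_hop(FW2_TABLE, SERVER)))
    # Return: the server only knows its own subnet plus its default gateway.
    hops.append(("server", SERVER, PROXY, next_hop(server_table(server_gateway), PROXY)))
    # Second firewall reverses the DNAT (connection tracking) and routes to the DMZ,
    # which is directly connected on its upstream interface; no extra route is needed.
    hops.append(("fw2", VIP, PROXY, next_hop(FW2_TABLE, PROXY)))
    return hops

def return_path_works(server_gateway):
    """True when a reply from the server can reach the proxy with this default gateway."""
    try:
        trace_https(server_gateway)
        return True
    except RuntimeError:
        return False
```

With the Internal Zone interface as the gateway the reply reaches the DMZ through the second firewall's connected route; a gateway in the DMZ subnet is never on-link for the servers, so the reply never leaves them.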