
    @steveits

    I may be interested in knowing more. My ATT router has a 5G port that is unused, but only 1 of the 2 routers has 5G capability, the pfSense. The other router is a MikroTik, but none of its eth ports have 5G.

    For clarity, my pfSense router has a 5G wan input, and 2 10G SFP+ ports as potential outputs.

    I wanted perfect separation at the WAN connection, but I could use the 5G ethernet port on the ATT machine and go to the pfRouter, then split the connection to a second router via SFP+ and then to a switch for VPN access via the 2nd SFP+.

    This would give me 5G all the way to each router, then separate LANs from there.

  • Pfsense Multiple Layers

    General pfSense Questions
    stephenw10

    That should not apply in this situation as 172.16.0.1 is the internal IP of the outer firewall so, presumably, does not have a gateway and hence also wouldn't have those rules.
    It doesn't apply to the inner firewall as that is outbound traffic from a device on the 192.168.9.X subnet which is always allowed.

    I assume you are NATing the outbound traffic in the inner firewall, the default configuration?

    I would run a packet capture first on the WAN interface of the inner firewall. Filter by host IP 172.16.0.1 and try to access the outer firewall from a client on the 192.168.9.X subnet.

    If you see traffic there try the same thing on the outer firewall LAN interface.

    Either the outer firewall is blocking that traffic deliberately or it has some routing problem that means it cannot reply. For example perhaps that traffic is not being NAT'd for some reason so it has no route back to 192.168.9.X. The packet cap should show what's happening.

    Steve