It kind of depends on how much data you will be moving between these two external subnets. If you allow the HP to route directly between those subnets, you can have as many 1Gb streams between them as you have ports configured for them. With "router-on-a-stick" (I've always called it vlan-on-a-stick, but same concept), you would be limited to just 1Gb in total throughput between the VLANs (leaving out the possibility of doing an LACP trunk between the SonicWALL and the HP).
With this method, the third VLAN would be considered a "transit network", which would make it easier down the road, as your network grows, to implement a dynamic routing protocol or to add more routers into the network, if the need ever arises.
The HP switch would be acting as your layer 3 core, and would have an IP address in each of the three VLANs. The SonicWALL would need only an access port to the transit network, and its own IP on that network.
From there, you need a default route statement in the HP pointing to the SonicWALL's transit-net IP address, and two static routes in the SonicWALL (one for each of your 'external' subnets) pointing back at the HP's transit-net IP.
The easy button is to simply run a VLAN trunk to the SonicWALL and put an address on each of the VLANs you want to route for. I've done it this way in the past, and if you don't plan on heavy traffic, it's perfectly viable and pretty easy to configure.
If you could post some of your route statements in your attempts at setting up the transit net, I'm sure someone could help you get that straightened out.
Your access switches operate at layer 2; they're "just switches". At layer 2, everything funnels back to the routing switch. The routing switch then moves ("routes") traffic between VLANs. All of this looks fine, so far.
The issue is that you cannot ping anything in 192.168.11.0/24 from any of the other VLANs (i.e. the firewall, and thus the path to the internet)? That's because nothing else in the network knows about the other networks. Traffic is getting to 192.168.11.0/24, but the reply will follow the default route to the firewall, or, if you ping the firewall, its default route towards the internet.
You should be able to talk to things in the other VLANs from any of the new VLANs, because their default gateway is the routing switch.
(Also, I cannot recommend the use of RIP. EVER. Your network is tiny and (mostly) static, so it's unnecessary. The firewall is the only thing that needs to know about the other networks.)
Best Answer
Limited broadcasts (to 255.255.255.255) are generally limited to the VLAN (= broadcast domain). Directed subnet broadcasts (to e.g. 192.168.0.255/24) may be routed if your routers are configured that way.
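The three answers above describe the same design from different angles: the HP as layer 3 core with a transit VLAN and two static routes on the SonicWALL, the symptom when those routes are missing (replies chase the default route towards the internet), and how limited versus directed broadcasts cross a router. The following hop-by-hop simulation is an added illustration, not code from any poster or from HP/SonicWALL; every address, VLAN number and device name in it is assumed. It implements longest-prefix-match forwarding and traces a packet device by device, so you can see why the outbound ping works, why the reply dies without the static routes, and what a directed broadcast does with and without forwarding enabled.

```python
"""Hop-by-hop routing simulation for the transit-network design in this thread.
Added illustration (not from any post); every address below is assumed."""
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


class Host:
    """A PC with one interface and a default gateway (no routing table)."""
    def __init__(self, name, addr, gateway):
        self.name = name
        self.iface = ipaddress.ip_interface(addr)
        self.gateway = ipaddress.ip_address(gateway)

    def addresses(self):
        return [self.iface.ip]

    def owns(self, dst):
        return dst == self.iface.ip

    def forward(self, dst):
        # Limited broadcast and the local subnet's directed broadcast stay on the segment.
        if dst == LIMITED_BROADCAST or dst == self.iface.network.broadcast_address:
            return "broadcast on local segment"
        return dst if dst in self.iface.network else self.gateway  # on-link, else via gateway


class Router:
    """A layer 3 device: connected routes for its interfaces plus any static routes."""
    def __init__(self, name, interfaces, directed_broadcast=False):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in interfaces]
        self.directed_broadcast = directed_broadcast
        self.routes = [(i.network, None) for i in self.ifaces]  # next_hop None = connected

    def addresses(self):
        return [i.ip for i in self.ifaces]

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def owns(self, dst):
        return any(i.ip == dst for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match; 0.0.0.0/0 only wins when nothing more specific matches."""
        candidates = [r for r in self.routes if dst in r[0]]
        return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None

    def forward(self, dst):
        if dst == LIMITED_BROADCAST:
            return "dropped: limited broadcast is never routed"
        for i in self.ifaces:  # last-hop router decides about a directed broadcast
            if dst == i.network.broadcast_address:
                if self.directed_broadcast:
                    return f"broadcast onto {i.network}"
                return "dropped: directed broadcast forwarding disabled"
        route = self.lookup(dst)
        if route is None:
            return "dropped: no route"
        _, next_hop = route
        return dst if next_hop is None else next_hop


def trace(devices, src_ip, dst_ip, max_hops=8):
    """Walk a packet from the device owning src_ip; returns hop names plus a verdict."""
    by_ip = {ip: d for d in devices for ip in d.addresses()}
    dst = ipaddress.ip_address(dst_ip)
    cur = by_ip[ipaddress.ip_address(src_ip)]
    path = [cur.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path + ["delivered"]
        nxt = cur.forward(dst)
        if isinstance(nxt, str):  # a verdict rather than a next-hop address
            return path + [nxt]
        cur = by_ip.get(nxt)
        if cur is None:
            return path + [f"dropped: no device at next hop {nxt}"]
        path.append(cur.name)
    return path + ["loop"]


def build(with_static_routes, directed_broadcast=False):
    """Assumed topology: HP core with VLAN 11, VLAN 12 and a /30 transit VLAN to the SonicWALL."""
    hp = Router("HP", ["192.168.11.1/24", "192.168.12.1/24", "10.255.255.2/30"], directed_broadcast)
    hp.add_route("0.0.0.0/0", "10.255.255.1")          # default towards the SonicWALL
    fw = Router("SonicWALL", ["10.255.255.1/30", "203.0.113.10/24"])
    fw.add_route("0.0.0.0/0", "203.0.113.1")            # default towards the ISP
    if with_static_routes:                               # the two routes the first answer describes
        fw.add_route("192.168.11.0/24", "10.255.255.2")
        fw.add_route("192.168.12.0/24", "10.255.255.2")
    isp = Router("ISP", ["203.0.113.1/24"])              # knows nothing about RFC 1918 space
    pc11 = Host("pc11", "192.168.11.10/24", "192.168.11.1")
    pc12 = Host("pc12", "192.168.12.10/24", "192.168.12.1")
    return [hp, fw, isp, pc11, pc12]


if __name__ == "__main__":
    for statics in (False, True):
        net = build(statics)
        print(f"static routes on SonicWALL: {statics}")
        print("  pc11 -> pc12        ", trace(net, "192.168.11.10", "192.168.12.10"))
        print("  pc11 -> SonicWALL   ", trace(net, "192.168.11.10", "10.255.255.1"))
        print("  SonicWALL reply     ", trace(net, "10.255.255.1", "192.168.11.10"))
    print("directed bcast, off ", trace(build(True), "192.168.11.10", "192.168.12.255"))
    print("directed bcast, on  ", trace(build(True, True), "192.168.11.10", "192.168.12.255"))
```

The inter-VLAN and outbound traces succeed in both configurations because the HP owns every VLAN and its default route points at the transit IP; only the return trip exposes the gap, since the SonicWALL's sole match for 192.168.11.10 without the statics is 0.0.0.0/0. Swapping the static routes for a dynamic protocol would change nothing in this picture, which is the point the second answer makes about RIP.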