Since Router 1 is on an outside interface of Router 2, it will not be able to originate traffic to the inside of Router 2. You have configured inside source NAT on Router 2, and this is one-way. Addresses are translated from the inside to the outside. When traffic is originated from the inside, NAT creates a table entry in order for responding traffic to be translated, but it has no table entry for traffic originated from the outside.
Running NAT on links where you are running a routing protocol is a very bad idea.
Edit based on your updated information:
If you need or want the firewall to know about the routes on the other side of Router 2, you will need to somehow get the routes into the firewall's routing table, otherwise any traffic for the unknown networks will be sent toward the default route for the firewall, and that should be the WAN.
A router, including the routing process of your firewall, needs to have a route in its routing table for any network to which it is expected to forward traffic. A default route can be used to encompass all networks, and any more specific routes in the routing table are used. Since your firewall's routing table has no routes to the networks on the other side of Router 2, it will use its default route.
You can configure your firewall to participate in OSPF with your two routers, and that will place those routes in the firewall's routing table. It will also let you originate the default route into OSPF from the firewall, and then you should remove that from the other routers.
The other, less desirable, solution is to manually configure static routes in your firewall for the networks to which it has no direct connection. This doesn't scale, and when you add, remove, or change those networks, you will need to manually change the static routes in the firewall.
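Two points in the answers above lend themselves to a small simulation: the one-way nature of inside source NAT (a translation entry exists only for sessions originated from the inside), and the firewall forwarding traffic for unknown networks to its default route until routes for those networks appear in its table. The following Python is an added illustration, not code from the original post or from any vendor; the topology it uses (firewall LAN 10.0.0.0/24, networks 10.0.1.0/24 and 10.0.2.0/24 behind Router 2, Router 2's outside address 192.0.2.2) and the helper names `lookup`, `InsideSourceNat` and `nat_scenario` are all constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption, not taken from the original post):
#   firewall LAN              10.0.0.0/24   (directly connected)
#   networks behind Router 2  10.0.1.0/24, 10.0.2.0/24
#   Router 2 outside address  192.0.2.2, on the same link as Router 1


def lookup(routing_table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) tuples.

    0.0.0.0/0 matches every destination, so it only wins when no more
    specific route is present; that is why traffic for an unknown network
    ends up on the default route (the WAN, in the question's setup).
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Firewall table as described: a default route plus its connected LAN only.
FIREWALL_ROUTES_BEFORE = [
    ("0.0.0.0/0", "WAN"),
    ("10.0.0.0/24", "directly connected"),
]

# Same table after the Router 2 networks are learned via OSPF or added as statics.
FIREWALL_ROUTES_AFTER = FIREWALL_ROUTES_BEFORE + [
    ("10.0.1.0/24", "Router2"),
    ("10.0.2.0/24", "Router2"),
]


class InsideSourceNat:
    """Minimal model of inside source NAT (overload / PAT style) on Router 2."""

    def __init__(self, outside_addr):
        self.outside_addr = outside_addr
        # (outside_addr, translated_port) -> (inside_addr, inside_port)
        self.table = {}
        self.next_port = 1024  # constructed starting port for translations

    def inside_to_outside(self, src, sport):
        """Inside host originates a flow: rewrite the source and record it."""
        port = self.next_port
        self.next_port += 1
        self.table[(self.outside_addr, port)] = (src, sport)
        return (self.outside_addr, port)

    def outside_to_inside(self, dst, dport):
        """Packet arriving on the outside interface: forward only if a
        translation entry exists, otherwise there is nothing to map it to."""
        return self.table.get((dst, dport))


def nat_scenario():
    nat = InsideSourceNat("192.0.2.2")
    # 1) an inside host (10.0.1.10) originates traffic: entry is created
    translated = nat.inside_to_outside("10.0.1.10", 40000)
    # 2) the reply to the translated address maps back to the inside host
    reply = nat.outside_to_inside(*translated)
    # 3) Router 1 originates a new flow toward Router 2's outside address:
    #    no entry was ever created for it, so it cannot reach the inside
    unsolicited = nat.outside_to_inside("192.0.2.2", 23)
    return translated, reply, unsolicited


if __name__ == "__main__":
    print("before routes:", lookup(FIREWALL_ROUTES_BEFORE, "10.0.1.10"))  # WAN
    print("after routes: ", lookup(FIREWALL_ROUTES_AFTER, "10.0.1.10"))   # Router2
    print("nat scenario: ", nat_scenario())
```

The `lookup` function reproduces the behaviour the answer describes: with only the default route and the connected LAN, a packet for 10.0.1.10 goes to the WAN; once the 10.0.1.0/24 and 10.0.2.0/24 routes are present (whether learned through OSPF or configured statically), the same lookup returns Router 2. The `nat_scenario` function shows the inside-originated flow being translated and its reply mapped back, while the flow originated from the outside finds no entry.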
The requirement is that each router have its own IP address (that's two), and there needs to be a virtual IP address (that makes three). If you are doing this on the public side, you will need three public addresses from your ISP, and that will require a maximum mask length of /29, since /30 will only give you two usable addresses.
I'm not sure what you mean by, "routing these to the switch," since switches don't know anything about IP addresses or routing.
Best Answer
You need to either