If you’re doing SRC and DST NAT on your MT, then in principle you don’t need routing set up on Sophos … because your MT will act the same as if it was the border gateway of your LAN … none of the internet routers know your LAN IP address space. So the second line is not necessary. However, if you want to keep addressing 192.168.3.0/24 from your 192.168.2.0/24 hosts, then NAT won’t help you completely; you’ll have to do something about firewalling on Sophos.