Upon further reading, I think that the 2 VMs cannot communicate because they both sit behind a Port Restricted Cone NAT, which means it's not possible to punch between both NATs? I would need to change the two VM networks to use a simpler full cone NAT, assuming that's possible with iptables.