
RED 15w to DMZ - no access

folks,

 

I have set up a RED 15w in transparent/split (192.168.3.1) mode successfully. Everything is fine.

I can access LAN (192.168.1.0), I can access WAN, etc., but I cannot access DMZ (192.168.2.0).

As the RED is in the LAN zone, the "LAN to DMZ" rule should work (I can access DMZ from LAN), but not from RED.

Is this because the RED 15W does NOT support VLANs? (This is what I have read on the web somewhere.)

Thanks a lot



  • This should not be related to VLANs.

    You are using transparent/split. So did you configure your client/gateway on the RED site correctly? Does the client know he has to use the RED to reach 192.168.2.0?

    https://community.sophos.com/kb/en-us/116573

    Transparent/Split

    In this option, the UTM is not expected to manage the remote network. It will be connected between the remote LAN and the remote LAN’s gateway, and it will expect to receive an address on the remote LAN via DHCP. Similar to the Standard/Split option, only traffic destined for certain networks will be sent down the tunnel. In this case, the RED does not act as the gateway, but since it is in-line with the gateway, it can transparently redirect packets down the tunnel.

    This option requires no reconfiguration of the remote network, but it does not allow any management of the remote LAN. It can only provide security between the remote LAN, and any local subnets which are accessible through the tunnel. Also, in the event that the tunnel should go down, the internet will also go down for any devices behind the RED.

  • As I can access LAN (192.168.1.0), I thought this should be enough routing on the client side.

    Could you please tell me if I have to set up a static route on the client behind the RED?

  • Basically transparent/split is just another "gateway" in your RED network.

    The RED is not the default gateway for your clients there, correct?

    So the client has to know how to reach your DMZ/LAN.

    So let me draw you a picture:

    The RED client (10.0.0.2) uses its gateway (10.0.0.1) for everything when communicating with the internet. There is a RED (10.0.0.3), which can build a tunnel to your XG and DMZ/LAN. So the client needs to know: OK, I have to use the RED IP to reach 192.168.1.0/24. This can be achieved by a static route on the client or on the default gateway.

  • Thanks a lot.

    I have tested the following:

    1. Changed the gateway to the RED IP 10.42.10.10

    No access to DMZ.

    2. Created a rule 192.168.2.0 MASK 255.255.255.0 10.42.10.10

    And finally that worked. Thank you very much.
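The routing decision described in the reply above, and the static route that finally worked, as an added example (not code from the thread or from Sophos): a small longest-prefix-match lookup in Python using the addresses from the reply's picture (site gateway 10.0.0.1, RED 10.0.0.3) and the DMZ 192.168.2.0/24 from the question. The on-link 10.0.0.0/24 prefix, the test destination addresses and the Linux form of the route command are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Addresses from the reply's picture (constructed example): the client sits on
# the remote LAN 10.0.0.0/24, its default gateway is the site router 10.0.0.1,
# and the RED is just another host on that LAN at 10.0.0.3.
CLIENT_LAN = "10.0.0.0/24"
SITE_GATEWAY = "10.0.0.1"
RED_IP = "10.0.0.3"

# A route is (destination prefix, next hop); next hop None means "directly on-link".
Route = Tuple[ipaddress.IPv4Network, Optional[str]]

def client_table(static_routes: Dict[str, str]) -> List[Route]:
    """Build the client's routing table: on-link LAN, a default route to the
    site gateway, plus any static routes (prefix -> next hop) the admin added."""
    table: List[Route] = [
        (ipaddress.ip_network(CLIENT_LAN), None),
        (ipaddress.ip_network("0.0.0.0/0"), SITE_GATEWAY),
    ]
    for prefix, gw in static_routes.items():
        table.append((ipaddress.ip_network(prefix), gw))
    return table

def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as a host's IP stack does it: the most specific
    matching prefix wins, so a /24 static route beats the /0 default."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, gw) for net, gw in table if addr in net]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    net, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return gw

def reaches_tunnel(table: List[Route], dst: str) -> bool:
    """True only if the client hands the packet to the RED, i.e. the next hop is
    the RED's address; anything sent to the site gateway never enters the tunnel."""
    return next_hop(table, dst) == RED_IP

def route_commands(prefix: str, red_ip: str) -> Dict[str, str]:
    """The static route the thread ended up with, in Windows and Linux syntax."""
    net = ipaddress.ip_network(prefix)
    return {
        "windows": f"route add {net.network_address} MASK {net.netmask} {red_ip}",
        "linux": f"ip route add {net.with_prefixlen} via {red_ip}",
    }
```

Without the static route, `next_hop(client_table({}), "192.168.2.10")` returns the site gateway, which is why the DMZ was unreachable; with `{"192.168.2.0/24": RED_IP}` added, the same lookup returns the RED.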