My setup includes 2 x controller / compute nodes. The server sitting on the internal side of the network is in compute node 1, the firewall / NAT node is in compute 2. My host is in the public network, which is learned from the MX gateway.
The fw has 3 interfaces: mgmt, left, right.
With the fw in 'transparent' mode, I can see all the flows and access all addresses where applicable.
If the service is set as 'In-network', I cannot reach any of the addresses; however, the fw can reach all addresses. This also disables the access to any fw service such as NAT.
The purpose of the service is to have a host in the public zone ssh to a server in the internal network.