
nicu
Resolved
0 votes
Hi,

I want to access VM2 (which is part of an internal network) from VM1 (NAT network). I read some articles related to port forwarding but I did not manage to succeed.
I attached the network architecture.
I don't know if it's the right place but maybe you can help with some networking knowledge or to guide me somehow.
Monday, December 24 2018, 12:26 PM
Responses (7)
  • Accepted Answer

    Wednesday, December 26 2018, 03:37 PM - #Permalink
    Resolved
    0 votes
    Glad it is working. If you're making the changes permanent using the Custom Firewall module, please change "iptables" to "$IPTABLES" or at least add the "-w" switch.
  • Accepted Answer

    nicu
    Wednesday, December 26 2018, 01:42 PM - #Permalink
    Resolved
    0 votes
    Thanks a lot. The solution consists in applying:
    1.
    iptables -I FORWARD -s 10.0.7.4 -d 172.16.16.2 -j ACCEPT

    2. Static route on VM1 with destination VM2 and gateway 10.0.7.5
  • Accepted Answer

    Wednesday, December 26 2018, 09:32 AM - #Permalink
    Resolved
    1 votes
    Don't worry about the webconfig for the moment and can you remove the port forwarding rule as well? Instead open the incoming firewall to the Webconfig and use 10.0.7.5 to access it. Then there is no chance of clashing firewall rules.
    Next, get rid of the Custom Firewall rule and do it from the command line so you can check the rules actually go in, but note that if the firewall restarts (e.g. making any changes to the firewall in the webconfig) you will lose your manual rules.

    Start with:
    iptables -I FORWARD -s 10.0.7.4 -d 172.16.16.2 -j ACCEPT
    Check that it goes in correctly. Then run tcpdump on the internal and external ClearOS LAN interfaces. If the packet does not appear on the internal interface then the rule is not working.

    Is VM2 Windows based? If so, please make sure its firewall is either disabled or open to incoming packets from 10.0.7.4. Often it is only open to packets from its own LAN.
  • Accepted Answer

    nicu
    Monday, December 24 2018, 10:14 PM - #Permalink
    Resolved
    0 votes
    I tried your suggestion with postrouting rule and ping from VM1 to VM2 while having tcpdump listening on internal interface. The packets do not reach internal interface.
    Also what I said related to 172.16.16.1 it's something strange. I tried pinging from VM1 to 172.16.16.1 and I can see packets only on external interface, but they don't reach internal interface. Maybe it's some kind of routing made by gateway mode of ClearOS.
    Related to web interface, I made this possible by port forwarding on nat network.
  • Accepted Answer

    Monday, December 24 2018, 08:48 PM - #Permalink
    Resolved
    0 votes
    How can it access 172.16.16.1? That is normally impossible unless you've already done something to specifically enable it. I would more expect VM1 to be able to access the ClearOS Webconfig from the 10.0.7.5 interface.

    If you're going down route 2, can you set up some packet sniffing on the ClearOS internal and external interfaces to see what is happening to the traffic. You could possibly try a POSTROUTING rule at the same time. Something like:
    $IPTABLES -I POSTROUTING -t nat -d 10.0.7.4 -s 172.16.16.2 -j ACCEPT
  • Accepted Answer

    nicu
    Monday, December 24 2018, 08:32 PM - #Permalink
    Resolved
    0 votes
    Thanks for your response. Unfortunately, I tried the second solution because I don't want to use VPN and it does not work.
    I would like to mention that VM1 can access ClearOS interface 172.16.16.1.
  • Accepted Answer

    Monday, December 24 2018, 02:11 PM - #Permalink
    Resolved
    0 votes
    This is not as easy as you may think. In reality, the easiest way may be to install the OpenVPN client in VM1 and use it to connect to the ClearOS gateway, at which point VM1 can access VM2 directly.

    I think the alternative is to set a route in the gateway device for the NAT network, routing 172.16.16.0/24 via 10.0.7.5. At the same time you will need a custom FORWARD rule from 10.0.7.4 to 172.16.16.2, perhaps something like:
    $IPTABLES -I FORWARD -s 10.0.7.4 -d 172.16.16.2 -j ACCEPT
    I am not sure if you need a POSTROUTING rule as well so packets from VM2 don't get NAT'd by ClearOS. The custom FORWARD rule could be more open allowing whole subnet traffic.
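The fix this thread settles on (the FORWARD rule from 10.0.7.4 to 172.16.16.2, run through `$IPTABLES` or with `-w`) can be applied so that a re-run never stacks duplicate rules and never widens to a subnet. This is an added example, not code from any poster or from ClearOS; the function names are hypothetical, and it assumes `$IPTABLES` is set by the Custom Firewall module as the reply above describes.

```shell
#!/bin/sh
# Added example (not from the thread): host-scoped, idempotent FORWARD rule.
# Use $IPTABLES when the Custom Firewall module sets it; otherwise fall back
# to plain iptables with -w so the call waits for the xtables lock.
IPTABLES="${IPTABLES:-iptables -w}"

# Return 0 only for one dotted-quad IPv4 host address (no CIDR, no names),
# so the rule cannot silently widen to a whole subnet.
is_ipv4_host() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into octets
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
}

# Insert "FORWARD -s SRC -d DST -j ACCEPT" unless the same rule is present.
# Returns: 0 inserted, 3 already present, 2 bad address, 1 insert failed.
ensure_forward_accept() {
    is_ipv4_host "$1" && is_ipv4_host "$2" || return 2
    if $IPTABLES -C FORWARD -s "$1" -d "$2" -j ACCEPT 2>/dev/null; then
        return 3
    fi
    $IPTABLES -I FORWARD -s "$1" -d "$2" -j ACCEPT || return 1
}

# Run as "sh script apply" on the gateway (root). Addresses are the thread's:
# VM1 = 10.0.7.4 on the NAT network, VM2 = 172.16.16.2 on the internal LAN.
if [ "${1:-}" = "apply" ]; then
    rc=0
    ensure_forward_accept 10.0.7.4 172.16.16.2 || rc=$?
    case "$rc" in
        0) echo "rule inserted" ;;
        3) echo "rule already present" ;;
        *) echo "rule NOT applied (rc=$rc)" >&2; exit 1 ;;
    esac
    # Packet counters on the rule confirm whether VM1's traffic matches it.
    $IPTABLES -nvL FORWARD | head -n 5
fi
```

The static route on VM1 via 10.0.7.5 is still required; this script covers only the gateway's FORWARD rule.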