I see that there are two routers in Lan01 - one router with intf 192.168.1.254 and another with intf 192.168.1.1. But the machines on Lan01 can only have one gateway IP set and I suspect that it is set to 192.168.1.1. If you did not specify a gateway IP when creating the logical network Lan01, then Neutron will automatically pick .1 (192.168.1.1) to be gateway IP and when DHCP response is sent to the VMs on this network this .1 (192.168.1.1) IP is sent as the gateway IP.
So this is what is most likely happening. When you ping from a machine on Lan02
1. it reaches the router on intf 192.168.2.1 (Lan02) which is set as the default gateway on this machine
2. the router forwards it to the intf 192.168.1.254 (Lan01)
3. from the intf 192.168.1.254 (Lan01) it reaches the machine on Lan01
4. the machine on Lan01 most likely has its default gateway set to 192.168.1.1 and is sending the response back to 192.168.1.1, where it is being dropped as this is a different router which does not have a route to Lan02.
To verify this, on the machine on Lan01 can you print the routing table and see what the default gateway is. If it is a linux instance, then "route -n" command should print the routing table. If my hypothesis is right, then the default gateway should be set to 192.168.1.1.
Actually, I don't think there second router (between Lan02 and Lan01) is needed. The same router that connects Lan01 to EXTNET can be used to connect Lan02 and security group rules on Lan02 can be used to make sure that it does not send/receive traffic directly to/from EXTNET.