In this scenario, I think your best option is a site-to-site VPN between your firewalls allowing the TCP/52311 between relays in both directions; or an IPSec VPN between the two relays directly.
The new “Persistent DMZ Relay” config won’t work because it requires the upstream Relay to establish a persistent connection to the downstream Relay.
The normal “Persistent Connection” config for clients to establish the upstream connection, does not have an effect on Relays themselves.
If there is no downstream connection allowed, Command Polling on the child Relay really is your only option.
PeerNest is only used in file downloads, and reduces your traffic across WAN links by having the clients share downloaded files with each other. The main use is for branch offices or retail outlets that have too few clients to bother with a dedicated Relay at the site, but still want to reduce the WAN bandwidth used.