but in the main network, addresses are issued by DHCP, while virtual machines would like to have static addresses

add to /etc/sysctl.conf :
in the console do:
iptables is not needed if both networks have the same physical gateway

Oh, the experts came running. I'll try to explain in Chainikov's way. The easiest way to solve your problem is to connect virtual machines to the network not using a private subnet behind nat, but using a bridge (bridge), so the network with your virtual machines becomes part of the 192.168.2.0 network, and 192.168.5.0 becomes unnecessary - the virtual machines are assigned addresses from the main network. A more complicated case, if there is a need to separate the subnet with virtual machines (to make it easier to understand, it is better to abstract from the concept of a virtual network, from the point of view of OSI, this is a regular subnet with hosts) from the main network. As you understand, for routing between subnets, there must be some entity that unites two L3 subnets, in your case this entity is your router. In short, it has a separate port for the 192.168.5.0/24 subnet, the port itself is assigned an address from this subnet, for example 192.168.5.1, a hypervisor must be connected to this port, the hypervisor itself is also assigned an address from this subnet, the default gateway for it will be 192.168.5.1. As in the first case, virtual machines are connected to the network through a bridge (we remember, in fact, this is just a switch), addresses are also assigned from 192.168.5.0, and the gateway for them is also 192.168.5.1 - that is, the hypervisor, virtual machines - that's all, from the point of view of the network are separate hosts. After that, everyone is happy, traffic between subnets goes through the router, without strange crutches in the form of port forwarding and other unconventional entertainment. Consider the most difficult case, the hypervisor must be on the same network (192.168.2.0), and the virtual machines on the other (192.168.5.0). VLAN technology will help us with this. A port is also allocated on the router, but it should work in trunk mode (in a tricky way, combining two or more L2 domains within one physical segment), in general, this is still the same second case, only with the vlan interfaces configured as on a hypervisor as well as on the router. As you understand, an ordinary home router will not work for the second and third cases (unless, of course, it has been brought to mind with an alternative openwrt firmware).
Something like this. it would be possible to give more detailed advice if you indicate the model of your router and which hypervisor you are using.

You don't need nat inside kvm. Do it everywhere inside the route, and nat only outside.