I get that using Feistel network we can create a secure PRP from a secure PRF (in 3 rounds according to theorem).
My question is why not just 2 rounds of Feistel network is sufficient. Is it that the output is random enough compared to a truly random string before 3 rounds?
The simple answer is that fewer than 3 rounds can be easily distinguished from a random permutation. The 2-round Luby-Rackoff cipher on $2n$ bits, using random functions $f_i$ mapping $n$ bits to $n$ bits, consists of $$ F(L, R) = (A, B), $$ where $A = L \oplus f_1(R)$ and $B = R \oplus f_2(L \oplus f_1(R))$.
Now consider an attacker that wants to distinguish $F$ from a random permutation. First they send some arbitrary $(L_1, R_1)$ to the oracle, and get back $(A_1, B_1)$.
Next they send $(L_2, R_1)$, which results in $(A_2, B_2)$. Verifying that $A_1 \oplus A_2$ = $L_1 \oplus f_1(R_1) \oplus L_2 \oplus f_1(R_1)$ = $L_1 \oplus L_2$, the attacker is now pretty sure this is the Luby-Rackoff cipher.
What happens at 3 rounds is that no such distinguisher (querying only in the forward direction, of course!) is now possible. The proof relies on showing that collisions on the internal variables $A_i, B_i$ are necessary to mount any distinguisher, and then shows that those collisions are rare, in that you need approximately $2^{n/2}$ oracle queries to obtain one.
It's required for diffusion and achieving the avalanche effect.
The concept of diffusion and the avalanche effect basically means that each input bit should influence each output bit evenly. Changing one input bit should flip, on average, half the output bits.
Due to the nature of the Feistel construction, how it is split up into halves, only one side influences the other at a time.
After just two rounds, the left block has not influenced itself.
Note that achieving full diffusion in the Feistel network is going to require that the prf used on the block provides appropriate diffusion as well.
