The VCD edge firewall only looks at the edge traffic (North/South of one of its networks).
You could use the proxy.
You could also look at creating a vapp with 2 networks, put on VM on each of these networks. Then setup static routing between those networks in the network configuration. I am not sure (but worth a test) this might let the firewall get involved. The only issue I do know of is that this static routing does not seem to exist until created after each deploy.