I hope that I don't complicate things but my intention is to make things more clear.
1.VLANs and IP subnets are in no way linked to each other. ( You can
run as many IP subnets as you want on the very same VLAN, and one IP
subnet can span many different VLANs as long as you connect them to each other)
2. VLAN separates layer 2 traffic (ethernet) and hence also whatever load the ethernet frame is carrying (typically IP-packets).
3.
You can connect layer 2 traffic e.g thru a cable between two switch
access ports (where VLANs are untagged from the ethernet frames) or, as you have
drawn, via a firewall in transparent mode. Other techniques exist.
In
your case there will be no connection between the two VLANs if the
firewall is not there and ther will be no communication what so ever
between the two "HOST" VMs. No ping, no arp, nothing. It seems however
what you're trying to do is not having a transparent firewall but a
traditional routing one. and in that case you should put the VMs on
different IP subnets per above advice and have the firewall with a routing function in
between. The firewall must have an interface with an ip address in
each subnet and that interface must also be connected to the correct
VLAN. The HOST2 VM must have the firewall interface as default
gateway and the HOST VM must have an internet gatway as default
gateway and you must also put a static route from HOST1 to HOST2 for
HOST1 to know where to send traffic to HOST2. A more common, and much
simpler way, would be connecting internet to the FW and having the FW
as default gw for both hosts... like a traditional DMZ.
Please also note that if a sending node, by comparing IP address and mask, comes to the conclusion that is is on the same IP subnet as the target node, it will never try to send anything to the default gateway even if the default gateway happens to be connected to both nodes (there are exceptions to that too but now it's getting way to complex 
)
Good luck!
/R