Have both VM NICs bridged and give them static IP addresses in the different subnets. One "connected" to your router for Internet, and the other to the new local subnet. You will then have to connect the "protected" computer(s) to that subnet as a gateway.
I do similar (not for a firewall) but use a repurposed system running ESXi with an added network card. Works fine.
If your system is very old, you may have to use an older version; the current one is 7.0. We still run 6.5 on an older Dell server (2012?). I think you can still run ESXi free, with restrictions. I also think the trial runs for 60 days.