Welcome to the Community,
you don't want to forward ingress traffic to the ESXi host, but to your virtual firewall in such a case.
One option to achieve your goal would be to use two vSwitches on the ESXi host, one of them as an internal-only vSwitch (no vmnics/uplinks connected).
Connect the Web-Server to the internal-only vSwitch, and the firewall VM (which needs two virtual network adapters) to both of them: the vSwitch with network access (WAN interface) and the internal-only vSwitch (DMZ/LAN interface).
André
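
The layout described in the reply above, as an added example that is not part of the original post: a script for the ESXi shell that creates the internal-only vSwitch and port group, then checks from `esxcli network vswitch standard list` output that the switch really has no uplinks. The names `vSwitch-DMZ` and `DMZ` and the sample listing are assumptions constructed for illustration; the VMs' network adapters are attached to the port groups separately in the host client.

```shell
#!/bin/sh
# Added example. vSwitch/port group names are assumptions, not from the post.
INTERNAL_VSWITCH="vSwitch-DMZ"
INTERNAL_PORTGROUP="DMZ"

# With DRY_RUN=1 (the default) only print the command; set DRY_RUN=0 on the host.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Create the internal-only vSwitch and its port group.
# Deliberately no "uplink add": without a vmnic the switch has no path to the wire.
create_internal_vswitch() {
    run esxcli network vswitch standard add --vswitch-name="$INTERNAL_VSWITCH"
    run esxcli network vswitch standard portgroup add \
        --portgroup-name="$INTERNAL_PORTGROUP" --vswitch-name="$INTERNAL_VSWITCH"
}

# Read a vSwitch listing on stdin and print the Uplinks value of vSwitch $1.
uplinks_of() {
    awk -v sw="$1" '
        /^[^ \t]/ { cur = $0 }          # unindented line starts a vSwitch record
        cur == sw && /^[ \t]+Uplinks:/ {
            sub(/^[ \t]+Uplinks:[ \t]*/, ""); print
        }'
}

# Exit 0 if vSwitch $1 has no uplinks, 1 if it has any, 2 if it is not listed.
is_internal_only() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -qxF -- "$1" || return 2
    [ -z "$(printf '%s\n' "$listing" | uplinks_of "$1")" ]
}

# Constructed sample in the shape of "esxcli network vswitch standard list".
SAMPLE_LISTING='vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0
   Portgroups: VM Network, Management Network

vSwitch-DMZ
   Name: vSwitch-DMZ
   Uplinks:
   Portgroups: DMZ'

create_internal_vswitch
if printf '%s\n' "$SAMPLE_LISTING" | is_internal_only "$INTERNAL_VSWITCH"; then
    echo "$INTERNAL_VSWITCH: internal-only (no uplinks)"
fi
```

On the host, pipe the live listing into the check instead of the sample: `esxcli network vswitch standard list | is_internal_only vSwitch-DMZ`.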