VMware Networking Community
IvarHome
Hot Shot

L2 firewall for Edge bridge?

Hi,

Am I wrong, but I feel something is again missing in NSX. How can I make L2 firewall rules for an Edge bridge (deployed as bridge only)? I see those rules are only for L3.

9 Replies
Sreec
VMware Employee

A few points to be cleared up...

1. The DLR control plane is provided by the DLR Control VM, and the firewall rules are specific to control plane traffic, not to the actual data traffic, irrespective of whether we are using it for bridging or routing.

2. The Edge is a collapsed entity with control and data plane integrated, and we can block both control plane and actual data traffic (based on the deployment type).

3. The NSX DFW excludes both DLR and Edge from firewall protection.

Now I would like to know where we are confused and what you are trying to achieve?

Cheers,
Sree | VCIX-5X | VCAP-5X | vExpert 7x | Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered.
IvarHome
Hot Shot

Sorry, but does DLR mean "Edge bridge"? What is "Control Plane"? The firewall section in the Edge bridge VM, is it L3 or L2? Do you want to say those rules don't apply at all to this Edge itself?

I want to allow VMs in a logical switch to output to the outside world only through the local host. And at L2 level.

IvarHome
Hot Shot

Although I can also block traffic by portgroup (all traffic in the portgroup), then I must have a separate portgroup for every host. Much easier is to use a Mikrotik VM that works as a managed switch; then for all VMs' vNICs I don't need more than one uplink portgroup for the Mikrotik WAN side. And the connections between the Mikrotik and the VMs I can make with local portgroups (without uplink) and edge bridges.

UPLINK <---> distributed portgroup (trunk) <---> Mikrotik WAN ---- Mikrotik switch (pvid, vlan groups, tag/untag output) --- Mikrotik virtual interface (vlan) <----> local switch portgroup (trunk) --- local switch portgroup (vlan related to Mikrotik virtual interface) <---> Edge bridge <---> logical switch <---> VMs' vNICs

sk84
Expert

Maybe you should first read and understand what NSX is, what components exist and what they are used for and how different NSX architectures are built and work. It's hard to compare a traditional network setup and functions with a network virtualization solution that offers new possibilities and concepts.

I think these resources will help you to understand NSX:

NSX Components

NSX Distributed Firewall Deep Dive – Route to Cloud

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmw-nsx-network-virtu...

https://www.vmware.com/pdf/vmware-validated-design-20-reference-architecture-guide.pdf

---
Regards, Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
IvarHome
Hot Shot

So, what components are they? And what possibilities exactly? VMware documentation is crap. VMware even can't connect some Windows question mark with the exact documentation page. When you press the question mark, the VMware main help page opens... too little development even in that area. I have seen this only in amateur software products.

IvarHome
Hot Shot

There are no new possibilities and concepts. VMware can name a dog a wolf, although it still stays a dog. When something is bad design, this doesn't mean it's a new concept or possibility.

sk84
Expert

For someone who seems to know everything better, you ask a lot of questions...

Once again, if you want to understand and use NSX, you will need to look at this solution in detail. That's all I said.

That you haven't done this yet is shown by your repeatedly used expression "edge bridge". There is no "edge bridge". There is an L2 bridge that is part of the Distributed Logical Router (DLR), and there are Edge Services Gateways (ESG), which are separate standalone components. These have nothing to do with each other.

---
Regards, Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
IvarHome
Hot Shot

There are 3 types of firewalls:

1) Global distributed firewall - it has L3 and L2. I found out that it's a half-implemented component. It controls east-west traffic, VM to VM. (I don't need this at all.) But its implementation is comic. I can set very different components in "applied to" and also for source and destination. But it's all only an empty box, without any functionality. Seems like it's only an empty place for future development. Correct software must block all unnecessary choices to make things clear. For example, in CheckPoint you also choose where you want to apply policies, and when you choose the place, the policies are installed exactly to this place, without any question.

2) Logical router or edge bridge - this is a useful component, but the firewall rules don't work at all, no matter what you write there. Why? Because it's a bridge? Top-brand firewalls are all able to control bridge traffic too. For example, Sophos XG can without problems control L2 bridge traffic at L3 level and even route it out from the bridge, although it still stays L2. Mikrotik can control both L2 and L3 traffic.

3) Edge Services Gateway (fully functional firewall) - it's the only place where firewall policies also work in reality. Although they are very primitive rules compared, for example, with Palo Alto or Sophos. They don't even have zones, nor VLANs.

The distributed switch also doesn't have normal switch capabilities, like PVIDs, VLAN groups and tag/untag outputs. That's why I plan to put in a RouterOS VM. It at least allows me to do something useful.

IvarHome
Hot Shot

And L2 firewalling isn't present in either the router or the gateway component. Why does VMware think I'm interested in some cheap L3 firewall that doesn't even have zones and policy routing? L3 is far away from the vSphere environment. From the vSphere environment I expect first just L2 firewalling and normal switching.
