The second option that you used is correct. You need to add four vlan interfaces.
Once you do that, can you ping devices on those vlans? That would be the first thing I would focus on. When you are sure that connectivity is correct, then you can look at the policy. For example, what does the audit say when you try to pass traffic through?
I did create the VLANs and once I did I could not even ping the interface IPs, which I find strange. And I cannot of course ping any IP on any other subnet. I haven't quite figured out how to use the audit functionality but I will work on that.
Here are some screenshots of my setup. It is very basic at this time because I am testing it out.
Is your routing set up correctly outside the firewall? If you try to ping from 192.168.11.10 to 192.168.12.10, does 11.10 know to send this ping to the firewall first? Is the firewall 192.168.11.10's default route?
If so, and the ping goes through the firewall, does 192.168.12.10 know that to talk back to 192.168.11.10 he needs to send the packet back to the firewall's interface in the 192.168.12.0/24 network? Is the firewall 192.168.12.10's default route?
If you set NAT to 'localhost (Host)' on your rules this will take a routing problem out of the equation. If you set the NAT to localhost and this works you can say routing is the problem (routing outside the firewall).
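The routing checks described in this reply (does each host send the ping to the firewall, and does the other side route the answer back through the firewall's interface on its own subnet) can be modelled as a small script. This is an added example, not something posted in the thread; the firewall interface addresses 192.168.11.1 and 192.168.12.1 are assumed placeholders.

```python
# Added example: check that both directions of a cross-subnet ping go via the firewall.
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample topology: host IP -> (prefix length, default gateway or None).
# Firewall VLAN interface addresses are assumed, not taken from the thread.
FW_IFACES: Set[str] = {"192.168.11.1", "192.168.12.1"}
GOOD_HOSTS: Dict[str, Tuple[int, Optional[str]]] = {
    "192.168.11.10": (24, "192.168.11.1"),
    "192.168.12.10": (24, "192.168.12.1"),
}
# Same hosts, but 192.168.12.10 has no default gateway: the reply never reaches the firewall.
BAD_HOSTS: Dict[str, Tuple[int, Optional[str]]] = {
    "192.168.11.10": (24, "192.168.11.1"),
    "192.168.12.10": (24, None),
}


def next_hop(host_ip: str, prefix: int, gateway: Optional[str], dst: str) -> Optional[str]:
    """Where does this host send a packet for dst?

    Returns "direct" if dst is on-link, the gateway address if a usable default
    route exists, or None if the gateway is missing or not on the host's subnet.
    """
    net = ipaddress.ip_interface(f"{host_ip}/{prefix}").network
    if ipaddress.ip_address(dst) in net:
        return "direct"
    if gateway is None or ipaddress.ip_address(gateway) not in net:
        return None
    return gateway


def check_symmetric_path(hosts, fw_ifaces: Set[str], src: str, dst: str) -> List[str]:
    """Return a list of problems; empty means both directions traverse a firewall interface."""
    problems = []
    for a, b, label in ((src, dst, "forward"), (dst, src, "return")):
        prefix, gw = hosts[a]
        hop = next_hop(a, prefix, gw, b)
        if hop is None:
            problems.append(f"{label}: {a} has no usable default route for {b}")
        elif hop == "direct":
            problems.append(f"{label}: {a} treats {b} as on-link, firewall bypassed")
        elif hop not in fw_ifaces:
            problems.append(f"{label}: {a} sends to {hop}, which is not a firewall interface")
    return problems


if __name__ == "__main__":
    print("good:", check_symmetric_path(GOOD_HOSTS, FW_IFACES, "192.168.11.10", "192.168.12.10"))
    print("bad: ", check_symmetric_path(BAD_HOSTS, FW_IFACES, "192.168.11.10", "192.168.12.10"))
```

If the list is empty but pings still fail, the problem is on the firewall itself (interface, zone or policy), which is where the audit output comes in.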
I do not have any routing outside of the firewall. Maybe this is the issue? I was hoping the firewall could route the packets across the VLANs.
The clients have the VLAN interface IP set for the default gateway, so a client would look like this as an example:
I did a real quick layout of the test network:
I took another look at your diagram. Since you are not doing any vlan tagging, it makes the most sense to connect each network to a different port on the firewall. Each port on the firewall would be assigned to a different zone and then you could enforce policy between the zones. The S2008 should have at least 8 ports, so you do have enough ports.
Note: Since your switches are not tagging the traffic, do not use vlans on the firewall.