I have been successfully using a pfSense community edition firewall to protect my home test lab. My local ISP delivers me a subnet of addresses directly so I need to leverage a transparent firewall or "bridge" to protect the lab. After rebuilding a few pieces of the lab I restored my pfSense configuration to a new host/VM and found that no traffic was passing. I did a packet capture and did not see any communication traffic. I thought that *something* must be blocking the traffic before it gets to the pfSense transparent firewall VM. A lightbulb went off in my head back to my VMware architecture days about the 3 security settings you can set on a virtual network switch, promiscuous mode being the easiest to remember. I played with turning these on/off 1 by 1 and found I needed both Promiscuous mode and Forged transmits security turned off (Setting to Accept) for this pfSense transparent firewall VM to operate correctly. Obviously turning these features off does open your ESX Host up to accepting more (possibly malicious) packets, but the ESX host is simply passing the packets along to the VM(s) attached to that Network on the host. You can limit your exposure by only having a single VM on that host's "raw internet" network and a single (same) VM attached to the inside "filtered internet" network. Assuming you trust pfSense to do its job, turning off these features should work for most home use cases.