The problem with your current design is double-NAT - never a good idea. A second NIC in the ESXi host will save you from potential hassles related to that. Well worth the investment.
Unless you have told pfSense that the 172 network is its LAN, you probably just need some rules in pfSense to allow traffic in on that interface so that they can get access to the Internet. Only LAN has an "allow any" rule by default. All others are "deny all" by default.
If you've told pfSense that 172 is the LAN, you're going to have to allow traffic through its WAN interface in order to access your VMs from the PCs in the 192 network. You'll also have to allow traffic from private networks, specifically your 192 network, on its WAN interface.
There are almost certainly other things you'll need to do as well but I can't think of them just now.
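
An added example, not part of the original post and not pfSense's own code: a simplified Python model of the per-interface, first-match, default-deny behaviour described in the answer, run over both layouts it mentions. The subnets 172.16.0.0/24 and 192.168.1.0/24, the host addresses, the interface name OPT1 and the `block_private` flag (standing in for the WAN-side block on private source addresses) are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 ranges that a WAN-side "block private networks" setting drops.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Only LAN ships with an allow-any rule; other interfaces have no rules.
DEFAULT_RULES = {"LAN": [("pass", "0.0.0.0/0")]}

VM = "172.16.0.10"   # constructed VM address on the "172" network
PC = "192.168.1.20"  # constructed PC address on the "192" network


def evaluate(iface, src, rules, block_private=False):
    """Decide a new inbound connection on iface: first matching rule wins."""
    addr = ipaddress.ip_address(src)
    # The private-network block is checked before any user rule.
    if block_private and any(addr in net for net in RFC1918):
        return "block"
    for action, net in rules.get(iface, []):
        if addr in ipaddress.ip_network(net):
            return action
    return "block"  # implicit deny when nothing matched


def scenario_opt():
    """172 network on an extra interface: blocked until a pass rule exists."""
    with_rule = {**DEFAULT_RULES, "OPT1": [("pass", "172.16.0.0/24")]}
    return (evaluate("OPT1", VM, DEFAULT_RULES),
            evaluate("OPT1", VM, with_rule))


def scenario_wan():
    """172 network is LAN: PCs on the 192 network arrive on WAN."""
    # Pass rule scoped to the 192 subnet only, not "any".
    with_rule = {**DEFAULT_RULES, "WAN": [("pass", "192.168.1.0/24")]}
    return (evaluate("WAN", PC, DEFAULT_RULES, block_private=True),
            evaluate("WAN", PC, with_rule, block_private=True),
            evaluate("WAN", PC, with_rule, block_private=False))


if __name__ == "__main__":
    print("OPT1 before/after pass rule:", scenario_opt())
    print("WAN default / rule only / rule + private allowed:", scenario_wan())
```

The middle WAN result shows why a pass rule alone is not enough in the second layout: the private-source block is evaluated first, so both changes are needed.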