Deploying pfSense as a VM in transparent bridge mode
I apologize in advance if this becomes a giant block of text. My setup is AT&T fiber ONT -> BGW-210 (IP passthrough) -> Unifi Dream Machine Pro -> Unifi 24-port switch -> R720 ESXi server (and all other clients on my home network). I have the R720 segregated out on its own VLAN with ACL rules. The Unifi setup has been nice, easy to manage and totally fine for a home network, but I am currently shifting my career toward network engineering and security, and I'm always looking for a reason to try new devices in my home lab. I would like to bring pfSense into the equation so I can learn more about NGFW functionality, but I do not want to purchase another physical device right now, so I figured I'd get it set up as a VM on the server I run 24/7 anyway (Windows Server 2019 domain controller). I have found some documentation on getting the pfSense VM set up, and also a few on transparent bridge mode, but I can't seem to get it set up correctly or even wrap my head around it.
First of all, does it make sense for me to set it up as a VM on the ESXi box with its own WAN uplink to the switch/UDMP and a LAN vSwitch/port group for the VM Network, and then configure it as a transparent bridge (avoiding double NAT)? In this configuration, is there a way for me to place other segments of my home network behind the pfSense bridge, or would its functionality only extend to VMs on the ESXi box?
And if this is not a recommended way to make use of the pfSense in my topology, is there a viable alternative that would keep the UDMP in the mix? I know I am limited by the limitations of the UDMP (can't turn off routing, no bridge mode). Would it be possible to set the pfSense VM up in transparent bridge mode between the BGW-210 and the UDMP?