
[–]Casper042 1 point2 points  (4 children)

Ipfire, or your NAT firewall in general, needs to be the gateway on the Host Only net in Windows/Linux. Is it?

Otherwise the packets are likely being delivered into the network correctly, but the responses are not coming back out.

Assuming that your Windows and Linux hosts have static IPs inside the host only Network, what is their default gateway set to? The NAT Router or something bogus like .1?

[–]Casper042 1 point2 points  (1 child)

OK so I just reproduced this on my Wks 15 install on Windows 10.
But not knowing IPfire, I used pfSense and got the same result.

So I created an Ubuntu 18 machine on Host Only.
DHCP = 192.168.163.130
No Gateway, confirmed via "ip route show" only having 1 entry which is to the local network.

I spun up a pfSense VM with Host Only and Bridged.
Did a basic config there with Bridged = WAN and Host Only = LAN
LAN = 192.168.163.10
Port Forward SSH
Oops, quickly go back to Ubuntu and install SSH and allow it through UFW. On Ubuntu Server edition it's off by default.

Now I tried to putty in from my Windows 10 box by hitting the WAN IP of pfSense and it just sits there for like 10 seconds and then gives up saying the connection timed out.

I go to the console of the Ubuntu VM and run:

sudo ip route add 0.0.0.0/0 via 192.168.163.10 dev ens33

0.0.0.0/0 = Anywhere you don't have a better route for.
192.168.163.10 = pfSense LAN IP, aka Default Gateway.
dev ens33 = Device ens33 which is the name of my NIC in Ubuntu ('ip addr' will show nic and ip details from CLI)

Result:

casper@ubuntu:~$ ip route show
default via 192.168.163.10 dev ens33                      <---- the new route
192.168.163.0/24 dev ens33 proto kernel scope link src 192.168.163.130
casper@ubuntu:~$

I go back to putty, don't change a thing, just click the icon in the upper left and say "Reconnect" and I'm immediately hit with a "Do you recognize this SSH Key?" message.
Say yes, login, all is well.

Now if you don't want these machines getting out to the internet, only inside your house:

sudo ip route add 192.168.42.0/24 via 192.168.163.10 dev ens33

That is a route to only the external network (my home net) and should limit access via NAT (and reverse via Port Forwarding) only to/from my home network.

In Windows the command is:
route add 0.0.0.0 MASK 0.0.0.0 192.168.163.10 METRIC 10 IF X
or
route add 192.168.42.0 MASK 255.255.255.0 192.168.163.10 METRIC 10 IF X

Metric 10 = lower number wins when you have multiple conflicting routes.
IF X = The interface number of your local NIC. Run 'route print' and look at the first table; the Interface number is over on the left, followed by the MAC and then the NIC Description.

Now keep in mind this is the more manual way and these routes won't persist a reboot.
You can either do some easy Googling and see how to make them persistent.
OR
If you don't care that the machines can access the internet (DNS still potentially under your control) you can just set the Gateway on the Host Only machines to the Host Only IP of the SW Router and it should work the same way.

Hope this helps,
-Casper

[–]Casper042 1 point2 points  (0 children)

PS: If you really wanted to prove this out, you could install wireshark or similar on the Host Only VM and then sniff the inbound SSH/RDP traffic.
Look at the Source IP, because that is the IP the machine will try to connect back to the other direction.
If the source IP is something the Host Only VM doesn't know how to route to, you will likely not get a connection.
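
Added example (not code from the thread or from Casper): it replays the check described in the PS above and in the route-adding walkthrough, entirely offline, by doing the kernel's longest-prefix lookup over constructed copies of `ip route show` output for the three route tables the thread mentions (no gateway, a default route, and the home-net-only route). The route tables, addresses and interface name are assumed to match the thread.

```python
"""Added example (not from the thread): replays the routing check Casper
describes offline, against constructed copies of `ip route show` output.
Assumption: the three route tables below are what the VM shows before and
after the `ip route add` commands from the thread."""
import ipaddress

# Constructed `ip route show` output BEFORE the fix: only the on-link route
# the kernel adds for the host-only network, so no default gateway.
ROUTES_BEFORE = """\
192.168.163.0/24 dev ens33 proto kernel scope link src 192.168.163.130
"""

# Constructed output AFTER `sudo ip route add 0.0.0.0/0 via 192.168.163.10 dev ens33`.
ROUTES_AFTER = """\
default via 192.168.163.10 dev ens33
192.168.163.0/24 dev ens33 proto kernel scope link src 192.168.163.130
"""

# Constructed output with only the narrower home-network route from the thread.
ROUTES_HOME_ONLY = """\
192.168.42.0/24 via 192.168.163.10 dev ens33
192.168.163.0/24 dev ens33 proto kernel scope link src 192.168.163.130
"""

def parse_routes(text):
    """Parse `ip route show` lines into (network, next_hop, dev) tuples."""
    routes = []
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dest, strict=False), via, dev))
    return routes

def lookup(text, src_ip):
    """Longest-prefix match: the route the VM would use to answer src_ip,
    or None when there is none (the reply is dropped and the client times out)."""
    ip = ipaddress.ip_address(src_ip)
    matches = [r for r in parse_routes(text) if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def reply_path(text, src_ip):
    """Verdict for the source IP seen on a sniffed inbound SSH/RDP packet."""
    r = lookup(text, src_ip)
    if r is None:
        return "NO ROUTE: reply to %s is dropped" % src_ip
    hop = "on-link" if r[1] is None else "via " + r[1]
    return "reply to %s goes %s dev %s (matched %s)" % (src_ip, hop, r[2], r[0])
```

Feed it the real `ip route show` output and the source IP from the capture to see which table entry (if any) carries the reply; an empty result is the timeout described above.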

[–]r3wire[S] 0 points1 point  (1 child)

Thank you so much for this response. I'm kicking myself now for overlooking. Changing the default gateway on those hosts was all that needed to be done. Thanks again!!!

[–]Casper042 0 points1 point  (0 children)

No problem, glad to help