If the firewall is turned off on the vApp Internal Network and the VM's OS, it should be all or nothing. I've had this exact issue a couple of times and it always came back to having the VLANs added to the ports on the physical network switch and the Network Pool. It must be 2 different VLAN IDs for the external network traffic and the Network Pool traffic.
What type of Network Pool are you using (Network Isolation, VXLAN, etc.)? If Network Isolation, what VLAN ID is it set up to run on? What VLAN ID(s) does your external network run on? Both of these VLANs have to be available on the physical switch ports your DVS Switchport NICs are connected to.
We use the same setup. We use the Network Isolation backed Network Pool and direct connect it to the External Network.
-Eric