Two questions re. CrowdSec configuration

[tangofan]

I am currently in the process of configuring my first OPNSense bare metal system, which - once completed - will replace my current router, an Arista Untangle NGFW system in my home.

The only WAN port I will have open will be for an incoming remote Wireguard connection, so I can log into my home network, when on the road. I have configured GeoIP to block incoming remote connection attempts from most countries and I have also installed CrowdSec to block connection attempts from (and to) rogue IPs.

Re. the latter (CrowdSec) I have two questions:

1. CrowdSec (and various other tutorials) suggest that - in addition to the automatically generated rules for incoming connection attemps -  one should also manually create outgoing (in) rules on the LAN interface to block connection attempts from malware that is already inside our home network to remote servers.

Do I need to create such rules only on the physical interface (LAN, OPT1, OPT2, etc) or also on the virtual intefaces (e.g. VLANs and VPNs)?

I am asking because the documentation for ZenArmor states to only select physical interfaces for monitoring, since that will include monitoring on all associated virtual interfaces as well. I don't know, if the same logic would apply to CrowdSec as well.

2. After signing up and registering my unit on the CrowdSec website I saw that I can subscribe to 3 free 3rd party blocklists.  At the moment I am not quite sure which ones are best for my use-case (only port open is for Wireguard).

For now I subscribed to the "Firehol cruzit.com" list and the "Firehold cybercrime tracker" list. Perhaps the "Firehold SSL proxies" list would make sense as well (to counter circumvention of GeoIP and other block lists)?
I'm not sure at all, so I'd appreciate any advice on this matter, even if it's just to make sure that I'm asking the right questions, when picking a blocklist.

Thank you very much in advance for your advice and help.