Messages - crc

#1
Generally speaking (not specific to OPNsense, @Vilhonator pointed to the OPNsense-specific configuration manual entry) - when you're running public-facing services, you want to also take into consideration what's leaving your server (as a best practice, and as part of the defense-in-depth strategy). Sometimes, and for specific scenarios, a drop-all on both the ingress and egress sides (while allowing only necessary inbound and outbound connections) is the best strategy, although it takes time and patience to configure correctly (and even so it might not protect you against data exfiltration via protocols that are not blocked, such as DNS). If you have an exposed web service, perhaps a WAF of some sort (ModSecurity, Coraza, or the more expensive commercial ones) would help in addition to a firewall.
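To make the "drop-all on both sides with explicit exceptions" idea concrete, here is an added example in pf syntax (the packet filter OPNsense is built on); it is not the poster's configuration and not something OPNsense ships, and on OPNsense itself you would express the same policy as rules in the web interface rather than by hand-editing pf.conf. The interface name, the server address and the resolver address are assumptions made up for the example.

```pf
# Added example, not from the forum post. Interface and addresses are constructed.
ext_if  = "vtnet0"        # assumed: the interface facing the Internet
web_srv = "192.0.2.10"    # constructed: the exposed web server
dns_srv = "192.0.2.53"    # constructed: the only resolver the server may talk to

set skip on lo0
set block-policy drop     # silently drop instead of sending RST/ICMP back

# Default deny in BOTH directions. Every rule below is an explicit exception,
# and "log" on the block rules is what lets you see what was refused.
block in  log all
block out log all

# Ingress: only the web service is reachable from outside.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } keep state

# Egress: only what the server needs in order to function.
pass out on $ext_if proto { tcp, udp } from $web_srv to $dns_srv port 53  keep state  # DNS, pinned to one resolver
pass out on $ext_if proto udp          from $web_srv to any      port 123 keep state  # NTP
pass out on $ext_if proto tcp          from $web_srv to any      port { 80, 443 } keep state  # package updates

# The caveat from the post still applies: port 53 is open outbound, so this
# ruleset does not stop exfiltration over DNS. Pinning egress DNS to a resolver
# you control and watching query volume and name length there is what narrows
# that channel; the firewall alone cannot close it without breaking resolution.
```

The point of pinning DNS to `$dns_srv` rather than `any` is that it turns "DNS is allowed" into "DNS is allowed through one chokepoint you can log", which is the usual first step towards detecting the tunnelling the post warns about.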
#2
As other people have mentioned, it's hard to guess without knowing your exact configuration and topology. Can you share with us a network diagram and/or screenshots of the current configuration (sans sensitive information, of course)? Having a router behind a firewall does not necessarily mean that you have to NAT something on the firewall itself, so you can avoid double NAT if the ONT is in bridge mode as you stated.

Conversely, you might want the OPNsense firewall to also act as the main router and set up the Google mesh in AP/bridge mode. This would entail configuring the client side (PPPoE client, DHCP client, static IP, whatever your provider offers) on the OPNsense device. I've successfully had TP-Link Decos behind an OPNsense firewall sitting on an industrial 4-port Ethernet mini-PC and it worked perfectly.