
New Member
•
9 Messages
BGW-320 devices with static IPs
Hello,
So, due to issues I'm having with port forwarding to my Plex Media Server when using IP Passthrough, I've decided to try assigning the container running PMS an AT&T-provided static IP. Here is my configuration:
<<INTERNET>> ------ <<BGW-320>> ------ <<OPNsense firewall>>----<<cisco managed switch>>----<<LAN DEVICES>>
With IP Passthrough, OPNsense gets the first routable public IP of my /29 (that normally would be attached to the BGW-320). My question is: if I wanted my Synology (which runs my Docker containers) to have the next static IP, I was planning on assigning the IP to one of the spare network adapters on the unit and connecting that to my Cisco switch (setting this up so that the traffic goes through the OPNsense). But I'm thinking that I may need to connect this directly to the 320?
Can I just connect this to the switch and in the Synology just configure the gateway to be my AT&T gateway IP instead of the OPNsense box (which is what everything on my LAN uses)?
My concern with a direct run to the 320 is that this port would then not have any firewall protection on it. If I do add a second static IP device, can I still run the 320 in IP Passthrough, or do I need to make any changes to it?
Accepted Solution
Official Solution
JefferMC
ACE - Expert
•
33.1K Messages
2 years ago
If you're trying to pass your DYNAMIC Public IP address through, then IP Passthrough is the right thing to do. But once you start mixing the Public Static block into the picture, you usually want to turn it off, because it changes the LAN IP of the "cascaded" router to the Dynamic Public IP, and that complicates (really prevents) your efforts to set it up with a Static Public IP.
You should have been able to get rid of Double NAT without Public Static; not sure why you didn't. I have a BGW Gateway, with a router behind it, and a Plex server on that and it all works fine without double-NAT. But that's neither here nor there now; you want to get a Public Static working.
So, set up the Public Static block in the Gateway (Public Subnet section of Home Network > Subnets & DHCP). Do not play in the Cascaded Router section. Turn off IP Passthrough. Manually configure your router to have a WAN address of whichever of the 5 usable Public IP addresses you've chosen, with a subnet mask of 255.255.255.248 and a default gateway of the router address for your subnet (the 6th one in the block); the Gateway will be listening on this address as a result of the Public Subnet setup.
0
0
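An added example, not part of the original posts: a small check of a router's manual WAN settings against the addressing the accepted answer describes. The block `203.0.113.8/29` is a constructed documentation range, the function names are hypothetical, and the code assumes the Gateway's address is the last usable host (the 6th in a /29, as the answer states).

```python
import ipaddress

def static_block_plan(cidr):
    """Split a public static block into assignable hosts and the Gateway's address."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects a misaligned block
    hosts = list(net.hosts())
    return {
        "netmask": net.netmask,
        "gateway": hosts[-1],        # assumption: last usable host (6th in a /29)
        "assignable": hosts[:-1],    # the 5 usable addresses of a /29
        "reserved": {net.network_address, net.broadcast_address},
    }

def check_wan_config(cidr, wan_ip, netmask, default_gw):
    """Return a list of problems with the router's static WAN settings."""
    plan = static_block_plan(cidr)
    wan = ipaddress.ip_address(wan_ip)
    problems = []
    if ipaddress.ip_address(netmask) != plan["netmask"]:
        problems.append(f"netmask should be {plan['netmask']}")
    if ipaddress.ip_address(default_gw) != plan["gateway"]:
        problems.append(f"default gateway should be {plan['gateway']}")
    if wan == plan["gateway"]:
        problems.append("WAN address collides with the Gateway's own address")
    elif wan in plan["reserved"]:
        problems.append("WAN address is the network or broadcast address")
    elif wan not in plan["assignable"]:
        problems.append("WAN address is outside the static block")
    return problems

if __name__ == "__main__":
    BLOCK = "203.0.113.8/29"  # constructed sample block, not a real assignment
    plan = static_block_plan(BLOCK)
    print("assignable:", ", ".join(str(a) for a in plan["assignable"]))
    print("gateway:   ", plan["gateway"], "netmask:", plan["netmask"])
    # A correct configuration, then one with three mistakes.
    print(check_wan_config(BLOCK, "203.0.113.9", "255.255.255.248", "203.0.113.14"))
    print(check_wan_config(BLOCK, "203.0.113.14", "255.255.255.0", "203.0.113.1"))
```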
JefferMC
ACE - Expert
•
33.1K Messages
2 years ago
IP Passthrough shouldn't be doing that.
What issues did you have that led you to the $15/month sledgehammer of the public static block?
Once you start throwing containers into this mix, I'm not sure how to guide you. My recommendation on public statics is to manually assign them on the device's interface.
You could turn off IP Passthrough and just give the OPNsense a public address and do NAT/Port Forwarding behind it (if for some reason that would be better than IP Passthrough... maybe if I understood why you're going the public static route I'd understand).
rafael_diaz
New Member
•
9 Messages
2 years ago
I was under the impression that if you did not want to use the 320 as your router you needed to be in bridge mode or IP Passthrough (I do not use the 320's routing or wifi features). The 320 doesn't seem to have a transparent bridge mode, so I went with IP Passthrough. I thought what that did was take the 320 WAN IP address and "give it" to the selected LAN device (by MAC address), in this case the OPNsense fw/router (which is my gateway device on my network).
Before I purchased the dedicated IPs I was getting a double NAT no matter what I tried (OPNsense, PA-220 or Unifi USG). Then static IPs are cheap and I don't have to worry about my DDNS not getting updated for some reason.
All I really want to do is keep using my OPNsense fw and assign one of my 4 remaining static IPs to my Plex server (it can be virtual or bare metal as I can use a dedicated box). But it seems like I would have to bypass my OPNsense router and connect the Plex server directly to the 320.
(edited)
rafael_diaz
New Member
•
9 Messages
2 years ago
@JefferMC
Thank you! I'm going to give that a try and report back.
rafael_diaz
New Member
•
9 Messages
2 years ago
OK, not sure what is going on, but once I turned off passthrough I have internet if I'm connected directly to the 320 but nothing from OPNsense (and I tried my Orbi as the router). I tried it with allow inbound traffic off (was the default) and on. Here are my settings in the 320:
I set up the WAN interface on OPNsense like this:
rafael_diaz
New Member
•
9 Messages
2 years ago
Switched back to passthrough and internet is back up and running. Going to have to take my time with this and see (Edited per community guidelines) is going on.
(edited)
rafael_diaz
New Member
•
9 Messages
2 years ago
Tried this one more time and it's working. IP Passthrough is turned off (allocation mode = off), no public subnet, and my OPNsense is just using one of the static block addresses. Thank you! Now to figure out why remote access into my Plex isn't working.
JefferMC
ACE - Expert
•
33.1K Messages
2 years ago
Don't forget to set up Port Forwarding in your router, since right now you're using a private IP behind it for the Plex (right)?