TL;DR: Probably not very important, but possibly vitally important. Somewhere in that range! The probably correct simple answer is that nothing is getting through that you haven’t set up port forwarding for; the long answer is not as simple.
Just to make sure we’re all talking about the same thing, you have a box (possibly called an ONT) that connects to the incoming fiber optic connection, and it has various outgoing ports on it. The one concerning us is the ethernet port. Previously you had your Verizon router connected to that ethernet port. You then had your Orbi base unit connected to the router.
The router died, so you connected the Orbi base unit directly to the ONT, and everything kept working.
Where have you set up the port forwarding for your VPN? Or have you not set up port forwarding for the VPN because your server is getting a routed IPv4 address and is directly on the internet?
If you set up the port forwarding in the Orbi, then it is acting as a router. If it is doing NAT (real IPv4 address on the outside, private IPv4 addresses at home), then having a firewall is not terribly useful.
Your routable IPv4 address (what you see when you go to https://ipv4.icanhazip.com/) is being bombarded with connections on port 22. If you have port forwarding set up for 22, then those connections are passed along, and it’s up to your computer to deal with it. If you don’t have port forwarding set up on 22, then nothing happens to those packets (assuming the Orbi itself isn’t responding). So whether firewall or not, nothing is getting through that you haven’t configured to be forwarded.
The worst case is that instead of any kind of routing, Verizon is just handing off multiple routable IP addresses to you. I can’t imagine this is the case, but dumber things have happened.
An in-the-middle case is that instead of forwarding just your VPN port, you’re forwarding everything. Then any incoming connections are handed to your computer to deal with. Of course, your computer needs to have something listening on (as per the example) port 22, or it will just drop the packets.
Either of the two previous examples could be real bad if you have, for example, internal-only services, like file sharing, set up that are now accessible to the whole internet. That is probably not the case, and is almost definitely not the case if you are behind NAT.
This can be complicated if you also have IPv6 (do you see anything at https://ipv6.icanhazip.com/?). If so, and you have no firewall on the router, then it is possible that someone could connect directly to your computers over IPv6. The IPv6 address space is too large for brute force scanning, but any IPv6 host you connect to will know your current address, so could potentially scan your computer to see what services are running.
Defense in depth says that you should be running firewalls on all of your computers, anyway. Don’t run any services you don’t want. If some of those services are for LAN use only, then you should have a firewall on that computer which restricts connections to just your LAN. As long as your router is configured properly, that firewall may never be triggered, but if your router is not correct…
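To see which services a host firewall would actually need to cover, the listening sockets on each computer can be sorted by the address they are bound to. The following is an added example, not part of the original post; it assumes a Linux host where `ss -tlnH` is available, and the sample output embedded in it is constructed.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, numeric, no header).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 4096 192.168.1.10:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def classify(local):
    """Return (exposure, port) for one 'Local Address:Port' field."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    port = int(port)
    if host == "*":                        # some ss versions print the wildcard as *
        return "all-interfaces", port
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:                # 0.0.0.0 or ::
        return "all-interfaces", port
    if addr.is_loopback:
        return "loopback-only", port
    return ("lan-address" if addr.is_private else "public-address"), port

def audit(ss_output):
    """Group listening ports by how widely their bind address is reachable."""
    findings = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        exposure, port = classify(fields[3])
        findings.setdefault(exposure, set()).add(port)
    return findings

def exposed_ports(ss_output):
    """Ports that answer on every interface or on a routable address."""
    f = audit(ss_output)
    return sorted(f.get("all-interfaces", set()) | f.get("public-address", set()))

if __name__ == "__main__":
    for exposure, ports in sorted(audit(SAMPLE_SS).items()):
        print(f"{exposure:15} {sorted(ports)}")
```

Ports in the `all-interfaces` group (22 and 445 in the sample) are the ones that become reachable if the router forwards everything or passes IPv6 unfiltered, so they are the ones a per-host firewall rule limiting connections to the LAN should cover.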