Ah OK, I was 90% there, but it's the Firewall/NAT Group I didn't have.
I'm not sure which IP address I'm supposed to put in there.
In the Allow ICMP rule, I put the 192.168.2.x variant (as opposed to 192.168.1.x), as 2.x is the IP range of the VLAN that is being restricted.