There might be a different way to solve the problem. That is to enable the “masquerade” flag on the “internal” firewall zone by running something like this:
firewall-cmd --zone=internal --add-masquerade
firewall-cmd --zone=internal --add-masquerade --permanent
However, I have not evaluated the (security) consequences of doing this. In your particular case, this may not be bad as you have a single network interface. I have also not tested it.