You need to also open the ports for http and https internally.
Code:
firewall-cmd --permanent --zone internal --add-service=http
firewall-cmd --permanent --zone internal --add-service=https
firewall-cmd --reload
run as root or with sudo privileges.
Edit:. I'm sure there is also a way to forward http(s) traffic to your internal network to public interface using rich rules, but the above is much less complicated.
You can also enable masquerading but that is dependent on what kind of device/firewall/security you wish to implement.