Cant keep interfaces in assigned zones, Centos7

I also have this problem recently but I was able to add access to http and https services. But I had the problem of ssh services limiting to a source address. This is my work around.

First Add the interface to the public zone then

sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --add-rich-rule='rule family="ipv4" source address="x.x.x.x" service name="ssh" log prefix="ssh" level="info" accept'
sudo firewall-cmd --reload

The source address can be a range, just specify the subnet

Since ssh wasn't added for the public zone, it will be blocked by default. The rich rule will enable it for only that source ip/range.

Any better solution please add.

I answered it on my question at

Using Firewall-cmd to create address specific restrictions in centos 7

I don't see in your configuration where you set the masquerade option for your external interface.

firewall-cmd --zone=external --add-masquerade --permanent

This is what worked for me when I started playing with the infamous firewalld