This post lists the steps to configure firewalld to allow such a situation:
Opening the link will show it formatted better than the above quoted text. Just make sure to substitute the correct network card for the internal and external zones: the internal zone is the one that has the 172 address, and the external zone is the one that has the 192 WAN address.
Changing the target to accept allows all traffic. Otherwise, leave the default target, and just add the services that you want to allow through, e.g. http, dns.
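
The zone assignment and the two target choices described above, as an added example that is not part of the original post: the function prints the `firewall-cmd` calls for review instead of running them. The interface names `eth1`/`eth0`, the function names, and the service list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): prints the firewall-cmd calls
# for the internal/external zone layout, so they can be reviewed before use.
# Interface names and services are assumptions passed in by the caller.

valid_name() {
    # Accept only plain interface/service names; reject empty or odd input.
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# plan_zones INTERNAL_IF EXTERNAL_IF MODE [SERVICE...]
#   MODE=services  keep the default target, allow only the listed services
#   MODE=accept    set the internal zone target to ACCEPT (all traffic)
plan_zones() {
    [ $# -ge 3 ] || { echo "usage: plan_zones INT_IF EXT_IF services|accept [SERVICE...]" >&2; return 2; }
    int_if=$1; ext_if=$2; mode=$3; shift 3
    valid_name "$int_if" && valid_name "$ext_if" || { echo "bad interface name" >&2; return 2; }
    [ "$int_if" != "$ext_if" ] || { echo "zones need different interfaces" >&2; return 2; }

    case $mode in
        accept)
            [ $# -eq 0 ] || { echo "services are redundant with ACCEPT" >&2; return 2; } ;;
        services)
            [ $# -gt 0 ] || { echo "list at least one service" >&2; return 2; }
            for svc in "$@"; do
                valid_name "$svc" || { echo "bad service name: $svc" >&2; return 2; }
            done ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac

    echo "firewall-cmd --permanent --zone=internal --change-interface=$int_if"
    echo "firewall-cmd --permanent --zone=external --change-interface=$ext_if"
    if [ "$mode" = accept ]; then
        echo "firewall-cmd --permanent --zone=internal --set-target=ACCEPT"
    else
        for svc in "$@"; do
            echo "firewall-cmd --permanent --zone=internal --add-service=$svc"
        done
    fi
    echo "firewall-cmd --reload"
}

# Constructed sample: eth1 holds the 172 address, eth0 the 192 WAN address.
plan_zones eth1 eth0 services http dns
```

After checking the printed commands, they can be run as root; `firewall-cmd --list-all --zone=internal` then shows the resulting target and services.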