[CentOS] NetworkManager vs. Firewalld vs. /etc/sysconfig/network-scripts/ifcfg-*****

Mike

1100100 at gmail.com
Mon Jan 16 21:58:23 UTC 2017


I've made 3 CentOS 7 installation attempts to configure a simple
firewall/router box with 2 nics.
I got myself into a circular scenario where NetworkManager and
firewalld and /etc/sysconfig/network-scripts/ifcfg-***** were
interfering with or overwriting each other.

I needed to perform ifdown enp3s7 on the internal LAN nic in order to
make the external internet nic enp2s0 reach websites and ping nameservers.
After completing firewall-cmd --complete-reload, the internal LAN nic
would still provide private IP addresses via the dhcpd server, but LAN
clients could not access the internet.


So far these steps work to enable both nics to provide router and
firewall services:

1. systemctl stop NetworkManager

2. systemctl disable NetworkManager

3. Create a dhcp ifcfg-***** file for the external interface. It must include a
“ZONE=external” statement, even though the firewalld service will overwrite
it and erase it, leaving “ZONE=”.
Example (external/internet nic):
Code:

TYPE=Ethernet
BOOTPROTO=dhcp
# keep NetworkManager away from this interface; the legacy network service owns it
NM_CONTROLLED=no
# the DHCP lease on this nic supplies the box's default route
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp2s0
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
DEVICE=enp2s0
ONBOOT=yes
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
# firewalld zone for this interface
ZONE=external

4. Create static ip address ifcfg-enp3s7 for internal interface.
Example (internal/LAN nic):
Code:

TYPE=Ethernet
BOOTPROTO=static
# keep NetworkManager away from this interface; the legacy network service owns it
NM_CONTROLLED=no
# DEFROUTE=yes together with GATEWAY below lets this nic install a default
# route that competes with the DHCP default route on enp2s0
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp3s7
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
DEVICE=enp3s7
ONBOOT=yes
HWADDR=xx:xx:xx:xx:xx:xx
DNS1=75.75.75.75
DNS2=75.75.76.76
IPADDR=10.10.1.1
NETMASK=255.255.255.0
PREFIX=24
# note: this is the box's own address on the LAN side, not an upstream router
GATEWAY=10.10.1.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
# firewalld zone for this interface
ZONE=internal

5. As said in #3, firewalld will erase the ZONE setting on the
external nic configured for dhcp.
The only way I've found to deal with this overwriting is to associate the
intended external ethernet device with the default zone in
firewalld. When firewalld reads the empty zone reference "ZONE=____",
it will revert to the default zone, which I set like this ---
Code:

firewall-cmd --change-interface=enp2s0 --zone=external --permanent
firewall-cmd --set-default-zone=external
firewall-cmd --complete-reload

6. The external ethernet device won’t work (cannot ping any internet
host) until you manually deactivate it and then reactivate it.
~# ifdown enp2s0
~# ifup enp2s0

I didn't include my dhcpd server settings or firewalld settings for brevity.
Please let me know if those would be helpful.

Although the steps above work, it's definitely not ideal.
If I need to reboot the routerbox remotely, I won't be able to access
it again to perform the necessary ifdown/ifup routine to enable
input/output/forward through the external interface.
Any guidance on how to make this work is greatly appreciated.
Kind regards.
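The six steps above, collected into one script as an added example (this is editor-supplied code, not the poster's or the CentOS project's). It assumes the same device names and LAN address as the post (enp2s0 on DHCP, enp3s7 on 10.10.1.1/24), disables IPv6 on both interfaces for brevity, and deliberately departs from the post in one place: the LAN ifcfg gets DEFROUTE=no and no GATEWAY, so only the DHCP lease on the WAN nic can install a default route. The script name router-setup.sh and the IFCFG_DIR override are hypothetical; the read-back check exists so that the blank "ZONE=" the post describes is reported instead of silently dropping the WAN interface into the default zone.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the two ifcfg files
# for a CentOS 7 two-NIC router, binds them to firewalld zones, and reads the
# ZONE= value back so a wiped "ZONE=" is caught rather than silently landing
# the WAN interface in the default zone.
# Assumptions (hypothetical, taken from the post): WAN=enp2s0 (DHCP),
# LAN=enp3s7 (10.10.1.1/24). Set IFCFG_DIR to a scratch directory for a dry run.

IFCFG_DIR="${IFCFG_DIR:-/etc/sysconfig/network-scripts}"

# write_external DEV: DHCP on the WAN side, bound to the external zone.
write_external() {
    dev="$1"
    cat > "$IFCFG_DIR/ifcfg-$dev" <<EOF
# generated by router-setup.sh (example script, not an upstream file)
TYPE=Ethernet
DEVICE=$dev
NAME=$dev
BOOTPROTO=dhcp
ONBOOT=yes
NM_CONTROLLED=no
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV6INIT=no
ZONE=external
EOF
}

# write_internal DEV ADDR PREFIX: static LAN side, bound to the internal zone.
# DEFROUTE=no and no GATEWAY: the LAN nic must not compete with the DHCP
# default route on the WAN nic (this differs from the post's config).
write_internal() {
    dev="$1" addr="$2" prefix="$3"
    cat > "$IFCFG_DIR/ifcfg-$dev" <<EOF
# generated by router-setup.sh (example script, not an upstream file)
TYPE=Ethernet
DEVICE=$dev
NAME=$dev
BOOTPROTO=static
ONBOOT=yes
NM_CONTROLLED=no
DEFROUTE=no
IPADDR=$addr
PREFIX=$prefix
IPV6INIT=no
ZONE=internal
EOF
}

# ifcfg_get FILE KEY: print the last value of KEY ("" if unset or blank).
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_zone DEV EXPECTED: succeed only if ifcfg-DEV still carries ZONE=EXPECTED.
check_zone() {
    [ "$(ifcfg_get "$IFCFG_DIR/ifcfg-$1" ZONE)" = "$2" ]
}

# apply_firewalld WAN LAN: bind both interfaces permanently, reload, then
# re-read the ifcfg files, which firewalld may have rewritten on the way.
apply_firewalld() {
    wan="$1" lan="$2"
    firewall-cmd --permanent --zone=external --change-interface="$wan"
    firewall-cmd --permanent --zone=internal --change-interface="$lan"
    # the stock external zone already masquerades; keeping it explicit documents intent
    firewall-cmd --permanent --zone=external --add-masquerade
    firewall-cmd --reload
    sysctl -w net.ipv4.ip_forward=1
    for pair in "$wan:external" "$lan:internal"; do
        dev="${pair%%:*}" zone="${pair##*:}"
        check_zone "$dev" "$zone" ||
            echo "WARNING: ifcfg-$dev lost ZONE=$zone; rerun --change-interface" >&2
        echo "$dev runtime zone: $(firewall-cmd --get-zone-of-interface="$dev")"
    done
}

# Usage (as root, on the router, with NetworkManager already stopped and disabled):
#   ./router-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    write_external enp2s0
    write_internal enp3s7 10.10.1.1 24
    apply_firewalld enp2s0 enp3s7
fi
```

Because each interface is bound to its zone by name, the default zone does not have to be "external" for the WAN nic to end up there; it can stay on something restrictive, so an unexpected interface is not masqueraded by accident. After running the script, a reboot followed by `firewall-cmd --get-active-zones` confirms that both bindings survive without the manual ifdown/ifup.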


