This had been working until about June 5. But I was getting ready for major surgery and didn't pursue then.

I have 3 systems. 2 HW, 1VM. The 2 HW systems are connected via Wifi. Below the VM is on the right.

192.168.122.152<---- > 192.168.122.1/192.168.2.127<---->192.168.2.116

With firewalld running on 192.168.2.127 I get the following on 192.168.2.116

[egreshko@acer ~]$ ssh 192.168.122.152
ssh: connect to host 192.168.122.152 port 22: Connection refused
[egreshko@acer ~]$ traceroute 192.168.122.152
traceroute to 192.168.122.152 (192.168.122.152), 30 hops max, 60 byte packets
1 192.168.2.127 (192.168.2.127) 2.256 ms 2.834 ms 2.892 ms
2 192.168.2.127 (192.168.2.127) 3.284 ms 3.854 ms 4.398 ms

If I stop the firewall I get..

[egreshko@acer ~]$ ssh 192.168.122.152
Last login: Tue Jun 16 06:21:07 2020 from 2001:b030:112f:2::2
[egreshko@f31k ~]$ exit
logout
Connection to 192.168.122.152 closed.
[egreshko@acer ~]$ traceroute 192.168.122.152
traceroute to 192.168.122.152 (192.168.122.152), 30 hops max, 60 byte packets
1 192.168.2.127 (192.168.2.127) 3.594 ms 3.771 ms 4.345 ms
2 192.168.122.152 (192.168.122.152) 4.653 ms !X 5.260 ms !X 5.532 ms !X

I can connect from 192.168.122.1 to 192.168.122.152 no matter if firewalld is running or not.

[root@meimei ~]# firewall-cmd --get-active-zones
libvirt
interfaces: virbr0
public
interfaces: enp2s0 wlp4s0

What to check? This was working in early June and I doubt I made changes.

--
The key to getting good answers is to ask good questions.