Opened 4 years ago
#20147 new defect
Problems when masquerade is enabled on host
Reported by: | sblk | Owned by: | |
---|---|---|---|
Component: | network | Version: | VirtualBox 6.1.16 |
Keywords: | bridge, firewall, masquerade | Cc: | |
Guest type: | Linux | Host type: | Linux |
Description
Steps to reproduce issue:
1. Configure a Linux host with firewalld and enable masquerade on the public zone (or a similar configuration with iptables or nftables by hand)
2. Test access to both http and https on the guest side
3. Disable masquerade on the host and repeat step 2

If netfilter masquerading is enabled on the host and the guest is in bridge mode, both http and https don't work.
For example:
```
curl -I http://www.virtualbox.org
curl: (56) Recv failure: Connection reset by peer
root@techier-glossa:~# curl -I https://www.virtualbox.org
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.virtualbox.org:443
```
If I disable netfilter masquerading, it works.
In bridge mode it should not matter at all whether the host is doing that.
This is the configuration of firewalld:
```
[root@munster ~]# firewall-cmd --zone=lxc --list-all
lxc (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lxcbr0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@munster ~]# firewall-cmd --zone=libvirt --list-all
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject
[root@munster ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp108s0
  sources:
  services: dhcpv6-client kdeconnect mdns ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
As far as I know, in bridge mode it should not matter at all whether the host is doing that, should it?
Thanks in advance
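
To see at a glance which host interfaces sit in an active zone with masquerade enabled (the condition the report ties the failures to), the `firewall-cmd --list-all` output can be parsed. This is an added example, not part of the ticket or of VirtualBox; it assumes the two-space `key: value` layout firewalld prints, the sample is constructed from the zones shown above, and the function names are hypothetical.

```python
import re

# Constructed sample: the three zones from the ticket, laid out the way
# `firewall-cmd --list-all` prints them, with one shell prompt left in as noise.
SAMPLE = """\
[root@munster ~]# firewall-cmd --zone=lxc --list-all
lxc (active)
  target: ACCEPT
  interfaces: lxcbr0
  masquerade: no
libvirt (active)
  target: ACCEPT
  interfaces: virbr0
  masquerade: no
  rich rules:
\trule priority="32767" reject
public (active)
  target: default
  interfaces: wlp108s0
  services: dhcpv6-client kdeconnect mdns ssh
  masquerade: yes
"""

ZONE_HEADER = re.compile(r"^(\S+)(?: \(([^)]*)\))?$")   # "public (active)"
SETTING = re.compile(r"^  ([a-z][a-z -]*):\s*(.*)$")    # "  masquerade: yes"

def parse_zones(text):
    """Return {zone: {"flags": [...], setting: value, ...}}."""
    zones, current = {}, None
    for line in text.splitlines():
        header = ZONE_HEADER.match(line)
        setting = SETTING.match(line)
        if header:
            flags = [f.strip() for f in (header.group(2) or "").split(",") if f.strip()]
            current = zones.setdefault(header.group(1), {"flags": flags})
        elif setting and current is not None:
            current[setting.group(1)] = setting.group(2).strip()
        elif line and not line[0].isspace():
            current = None   # prompt or other unindented noise ends the zone
    return zones

def masquerading_interfaces(text):
    """Map each active zone with masquerade enabled to its interfaces."""
    return {
        name: zone.get("interfaces", "").split()
        for name, zone in parse_zones(text).items()
        if "active" in zone["flags"] and zone.get("masquerade") == "yes"
    }

if __name__ == "__main__":
    print(masquerading_interfaces(SAMPLE))
```
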
Attachments (1)
Change History (1)
by , 4 years ago
Attachment: | ubuntu-focal-20.04-cloudimg-20210119-2021-01-22-15-42-51.log added |
---|
VBox Log file