Centos 7 port forwarding with firewalld not working

I can't seem to make firewalld-based port forwarding work under Centos 7. I am forwarding 192.168.0.148:905 to 192.168.56.102:22. When I try to ssh to 192.168.0.148 -p 905 I get "Connection refused". Here are some relevant settings: [root@GraceDev3 log]# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: br0 sources: services: ssh dhcpv6-client https ports: 3389/tcp 905/tcp 908/tcp protocols: masquerade: yes forward-ports: port=905:proto=tcp:toport=22:toaddr=192.168.56.102 port=908:proto=tcp:toport=22:toaddr=192.168.56.105 source-ports: icmp-blocks: rich rules: Port forwarding: [root@GraceDev3 log]# cat /proc/sys/net/ipv4/ip_forward 1 tcpdump on 192.168.0.148 port 22 shows the ssh request arriving. The firewalld log does not show any packets being dropped. What am I missing? I note that others have had the same problem, but I haven't found any solutions posted.