
firewalld: open by default, closed for a range, but open for a sub-range


As the title says: our CentOS system should in principle be accessible by everyone, but we have to block a range with a lot of unwanted activities (say 45.0.0.0/8), and then we want to allow a sub-range (say 45.91.0.0/16) because that range belongs to a client.

I could give you the settings I already tried in firewalld, but the mistakes I made are likely to distract you too much... I'll therefore list the two zones I created:

firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client domino http https smtp ssh websockets
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="135.181.173.14" reject


firewall-cmd --zone=drop --list-all
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 45.0.0.0/8
  services: domino http https smtp websockets
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="45.91.0.0/16" accept

How can this be accomplished in firewalld?

mangohost
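One way to express the "block a /8 but allow one /16 inside it" requirement, as an added example that is not part of the original post: keep everything in the public zone and use two rich rules whose priority attribute (firewalld 0.7 and later; lower numbers are evaluated first) fixes the order, most specific range first. The ranges are the post's placeholders, and the helper functions and the dry-run fallback are my own.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumes firewalld >= 0.7
# (rich-rule "priority" attribute). Ranges are the post's placeholders.
BLOCK_NET="45.0.0.0/8"
ALLOW_NET="45.91.0.0/16"

# Convert a dotted-quad IPv4 address to an integer (POSIX sh arithmetic).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 if CIDR $2 lies entirely inside CIDR $1 (sanity check before applying).
cidr_contains() {
    outer_ip=${1%/*}; outer_len=${1#*/}
    inner_ip=${2%/*}; inner_len=${2#*/}
    [ "$inner_len" -ge "$outer_len" ] || return 1
    mask=$(( (4294967295 << (32 - outer_len)) & 4294967295 ))
    [ $(( $(ip2int "$outer_ip") & mask )) -eq $(( $(ip2int "$inner_ip") & mask )) ]
}

# Emit the two rich rules: the client /16 is accepted at a lower (earlier)
# priority than the /8 drop, so it is matched before the wider drop rule.
rich_rules() {
    printf 'rule family="ipv4" source address="%s" accept priority="-10"\n' "$2"
    printf 'rule family="ipv4" source address="%s" drop priority="-5"\n' "$1"
}

# Add the rules to the permanent configuration of the public zone and reload.
# When firewall-cmd is not installed (e.g. on a workstation) only print the commands.
apply_rules() {
    cidr_contains "$1" "$2" || { echo "error: $2 is not inside $1" >&2; return 1; }
    rich_rules "$1" "$2" | while IFS= read -r rule; do
        if command -v firewall-cmd >/dev/null 2>&1; then
            firewall-cmd --permanent --zone=public --add-rich-rule="$rule"
        else
            echo "dry-run: firewall-cmd --permanent --zone=public --add-rich-rule='$rule'"
        fi
    done
    if command -v firewall-cmd >/dev/null 2>&1; then firewall-cmd --reload; fi
    return 0
}
```

Verify afterwards with firewall-cmd --zone=public --list-rich-rules; the separate drop zone with its source binding is then no longer needed.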

