Disabling the www service for a specific IP range can't help, because I would need to block the LAN range...
Now, I'm clueless what to do to disable WebFig on the public IP.
Go ahead and remove any changes you made about restricting the port the http service listens on / the addresses it will respond to. The problem is in your NAT rules.
I'm sure that your port forwarding rule has the criteria like this:
in-interface=WAN
protocol=tcp
dst-port=80
action=dst-nat
to-addresses=192.168.88.x
The thing that's tripping you up is that your requests to the public IP address are not entering via the WAN interface.
I very much prefer to use the interface method like this, but if you want to use hairpin NAT (public IP pinholes from inside) like you're asking, then this rule won't work.
Change this rule as follows:
If your public IP address is static, remove in-interface=WAN and add dst-address=x.x.x.x (public IP address of your router)
If your public IP address is dynamic, remove in-interface=WAN and add: dst-address-type=local dst-address=!192.168.88.1 (private IP address of your router)
Finally, in order for the hairpin to work, you're also going to need this rule in the srcnat chain:
dst-address=192.168.88.0/24 src-address=192.168.88.0/24 action=masquerade
With all of my examples, I use 192.168.88.0/24 - obviously change these to match your actual addressing.
Happy routing!
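The rule changes discussed in this thread can be traced with a small model of the router's decisions. This is an added example, not part of the original posts and not RouterOS code; the public IP 203.0.113.10, the server 192.168.88.10 (standing in for 192.168.88.x), and the client addresses are constructed values.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.88.0/24")
ROUTER_LAN = ip_address("192.168.88.1")
PUBLIC = ip_address("203.0.113.10")    # constructed public IP (documentation range)
SERVER = ip_address("192.168.88.10")   # constructed stand-in for 192.168.88.x
ROUTER_LOCAL = {ROUTER_LAN, PUBLIC}    # addresses owned by the router itself

def dstnat_matches(rule, pkt):
    """Model the three dstnat match criteria from the thread (TCP/80 assumed)."""
    if rule == "wan-if":    # in-interface=WAN
        return pkt["in_if"] == "WAN"
    if rule == "static":    # dst-address=<public IP>
        return pkt["dst"] == PUBLIC
    if rule == "dynamic":   # dst-address-type=local dst-address=!192.168.88.1
        return pkt["dst"] in ROUTER_LOCAL and pkt["dst"] != ROUTER_LAN
    raise ValueError(rule)

def trace(client, in_if, dst, rule, hairpin_masquerade):
    """Return who answers a request and whether the client accepts the reply."""
    pkt = {"src": ip_address(str(client)), "dst": ip_address(str(dst)), "in_if": in_if}
    if not dstnat_matches(rule, pkt):
        # Not forwarded: traffic addressed to the router reaches its own www service.
        return "router www service (WebFig)" if pkt["dst"] in ROUTER_LOCAL else "no match"
    original_dst = pkt["dst"]
    pkt["dst"] = SERVER                       # action=dst-nat
    if hairpin_masquerade and pkt["src"] in LAN and pkt["dst"] in LAN:
        pkt["src"] = ROUTER_LAN               # srcnat: action=masquerade
    if pkt["src"] in LAN and pkt["src"] != ROUTER_LAN:
        # Server answers the LAN client directly, so the router never un-NATs it.
        reply_src = SERVER
    else:
        # Reply goes back through the router, which restores the original address.
        reply_src = original_dst
    ok = reply_src == original_dst
    return "server, reply accepted" if ok else "server, reply rejected by client"

if __name__ == "__main__":
    lan_pc, outside = "192.168.88.50", "198.51.100.7"   # constructed clients
    for case in [(lan_pc, "LAN", PUBLIC, "wan-if", False),
                 (outside, "WAN", PUBLIC, "wan-if", False),
                 (lan_pc, "LAN", PUBLIC, "static", False),
                 (lan_pc, "LAN", PUBLIC, "dynamic", True),
                 (lan_pc, "LAN", ROUTER_LAN, "dynamic", True)]:
        print(case[3], case[1], "->", trace(*case))
```

The last case shows why the dynamic-IP variant excludes 192.168.88.1: requests to the router's private address are not forwarded, so LAN management access is unaffected.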