If a customer is routing traffic internally always make sure that they are routing traffic back to the LAN (eth0) of the ZO device.
If they route the traffic back via a different interface, WAN1, etc. The routing will not work across the tunnels. The traffic must go in and out of the LAN (eth0) interface.
If the customer has VLANs, the ZO device must be the gateway for that VLAN traffic and the remote network must be defined as that of the primary LAN interface subnet.