Again, definitively, if Zentyal is between clients and routers, then the IP range must be different.
So what is your conclusion?
Mine is that if you do need some clients to access the routers directly, you have to either move them to the other side of the Zentyal server (but this is risky and complex as far as fw rules are concerned) or you have to deploy Zentyal with only one single interface, like any client on the LAN.
All devices, including Zentyal, will share the same address range and it will work.
Then this works depending on the services you want to deploy.
With such design, you can deploy:
- mail, HTTP proxy, VPN (with NAT)
but firewalling makes very little sense.
Note that the HTTP proxy can't use transparent proxy mode if only one interface is deployed, except if Zentyal is the default gateway for the devices, but then reaching the routers directly will not work.
BTW, why do you need to have direct access between devices and routers and why can't this be done through Zentyal?