hmmm by the time we hit Zentyal 5.0 they leave us with an interface with just a HALT/REBOOT button 
Definitely. It is a massive disappointment to loose the Network Gateway feature and no alternative under Ubuntu/Debian 
Well... you could be a bit more creative...
Consider the following scenario:
Take a server with at least 2 NICs and a VTd capable processor
Install a vanilla Ubuntu LTS Server with KVM
Install 2 VM's
- pfSense
- Zentyal
Give eth0 exclusively to pfSense
share eth1 with pfSense, Zentyal and the rest of the LAN
This way all traffic MUST go through pfSense if it leaves (or get inside) the LAN.
However, for me Zentyal has reached the point it serves no use for my situation. I prefer to use a mixed environment where both Linux and MS clients can use all the features on the network. With current direction of Zentyal, Linux clients are not supported (enough) and therefore Zentyal 3.2 will be the last version I will use. Untill Ubuntu 12.04 is EOL I will keep using the servers I currently have, but after that, another sollution will replace Zentyal.
