1) No, firewall by default permits all on INPUT-OUTPUT-FORWARD. Take my advise and switch to DENY only the INPUT chain, after you have granted access to the ZS router by https and ssh.
2) No, not at all. I have Netbalancer and Openvpn working fine. In case you face issues with those two, consider adding a Balancing Rule for the Openvpn to be directed on one interface if both are up.