It is not that hard. If you have static IPs on the 2 ZS it is more easy. On the 184.108.40.206 interface of ZS2 add only one static route for the ZS1 WAN interface. On the 220.127.116.11 interface assign the default gateway. On the virtual servers section add the ports to be forwarded on the 18.104.22.168 only! NAT only on the 22.214.171.124 interface, the other one works with the tunnel. Regarding the http administration you may block the interfaces that you don’t want to listen to. There is the https menu on the administration page.