Well, the patch is ok. Don’t know why the patch command failed.
I patched the rejected parts handish and saved the patched files
in /Database/custom.
Then under the “Startup/cron” tab under “SYSTEM” “Setup”, I have put the following into the “pre-boot” script:

for file in /Database/custom/*
cp ${file} /root/kerbynet.cgi/scripts/

All works fine with balancing disabled. Even vpn99 works well. All virtual servers behind ZS are reachable. No need for virtual servers to reach ZS from the outsite. No need for NAT on the only default gateway.

But the crux is: If i enable balancing the hole ZS is unreachable from the outsite and no virtual services are reachable.
Enabeling NAT on the balanced devices has no effect.

My point of view is outsite. I have to manage ZS and the servers behind ZS remote.
I tried ZS for balancing traffic to the outsite additionally.

Any idea?