pf route-to issues
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: pf route-to issues
- From: Cameron Schaus <cam_(_at_)_schaus_(_dot_)_ca>
- Date: Tue, 13 Dec 2005 10:22:35 -0700
I have a 3.5 firewall acting as a gateway for 2 networks (DMZ and
internal lan) to a single internet provider. To alleviate bandwidth
issues, I purchased a second internet connection from a different
provider. I would like to route the DMZ through the first provider
and the internal lan to the second provider.
I realize the 3.5 firewall is old, but I will upgrade this month.
Reading the pf.conf man page, it seems like pf has the capability to
do what I want, but I can't figure out how to make it work.
Internal lan nat/filter lines from pf.conf:
--------------------
# default deny, logged to pflog
block log all
# translate internal LAN addresses to the Shaw interface address on the way out
nat on $ShawIF from $IntIF:network to any -> ($ShawIF)
# policy routing on the inside interface: hand LAN traffic to the Shaw link/gateway
pass in on $IntIF route-to ($ShawIF $ShawGW) from $IntIF:network to any keep state
# let the routed traffic leave on the Shaw interface
pass out on $ShawIF proto tcp all modulate state flags S/SA label shaw_tcp_out
pass out on $ShawIF proto { udp, icmp } all keep state label shaw_udp_icmp_out
--------------------
Using these rules, when I try to ping from the internal lan to the
internet, I see the packets (using tcpdump) at the internal lan
interface, but I don't see them cross any other interface and I don't
see them in the pflog as blocked. Where are the packets going?
I also tried the connection pooling example in the pf user guide to
route traffic from the internal lan to both internet connections.
When pf chose to route traffic out the first internet connection,
pings worked, but when pf chose the second internet connection, the
ping did not work, and the symptoms I saw were similar to those
described above.
Can anyone help me understand how to make this work?
Cam
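The complete two-provider layout the post describes, written out as an added example in the pre-4.7 pf.conf grammar the poster is using (this is not the poster's configuration and not taken from the PF user guide verbatim; the interface names, gateway addresses and the use of fxp0-fxp3 are assumptions chosen for illustration):

```pf
# Added example, not from the original post.  Interface names and gateway
# addresses are assumptions; substitute your own.
int_if  = "fxp0"          # internal LAN
dmz_if  = "fxp1"          # DMZ
ext_if1 = "fxp2"          # provider 1, carries the DMZ
ext_if2 = "fxp3"          # provider 2, carries the internal LAN
ext_gw1 = "192.0.2.1"     # provider 1 next hop (assumed)
ext_gw2 = "198.51.100.1"  # provider 2 next hop (assumed)

# Each network is translated to the address of the link it actually leaves on.
nat on $ext_if1 from $dmz_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

block log all

# Traffic to the firewall itself or between the two inside networks must not
# be policy-routed to a provider.  'quick' makes these rules win over the
# route-to rules below (pf is otherwise last-match).
pass in quick on $int_if from $int_if:network to $int_if keep state
pass in quick on $dmz_if from $dmz_if:network to $dmz_if keep state
pass in quick on $int_if from $int_if:network to $dmz_if:network keep state
pass in quick on $dmz_if from $dmz_if:network to $int_if:network keep state

# route-to belongs on the interface the packet enters.  pf hands the packet
# straight to the named interface and gateway, bypassing the routing table,
# so the default route no longer decides which provider a network uses.
pass in on $dmz_if route-to ($ext_if1 $ext_gw1) from $dmz_if:network to any keep state
pass in on $int_if route-to ($ext_if2 $ext_gw2) from $int_if:network to any keep state

# Alternative for the LAN, the connection-pooling form from the PF user guide:
# spread new LAN connections across both providers instead of pinning one.
# pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
#     from $int_if:network to any keep state

# The routed packets still need a matching 'pass out' on each external interface.
pass out on $ext_if1 proto tcp all modulate state flags S/SA
pass out on $ext_if1 proto { udp, icmp } all keep state
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto { udp, icmp } all keep state

# Connections that arrive on the provider without the default route must have
# their replies sent back the same way; reply-to does that.  Example service
# and port are assumptions.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to ($ext_if2) port 22 keep state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, then confirm the rules loaded with `pfctl -sr` and watch state creation with `pfctl -ss` while a host on each network pings out; `tcpdump -n -e -ttt -i pflog0` shows anything the `block log all` rule drops. Two caveats worth knowing when following the route-to path: because route-to pushes the packet onto the named interface directly, a nat rule must exist for that same interface or the packet leaves with an unroutable private source address, and the `nat`/`route-to (if gw)` grammar above is the one the 3.5 release uses; later OpenBSD releases moved NAT to `match ... nat-to` and changed the route-to argument form, so check pf.conf(5) on the release being upgraded to.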