Как локалку по нат направить через один интерфейс (ext_all), а несколько отдельных клиентов по БИнату через другой (ext_binat)?

Привожу свой pf.conf
В итоге вся локалка на выход ломится через (ext_all), включая БИнат-ных клиентов. На вход естественно видно и тех и тех.

ext_all="ext1"
ext_binat="ext0"
int="int0"
gw_all="333.333.222.1"
gw_binat="333.333.333.1"
tcp_svc="22"

table <lan> { 192.168.0.0/16 }

set optimization normal

scrub in all
set skip on lo0

nat on $ext_all from <lan> to !<lan> -> 333.333.222.0/24  source-hash
binat on $ext_binat inet from 192.168.1.5 to any -> 333.333.333.2

block in

antispoof quick for $int

pass in on $ext_all reply-to ($ext_all $gw_all) inet proto icmp to ($ext_all) tag EXT_IF_A icmp-type echoreq code 0
pass in on $ext_all inet proto icmp from ($ext_all:network) to ($ext_all) icmp-type echoreq code 0
pass in on $ext_binat reply-to ($ext_binat $gw_binat) inet proto icmp to ($ext_binat) tag EXT_IF_B icmp-type echoreq code 0
pass in on $ext_binat inet proto icmp from ($ext_binat:network) to ($ext_binat) icmp-type echoreq code 0
pass in on $ext_all reply-to ($ext_all $gw_all) inet proto tcp to ($ext_all) port { $tcp_svc }
pass in on $ext_all inet proto tcp from ($ext_all:network) to ($ext_all) port { $tcp_svc }
pass in on $ext_binat reply-to ($ext_binat $gw_binat) inet proto tcp to ($ext_binat) port { $tcp_svc }
pass in on $ext_binat inet proto tcp from ($ext_binat:network) to ($ext_binat) port { $tcp_svc }
pass in quick from ($ext_all:network) tagged EXT_IF_A keep state
pass in quick reply-to ($ext_all $gw_all) tagged EXT_IF_A keep state
pass in quick from ($ext_binat:network) tagged EXT_IF_B keep state
pass in quick reply-to ($ext_binat $gw_binat) tagged EXT_IF_B keep state
pass out inet from (self:network)
pass in inet proto icmp to (self:network)
pass quick on $int
pass out route-to ($ext_all $gw_all) inet from ($ext_all) keep state
pass out route-to ($ext_binat $gw_binat) inet from ($ext_binat) keep state
pass out inet from { $ext_all $ext_binat } to (self:network)