What you want is to use pf to implement a "transparent proxy". You intercept the HTTP traffic and force it, or redirect it, to the Ubuntu HAVP box.
https://en.wikipedia.org/wiki/Transp...nsparent_proxy explains some problems of using a transparent proxy. It would be better to tell your local LAN users to configure their browsers to use the Ubuntu HAVP proxy.
Then you can simply block all HTTP traffic not originating from the proxy. This has a positive side effect: any blocked web traffic is now a signal to you, as system administrator, that something is wrong with one of your LAN clients.
BTW, I learned this from Nonesuch, a forum member at the now defunct bsdforums.org.
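
The block-and-log approach described above, as a pf.conf fragment. This is an added example, not part of the original post; the interface name and the proxy address are constructed placeholders, and the fragment assumes the pf box is the LAN's gateway and is merged into an existing ruleset.

```pf
# --- Assumed values, adjust to your network (constructed for this example) ---
int_if = "em1"            # LAN-facing interface of the pf gateway (assumption)
havp   = "192.168.1.10"   # address of the Ubuntu HAVP proxy (assumption)

# The proxy is the only LAN host allowed to make outbound HTTP connections.
pass in quick on $int_if inet proto tcp from $havp to any port 80

# Any other LAN host attempting direct HTTP is dropped and logged.
# "quick" stops evaluation here so a later, broader pass rule cannot
# re-allow the traffic; "log" sends the packet header to pflog0.
block in log quick on $int_if inet proto tcp from $int_if:network to any port 80

# Check the syntax without loading:   pfctl -nf /etc/pf.conf
# Load the ruleset:                   pfctl -f /etc/pf.conf
# Watch blocked HTTP attempts live:   tcpdump -n -e -ttt -i pflog0 port 80
```

Each line that shows up on pflog0 names a client that is bypassing the proxy setting, which is the signal the post refers to.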