The classic setup for a DMZ firewall with pf is one with a box with three NICs:
- external interface - connecting to the dangerous Internet
- DMZ interface - connecting to the servers in the DMZ
- internal interface - connecting the internal LAN

Is this an option for you?
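
A pf.conf for the three-interface layout described above, added here as an example and not part of the original post. The interface names, subnets and web server address are assumptions, and the syntax is that of current OpenBSD pf (`nat-to` / `rdr-to`).

```conf
# Constructed example: all names and addresses below are assumptions.
ext_if  = "em0"            # external interface (Internet)
dmz_if  = "em1"            # DMZ interface (public-facing servers)
int_if  = "em2"            # internal interface (LAN)

dmz_net = "10.0.1.0/24"
lan_net = "10.0.2.0/24"
web_srv = "10.0.1.10"      # hypothetical web server in the DMZ

set skip on lo

# Default deny; policy is enforced on ingress of each interface.
block log all
antispoof quick for { $dmz_if $int_if }

# Forwarded traffic that was admitted on ingress may leave any interface.
pass out

# Source NAT for both private networks when leaving via the external NIC.
match out on $ext_if inet from { $lan_net $dmz_net } to any nat-to ($ext_if)

# Internet -> DMZ: only the published web ports, redirected to the server.
pass in on $ext_if inet proto tcp to ($ext_if) port { 80 443 } rdr-to $web_srv

# DMZ -> outside: DNS and HTTP(S) only, and never towards the LAN.
pass in on $dmz_if inet proto { tcp udp } from $dmz_net to ! $lan_net port 53
pass in on $dmz_if inet proto tcp from $dmz_net to ! $lan_net port { 80 443 }

# LAN -> Internet and DMZ.
pass in on $int_if inet from $lan_net to any
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it. The property to check is that no `pass in on $dmz_if` rule can match a destination in `$lan_net`, so a compromised DMZ host cannot open connections into the LAN.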