route-to on traffic from localhost breaks connectivity to WAN subnets
The route-to added to the pass out rules, such as:
pass out route-to ( em1 220.127.116.11 ) from 18.104.22.168 to any keep state allow-opts label "let out anything from firewall host itself"
breaks connectivity with the locally connected WAN subnet, because it forces that traffic to the upstream router instead of delivering it directly on the link. This is basically the reply-to problem in reverse. We either need to:
1) add a rule above that one that does not route-to for the local WAN subnet, or
2) patch route-to so that it is skipped for destinations in the local subnet.
#1 is preferable, I think; it is easy to fix with a rule, whereas the reply-to scenario is not.
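What option #1 looks like in pf.conf, as an added example (not from the original report): the interface, gateway and firewall address are the ones quoted above, the WAN prefix comes from pf's own `em1:network` expansion, and `quick` is an assumption needed because pf evaluates rules last-match-wins.

```pf
# Added example, not the original ruleset. Assumes WAN interface em1,
# firewall WAN address 18.104.22.168 and upstream gateway 220.127.116.11
# as quoted in the report; the WAN prefix is taken from em1:network so no
# netmask has to be guessed.
wan_if = "em1"
wan_gw = "220.127.116.11"
wan_ip = "18.104.22.168"

# Option 1: traffic from the firewall itself to a host on the directly
# attached WAN subnet is passed WITHOUT route-to, so the kernel routing
# table delivers it on the link (ARP neighbour) instead of bouncing it
# through the upstream router.
# 'quick' matters: pf uses last-match semantics, so without it the later
# route-to rule would still win for these packets.
pass out quick on $wan_if from $wan_ip to $wan_if:network keep state \
    label "firewall host itself to local WAN subnet, no route-to"

# The rule from the report, now only reached for destinations that are
# not on the local WAN subnet.
pass out route-to ( $wan_if $wan_gw ) from $wan_ip to any keep state \
    allow-opts label "let out anything from firewall host itself"
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then confirm with `pfctl -sr` that the local-subnet rule is listed before the route-to rule.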