Ah, that makes sense - also sucks that AT&T doesn't make things easy...
In that case, one change I might make to your design is to move the Dev VMs (the 1.1/24 segment) under the UTM, so pfsense doesn't have to run a mix of static IPs and NAT (assuming you want the dev VMs to access the internet). That way the LAN and Dev VMs can just use the UTM as a default gateway to talk to each other (subject to whatever firewall rules you want to set up), while you have the choice of relying on NAT to access the internet-accessible servers from the LAN, or setting static routes on the pfsense and NAT bypass on the UTM.