Understanding Normalization rules for DSCP

Started by Dragonfly, Today at 11:17:09 AM

Today at 11:17:09 AM Last Edit: Today at 11:28:44 AM by Dragonfly
I'm trying to set the tos flag in the IP header for certain traffic using normalization rules. Basically I have a VPN tunnel from a home server (192.168.1.2) connecting to a public VPN server UDP/443. What I want is this traffic to be marked with CS1 (background).

I've made a rule like this:
Interface: LAN_1
Proto: UDP
Direction: any
Source: 192.168.1.2:any
Dest: any:443
ToS: CS1

However, the strange thing is that all return traffic gets tos 0x20:

10:40:06.548763 IP (tos 0x20, ttl 58, id 32042, offset 0, flags [DF], proto UDP (17), length 133)
    1.2.3.4.443 > 192.168.1.2.57135: UDP, length 105

but all outgoing traffic remains on 0x00:

10:40:06.549125 IP (tos 0x0, ttl 64, id 10416, offset 0, flags [DF], proto UDP (17), length 105)
    192.168.1.2.57135 > 1.2.3.4.443: UDP, length 77

These are packets from a simple tcpdump -vni igb1 host 192.168.1.2 and udp port 443 -c 10. I've tried removing the state as well as simply restarting the tunnel several times.

I've also tried making an opposite rule, with srcport 443 dst 192.168.1.2:any, as well as including my WAN interface (pppoe0), but to no avail.

Does anyone know what's going on or how to solve this? Much appreciated!

edit: when I just create a blanket rule with my LAN interface selected and then everything else set to "any", outgoing traffic is still 0x00 whilst the incoming traffic is 0x20. What am I missing?