Could it simply be that the packet classification and queuing done by tc take place after everything related to masquerading and NAT, such that all source addresses are changed to be the same as the external IP address of the router? I have done some testing and found that filtering on destination addresses seems to work, but source address filtering still does not. I'm not sure how I can solve this problem without getting the fwmark filter to work.