Firewall + OpenVPN + Traffic Shaping problem

  • Hi,
    I have a firewalling problem doing traffic shaping on external OpenVPN clients connecting to the internal LAN.
    Connecting clients have no problem with OpenVPN, but I want to do traffic shaping, eventually limiting their bandwidth.
    To do so, I thought to create all out queues on the external interface and all in queues on the internal one.

    outqueue -----> pfSense -----> LAN inqueue

    To put the OpenVPN traffic of the external clients in the outqueue, I thought to create a stateless rule allowing connections from the outside world, and then keep state on the resulting outbound traffic from the LAN to the OpenVPN clients, on the WAN interface:

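    # stateless: let inbound OpenVPN connections reach the WAN address
    pass in on $WAN proto tcp from any port > 1024 to $WAN port 1194 no state
    # stateful: queue the replies going back out to the clients
    pass out on $WAN proto tcp from $WAN port 1194 to any keep state queue outqueue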

    I've done this by creating a stateless firewall rule in the GUI for the first, and an out rule in the "Floating ruleset" for the second, but when I try to connect an external OpenVPN client, the outbound traffic to the OpenVPN client gets blocked by the "default deny ruleset".

    The log says that the blocked traffic is TCP:SA. Why?
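
The blocked TCP:SA described above can be reproduced with a small model of how pf matches stateful rules. This is an added example, not part of the original post and not pf's own code: it replays the TCP handshake against the two posted rules and against a single stateful inbound rule. The addresses, ports and the rule model are constructed, and it assumes pf's default `flags S/SA` on stateful TCP rules and a default deny when nothing matches.

```python
# Simplified model of pf evaluation on the WAN interface (added example).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out" on WAN
    src: tuple          # (address, port)
    dst: tuple
    flags: frozenset    # TCP flags, e.g. frozenset("SA")

@dataclass(frozen=True)
class Rule:             # models only "pass ... port 1194" rules
    direction: str
    port_side: str      # "src" or "dst": which side must be port 1194
    keep_state: bool
    queue: str = None

    def matches(self, p):
        if p.direction != self.direction or getattr(p, self.port_side)[1] != 1194:
            return False
        # Assumption: stateful TCP rules default to "flags S/SA" (SYN set, ACK clear).
        return not self.keep_state or (p.flags & frozenset("SA")) == frozenset("S")

def run(rules, packets):
    """Return one (verdict, queue label) pair per packet."""
    states, verdicts = {}, []
    for p in packets:
        key = frozenset((p.src, p.dst))          # same key for both directions
        if key in states:                        # state lookup precedes the ruleset
            verdicts.append(("pass", states[key]))
            continue
        hits = [r for r in rules if r.matches(p)]
        if not hits:                             # default deny
            verdicts.append(("block", None))
            continue
        hit = hits[-1]                           # last matching rule wins
        if hit.keep_state:
            states[key] = hit.queue              # queue label is carried by the state
        verdicts.append(("pass", hit.queue))
    return verdicts

CLIENT, SERVER = ("203.0.113.7", 40000), ("198.51.100.1", 1194)   # constructed
HANDSHAKE = [Packet("in", CLIENT, SERVER, frozenset("S")),
             Packet("out", SERVER, CLIENT, frozenset("SA")),
             Packet("in", CLIENT, SERVER, frozenset("A"))]
POSTED = [Rule("in", "dst", keep_state=False),                    # the two posted rules
          Rule("out", "src", keep_state=True, queue="outqueue")]
STATEFUL_IN = [Rule("in", "dst", keep_state=True, queue="outqueue")]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("stateful in", STATEFUL_IN)):
        print(name, run(rules, HANDSHAKE))
```

With the posted rules the SYN passes statelessly, so the SYN-ACK reply has no state to match and does not satisfy the stateful out rule's SYN-only flag check; it falls through to the default deny. With the state created by the inbound SYN, the reply matches that state and carries its queue label.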