Could not duplicate on 2.4.2_1:
Set laptop switchport to set dscp 14
Set floating rule to match AF13 and log
@282(1521434373) match in log on igb1.223 inet all dscp 0x38 label "USER_RULE: Match DSCP Test Redmine 8379"
Connected laptop. iperf3 client to pfSense (no server running)
Shell Output - clog /var/log/filter.log | grep 1521434373
Mar 18 22:12:29 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,192.168.223.1,65415,5201,0,S,1436453948,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:22:59 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,52.84.154.170,65418,443,0,S,1320783426,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,61718,0,none,17,udp,76,192.168.223.199,17.253.4.125,63574,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,39080,0,none,17,udp,76,192.168.223.199,17.253.26.125,56859,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,63354,0,none,17,udp,76,192.168.223.199,17.253.4.253,56272,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,17.249.25.246,65419,443,0,S,1108708379,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Wireshark on pfSense interface says: Differentiated Services Field: 0x38 (DSCP: AF13, ECN: Not-ECT)
Changed laptop switchport to set dscp 18
Same firewall rule, same iperf test, same laptop
Nothing additional logged:
Shell Output - clog /var/log/filter.log | grep 1521434373
Mar 18 22:12:29 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,192.168.223.1,65415,5201,0,S,1436453948,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:22:59 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,52.84.154.170,65418,443,0,S,1320783426,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,61718,0,none,17,udp,76,192.168.223.199,17.253.4.125,63574,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,39080,0,none,17,udp,76,192.168.223.199,17.253.26.125,56859,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,63354,0,none,17,udp,76,192.168.223.199,17.253.4.253,56272,123,56
Mar 18 22:23:20 fw-223 filterlog: 282,,,1521434373,igb1.223,match,unkn(%u),in,4,0x38,,64,0,0,DF,6,tcp,64,192.168.223.199,17.249.25.246,65419,443,0,S,1108708379,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Wireshark on pfSense interface says: Differentiated Services Field: 0x48 (DSCP: AF21, ECN: Not-ECT)
Probably should take this to the forum and hash out what testing issues you're having. Doesn't look like a malfunction.