I'm having problems with how to set up my PF rules so that I can limit the amount of bandwidth a particular machine has on my internal network.
Here is a simple example of my pf.conf, where 192.168.0.129 is the IP address of the machine I'm trying to limit.
# queues on the external interface cp0 (priority queueing, outbound)
altq on cp0 priq bandwidth 10Mb queue { std_out, tcp_ack_out, lim_out }
queue std_out priq(default)
queue lim_out priority 4
queue tcp_ack_out priority 6
# queues on the internal interface tap0 (class-based queueing, toward the LAN)
altq on tap0 cbq bandwidth 10Mb queue { std_in, tcp_ack_in, lim_in }
queue std_in bandwidth 50% cbq(default)
queue lim_in bandwidth 2Mb priority 4
queue tcp_ack_in bandwidth 25% priority 6 cbq(borrow)
# nat rule
nat on cp0 inet from 192.168.0.0/24 to any -> (cp0)
# filter rules for cp0 inbound
block in on cp0 all
# filter rules for cp0 outbound
block out on cp0 all
pass out on cp0 inet proto tcp from (cp0) to any keep state queue(std_out, tcp_ack_out)
pass out on cp0 inet proto { udp icmp } from (cp0) to any keep state
# filter rules for tap0 outbound
pass out on tap0 from any to 192.168.0.0/24
pass out on tap0 inet proto tcp from any to 192.168.0.129 queue(lim_in)
The issue, as I understand it from the verbose summary output, is that because of the stateful tracking all traffic for 192.168.0.129 is going through the std_out queue instead of lim_in. What am I missing?
Thanks in advance.
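A check worth running before looking at queue statistics at all is whether the queue names in the ruleset agree with each other: every name in an `altq ... queue { ... }` list needs a matching `queue NAME` line, every `queue NAME` line needs to appear in some altq list, and every `queue(...)` on a pass rule needs to point at a defined queue. `pfctl -nf /etc/pf.conf` reports all of this, but it needs pf present. The script below is an added example, not part of the original post, that performs the same consistency check with sed/awk so it can run anywhere. It embeds a constructed sample ruleset modelled on the post in which the altq lists deliberately name `sdb_out`/`sdb_in` while the queue lines define `lim_out`/`lim_in`, plus a corrected copy; the file locations under `${TMPDIR:-/tmp}` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a static consistency check for
# ALTQ queue names in a pf.conf. It flags names listed in an "altq on IF ...
# queue { ... }" declaration that have no "queue NAME" line, "queue NAME"
# lines whose name is in no altq list, and queue(...) references on pass/match
# rules that point at a queue that is never defined.

# Names listed inside "altq ... queue { a, b, c }" declarations, one per line.
altq_listed() {
    sed -n 's/^altq .*queue[[:space:]]*{\(.*\)}.*$/\1/p' "$1" |
        tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

# Names defined by "queue NAME ..." lines, one per line.
queue_defined() {
    awk '$1 == "queue" { print $2 }' "$1" | sort -u
}

# Names referenced by pass/match rules, as "queue(a, b)" or as "queue a".
queue_referenced() {
    {
        grep -E '^(pass|match)' "$1" |
            sed -n 's/.*queue[[:space:]]*(\([^)]*\)).*$/\1/p' | tr ',' '\n'
        grep -E '^(pass|match)' "$1" | grep -v 'queue[[:space:]]*(' |
            sed -n 's/.*queue[[:space:]][[:space:]]*\([A-Za-z0-9_]*\).*$/\1/p'
    } | sed 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

# Print one line per finding; return 1 if anything was found, 0 if clean.
lint_queues() {
    conf=$1
    n=0
    for q in $(altq_listed "$conf"); do
        queue_defined "$conf" | grep -qx "$q" ||
            { echo "listed in altq but never defined: $q"; n=$((n + 1)); }
    done
    for q in $(queue_defined "$conf"); do
        altq_listed "$conf" | grep -qx "$q" ||
            { echo "defined but in no altq queue list: $q"; n=$((n + 1)); }
    done
    for q in $(queue_referenced "$conf"); do
        queue_defined "$conf" | grep -qx "$q" ||
            { echo "referenced by a rule but never defined: $q"; n=$((n + 1)); }
    done
    [ "$n" -eq 0 ]
}

# Constructed sample (assumed path): the post's ruleset with a deliberate
# mismatch, sdb_out/sdb_in listed but lim_out/lim_in defined.
SAMPLE_CONF=${TMPDIR:-/tmp}/pf-sample.$$.conf
cat > "$SAMPLE_CONF" <<'EOF'
altq on cp0 priq bandwidth 10Mb queue { std_out, tcp_ack_out, sdb_out }
queue std_out priq(default)
queue lim_out priority 4
queue tcp_ack_out priority 6
altq on tap0 cbq bandwidth 10Mb queue { std_in, tcp_ack_in, sdb_in }
queue std_in bandwidth 50% cbq(default)
queue lim_in bandwidth 2Mb priority 4
queue tcp_ack_in bandwidth 25% priority 6 cbq(borrow)
pass out on cp0 inet proto tcp from (cp0) to any keep state queue(std_out, tcp_ack_out)
pass out on tap0 inet proto tcp from any to 192.168.0.129 queue(lim_in)
EOF

# Constructed sample (assumed path): the same ruleset with the names agreeing.
FIXED_CONF=${TMPDIR:-/tmp}/pf-fixed.$$.conf
sed -e 's/sdb_out/lim_out/' -e 's/sdb_in/lim_in/' "$SAMPLE_CONF" > "$FIXED_CONF"

# Usage: the sample reports four findings, the fixed copy reports none.
lint_queues "$SAMPLE_CONF" || echo "sample ruleset: problems found (expected)"
lint_queues "$FIXED_CONF" && echo "fixed ruleset: queue names consistent"
```

The check is purely lexical, so it says nothing about which queue a packet actually lands in; for that, `pfctl -vvs queue` shows per-queue packet counters and `pfctl -vs rules` shows which rule (and therefore which queue assignment) is matching.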