Not all RDP traffic seems to be marked in firewall mangle

I have a RDP server on LAN which is forwarded to WAN:

add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-mark=rdp-connection-mark passthrough=yes port=3389 protocol=tcp
add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-mark=rdp-connection-mark passthrough=yes port=3389 protocol=udp
add action=mark-packet chain=prerouting comment="MARK RDP PACKETS" connection-mark=rdp-connection-mark new-packet-mark=rdp-mark passthrough=yes

If I make a queue on the WAN interface which has rdp-mark as a criterium I see much less traffic than it actually is sent by RDP server (kilobits, instead of few Mbps). Instead this traffic can be observed when I use queue with no-mark.

Could someone please explain why is this so (perhaps fasttrack should be disabled?), and how to mark all RDP traffic so you can rate-limit it?

You’ve answered yourself. Fasttracking means bypass of all firewall rules, fasttracked packets only pass through the connection-tracking part of the firewall.

Is there a way to still mark / count this traffic or is the only way for proper bandwidth management to have fasttracking disabled?

It depends what you need to do in particular. If the only traffic categories are “RDP” and “the rest”, you can selectively exclude from fasttracking the RDP traffic, handle it by the queues chosen by packet-mark, and handle the rest by the queues chosen by absence of packet-mark.

You have to use one queue tree on each interface, which handles only output through that interface, because in order for a queue to handle fasttracked packets, its ultimate parent has to be an interface, not global. You can reuse the same packet-mark values in all of these trees, i.e. you can assign the same packet-mark to packets in both directions of the tracked connection.