Ah! I found the culprit, in /etc/config/firewall
option flow_offloading '1'
When I remove that (luci: network > firewall > Routing/NAT Offloading > Flow offloading type should be set to none), snort sees all the packets it should and actually loads the CPU:
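An added example, not from the original post: a small POSIX shell check that parses an OpenWrt `/etc/config/firewall` fragment and reports whether `flow_offloading` is enabled in the `defaults` section, so a sensor like snort that stops seeing traffic can be checked against this setting first. The sample config below is constructed for the example; the `uci` commands in the comment are the standard OpenWrt way to apply the change the post describes.

```shell
# Added example (not from the original post). With flow offloading on, established
# flows bypass the netfilter path that snort captures from, so the sensor goes quiet
# while traffic still flows. This check makes that misconfiguration visible.

# flow_offloading_enabled FILE -> exit 0 if "option flow_offloading '1'" is set
# inside the 'config defaults' section, 1 otherwise.
flow_offloading_enabled() {
    awk -v q="'" '
        /^config[ \t]/ { in_defaults = ($2 == "defaults") }
        in_defaults && $1 == "option" && $2 == "flow_offloading" {
            gsub(q, "", $3)              # strip the UCI single quotes
            if ($3 == "1") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample config for the example (not a real router's file).
CONSTRUCTED_CFG="$(mktemp)"
cat > "$CONSTRUCTED_CFG" <<'EOF'
config defaults
	option input 'ACCEPT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
EOF

if flow_offloading_enabled "$CONSTRUCTED_CFG"; then
    echo "flow offloading is ON: snort will miss most packets of established flows"
    # Fix from the post, applied with uci on a real OpenWrt box:
    #   uci set firewall.@defaults[0].flow_offloading='0'
    #   uci commit firewall && /etc/init.d/firewall restart
else
    echo "flow offloading is off"
fi
```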