Ok, you should be able to do something like me then. Even simpler if you don't have a guest VLAN.
You need to split your SQM instance in half - egress on the WAN interface to handle upload traffic, and egress on the LAN interface to handle download traffic.
And in between them you have your iptables rules which mark packets with DSCP tags before they hit the SQM instances.