Linux QOS sees traffic closer to the wire than iptables, so if you are doing NAT then it will only see the public address.
On a full Linux setup the workaround is to use iptables to mark the packets, then use tc to match those marks.
Unless things have changed, you can't do that with routertech kernel as the iptables mark/ tc fw mark match are not compiled in.
filter parent 51: protocol ip pref 3 u32 fh 80a: ht divisor 1
filter parent 51: protocol ip pref 3 u32 fh 80a::800 order 2048 key ht 80a bkt 0 flowid 51:2
match 0a0a0100/ffffff00 at 12
match 00060000/00ff0000 at 8
match 00000050/00000050 at 20
flowid 51:2 is high prio, 51.3 med and 51.4 low. There is a 51.1 that's really high, but TI reserve this (IIRC for routers with voip)
match 0a0a0100/ffffff00 at 12
Source address is 12 bytes into an IP packet this matches 10.10.1.0/24 as ffffff00 is a mask.
match 00060000/00ff0000 at 8
10th byte is protocol 6 = tcp
match 00000050/00000050 at 20
IP header is normally 20 bytes next is tcp header first 8 bytes are source/dest port 0x50 = dst port 80.
I don't understand why the mask is not 0000ffff maybe TI logic is buggy (assuming intention was to match just port 80)
I notice one of your matches is -
match 0a0a0100/ffffff00 at 16
which is dst address 10.10.1.0/24 - just in case you don't know when you apply qos to ppp0 it only sees outgiong packets.