
Based on the above flow chart, traffic would bypass the decision when the bridge is the output interface, going to Bridge Decision instead.
What I see is that traffic is treated before [Bridge Output], where the bridge filter sits, but after [Policyrouting]:
- packet-mark “PrivateToWAN” all traffic destined to the 192.168.0.0/16 subnet in postrouting
- drop all packets marked “PrivateToWAN” going out via WAN in the bridge filter
ONLY PACKETS NOT TREATED BY THE IPSEC POLICY (to subnet 192.168.1.0/24) GET DROPPED by the bridge filter (which is great and what I want, but not supported by the chart)
Come to think of it, it does make perfect sense for [Bridge Output] to come AFTER [Postrouting], since packet marks are used by the bridge filter.
EDIT: To summarize, traffic seems to flow like so:
…output traffic–
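The two rules described in the post above, written out as RouterOS CLI. This is an added example, not configuration from the original poster; the interface name "WAN" and the subnets are assumptions taken from the post's wording.

```routeros
# Added example (not from the original post): the mangle mark plus the
# bridge-filter drop the post describes. "WAN" interface name and the
# subnets are assumptions; adjust to your own setup.

# 1. Mangle, postrouting chain: tag everything headed for the private range.
/ip firewall mangle
add chain=postrouting dst-address=192.168.0.0/16 \
    action=mark-packet new-packet-mark=PrivateToWAN passthrough=yes \
    comment="tag traffic destined to private range"

# 2. Bridge filter, output chain: drop tagged packets leaving via WAN.
#    As observed in the post, packets already handled by the IPsec policy
#    (dst 192.168.1.0/24) do not hit this rule, so only cleartext
#    private-range traffic leaking out WAN is dropped.
/interface bridge filter
add chain=output packet-mark=PrivateToWAN out-interface=WAN action=drop \
    comment="drop unencrypted private-range traffic leaving via WAN"

# Verify: the drop rule's counters should only move for non-IPsec traffic.
/interface bridge filter print stats
```

Watch the drop rule's counters while generating traffic to a host inside and outside the IPsec-covered subnet to confirm which path each takes.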