RouterOS bridge & bridge+firewall mode

A re-posting under RouterOS to clarify (I hope) my question - Capitals are only being used for clarity to show setup commands

I am trying to answer a fundamental question for myself about how (for example) an RB750 (i.e. RouterOS) operating in bridge mode can correctly identify the direction of packets so the rules NEW, ESTABLISHED, RELATED operate as one might intend. I have searched the forum and the manual and the packet flow diagrams but I have been unable to answer this question exactly - perhaps it's a question for MikroTik developers.

For example Step 1 - if I install an RB750 between my broadband router (that is doing NAT, and DHCP etc) and my ‘private LAN’.
The RB750 is operating in BRIDGE mode, it does not therefore, need to perform NAT. Initially it is operating at the MAC layer just bridging the two LAN segments.

Internet
|
[ISP ROUTER] (NAT, DHCP etc) gateway 192.168.8.1
|
[RB750] In bridge mode
| | | | 4 LAN ports to private network 192.168.8.0/24

Step 2 now, if I switch on USE IP FIREWALL in the bridge, it must start to operate at layer 3 to inspect the IP packets.

If I put the rule in the IP>FIREWALL FORWARD path to allow ESTABLISHED & RELATED for instance, how does the RB750 ‘know’ the direction to apply these rules correctly?

I don't fully understand what part of the bridge setup or forward rules specifically allow the router to know packets initiated on the ‘LAN’ side are allowed out unimpeded but ‘tagged’ so that the ESTABLISHED/RELATED rules can be correctly applied to ‘outside’ incoming reply packets.

As a bridge, it appears to be ‘orthogonal’ in that it bridges the two LAN segments bi-directionally. Unless the RB750 configuration allows it to differentiate between ‘inside’ and ‘outside’ (in the above scenario) it seems to me it could (incorrectly) ‘tag’ a new communication as ‘NEW’ if it was initiated on the ‘outside’ LAN or the ‘inside’ LAN.

I realise connection tracking is used and has to be enabled, but the RB750 still has to identify the ‘protected inside’ from the ‘unprotected outside’ to allow the ESTABLISHED/RELATED rules to work correctly?

How does it do this when it is operating in bridge mode with IP FIREWALL turned on?
Are there specific elements I must put in my rules (or other parts of the configuration) to ensure the direction can be correctly identified?

Many thanks for any help you are able to give