Maybe I was not completely clear: the 159.148.147.229:30000 belongs to MikroTik, I think it is about /interface/detect-internet, and the protocol is UDP, no three-way handshake.
For some reason, the initial packet (from the router to the MikroTik server) is ignored by the connection tracking machinery, and the response appears to the firewall as starting an incoming connection, with connection-state=new:
[user@Mikrotik] > /tool/sniffer/quick interface=ether1 ip-address=159.148.147.229
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU, FP
INTERF TIME NU DI SRC-MAC DST-MAC SRC-ADDRESS DST-ADDRESS PROTOC SI C FP
ether1 640.438 21 -> CC:2D:E0:C3:9B:90 94:6A:B0:60:CA:B9 192.168.1.33:5678 (discovery) 159.148.147.229:30000 ip:udp 74 0 no
ether1 640.516 22 <- 94:6A:B0:60:CA:B9 CC:2D:E0:C3:9B:90 159.148.147.229:30000 192.168.1.33:5678 (discovery) ip:udp 74 0 no
ether1 700.441 23 -> CC:2D:E0:C3:9B:90 94:6A:B0:60:CA:B9 192.168.1.33:5678 (discovery) 159.148.147.229:30000 ip:udp 74 0 no
ether1 700.516 24 <- 94:6A:B0:60:CA:B9 CC:2D:E0:C3:9B:90 159.148.147.229:30000 192.168.1.33:5678 (discovery) ip:udp 74 0 no
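
Added example, not part of the original post and not MikroTik code: a small Python model of a UDP state tracker that sees every packet, run over the four sniffer lines above to show which state each packet would normally get. The `classify` function and the 10-second `udp_timeout` are assumptions made for illustration.

```python
import re

# The four packets from the sniffer output in the post above.
SAMPLE = """\
ether1 640.438 21 -> CC:2D:E0:C3:9B:90 94:6A:B0:60:CA:B9 192.168.1.33:5678 (discovery) 159.148.147.229:30000 ip:udp 74 0 no
ether1 640.516 22 <- 94:6A:B0:60:CA:B9 CC:2D:E0:C3:9B:90 159.148.147.229:30000 192.168.1.33:5678 (discovery) ip:udp 74 0 no
ether1 700.441 23 -> CC:2D:E0:C3:9B:90 94:6A:B0:60:CA:B9 192.168.1.33:5678 (discovery) 159.148.147.229:30000 ip:udp 74 0 no
ether1 700.516 24 <- 94:6A:B0:60:CA:B9 CC:2D:E0:C3:9B:90 159.148.147.229:30000 192.168.1.33:5678 (discovery) ip:udp 74 0 no
"""

# interface, time, num, dir, two MACs, src ip:port [(name)], dst ip:port [(name)], protocol
LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>\d+\.\d+)\s+(?P<num>\d+)\s+(?P<dir>->|<-)\s+"
    r"\S+\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+:\d+)(?:\s+\(\S+\))?\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+:\d+)(?:\s+\(\S+\))?\s+"
    r"(?P<proto>\S+)"
)

def classify(text, udp_timeout=10.0):
    """Return [(num, dir, state)] as a tracker that saw every packet would."""
    flows = {}  # (proto, {endpoint, endpoint}) -> originator, reply seen, last time
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header or unrelated line
        t, src, dst = float(m["time"]), m["src"], m["dst"]
        key = (m["proto"], frozenset((src, dst)))
        entry = flows.get(key)
        if entry and t - entry["last"] > udp_timeout:
            entry = None  # idle too long: the old entry has expired
        if entry is None:
            flows[key] = {"orig": src, "replied": False, "last": t}
            state = "new"
        else:
            if src != entry["orig"]:
                entry["replied"] = True  # traffic in the reply direction
            state = "established" if entry["replied"] else "new"
            entry["last"] = t
        out.append((int(m["num"]), m["dir"], state))
    return out

if __name__ == "__main__":
    for num, direction, state in classify(SAMPLE):
        print(num, direction, state)
```

In this model packets 22 and 24 are replies to a tracked flow, so a reply arriving with connection-state=new is consistent with the outbound packet never having created an entry.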