Can you explain why though?
Do I have to use the PPPoE interface for NAT rules too as I have some trouble with those too?
Sure. For the real answer lookup the packet flow diagram and follow it through, but I'll give you the brief version here.
Basically ALL packets come in on ether1 and ether3, but when they are coming in they are all "PPPoE" type packets. The RouterBoard then takes them apart and determines what their "virtual interface" is. Then they come in through the "virtual interface". So for firewalling purposes if you wanted to filter PPPoE data then ether1 or ether3 would be correct, but odds are you don't actually want to do that. Since you really want to filter the data inside of the PPPoE tunnel and NOT the PPPoE packets themselves you want to use the "virtual interface".
The same would hold for NAT. If you NAT using ether1 or ether3 as the destination you will be sending those packets to the PPPoE server, or anyone else on the ether1/ether3 interfaces, but as normal packets. E.g. not PPPoE packets to the PPPoE server. It is basically the same as the above, just backwards. So you want to send them to the "virtual interface" so the routerboard encapsulates them in the PPPoE packet and sends them to the server.
To really get it I recommend you lookup the packet flow diagram and just step through it with your packets.
Does all that make sense? Think about the difference as this.... ether1 and ether3 should have mostly PPPoE packets on them.... and the virtual interfaces will have the actual data on them after they are de-encapsulated (generally what you want to filter, etc).