OK, so this is helpful: [http://forum.mikrotik.com/t/firewall-problem/140666/1]

- chain=input is for packets which enter router (any interface!) and are targeting router’s own services
- chain=output is for packets originating from router itself (and egressing=in/out any interface)
- chain=forward is for packets which (eventually) pass router. And those include NAT-ed packets which (if coming from internet) initially seem to target router itself, but if port is forwarded, these packets pass router hence chain=forward

Is that the order the rules need to be in?
1st chain=input
2nd chain=output
3rd chain=forward