In interface and Out interface FW rule

In firewall rules, the in-interface is the IP interface which passed the IP packet to the routing/firewall engine. The out-interface is the IP interface which will (most likely) be used to send the IP packet towards its destination.

Pay attention to the difference between interface and port. Sometimes the same “hole in router” can be both, but there are times when they’re not:

  • when using a bridge to create a kind of switch … this is the default config on multi-port (3 or more) devices that do come with a default config (SOHO MikroTiks). For example, a 5-port device will typically have ether1 configured as the WAN interface, while the rest (ether2-ether5) will be configured as ports of the bridge. In ROS, a bridge has two personalities (read more on this); one is an interface which allows ROS to communicate with the network(s) bridged by the bridge.
    In this case, it’ll be the bridge interface that will be seen as in-interface by the firewall, not the individual ether ports
  • when using VLANs, one will typically create multiple VLAN interfaces (in /interface vlan), anchored to the same underlying interface (such as bridge or ether3).
    In this case, it’ll be one of those vlan interfaces that will be seen as in-interface by firewall, not the underlying interface
  • when using any kind of tunnels, such as PPPoE (quite commonly used as access tunnel by many ISPs) or wireguard or IPsec, which create a virtual interface as tunnel entry/exit point. In this case, it’ll be one of those tunnel interfaces that will be seen as in-interface by firewall, not the underlying interface
  • when interfaces need to be stacked (e.g. WAN physical port is made member of a bridge, traffic over that bridge is VLAN tagged and ISP requires PPPoE … so ether1->bridge->VLAN->pppoe), it’ll be the “top level” interface that will be seen as in-interface by firewall, not any of underlying interfaces.

And same goes for out-interface … and likewise for in-interface-list and out-interface-list.

In addition to that, most interface lists have to be created manually. There are a few implicit/automatic interface lists, but experience shows that using them can cause trouble. There are two interface lists created by the default configuration (WAN and LAN), but they are simply default lists which correspond to the default configuration (ether1 as WAN interface, bridge as LAN interface). If you manually change the default configuration (e.g. add a PPPoE interface on top of ether1), you also have to manually update the interface list members.
And (more importantly): those names don’t reflect any particular use, e.g. router doesn’t know what’s LAN in sociological definition used by particular user’s environment. It’s only names, they could easily be called “statler” and “waldorf” for that matter.
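
The rules above can be checked mechanically. This is an added example, not part of the original post: a small Python audit that reads a configuration export and flags firewall matchers (direct or through an interface list) that name an interface with a bridge, VLAN or PPPoE interface stacked on top of it. The export text is constructed for illustration, only the three stacking types shown are handled, and each finding is a prompt for review rather than proof of a broken rule.

```python
import shlex

# Constructed sample shaped like a RouterOS "/export"; all names are illustrative.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge interface=ether2
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface pppoe-client
add interface=ether1 name=pppoe-out1 user=example
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip firewall filter
add action=drop chain=input in-interface=ether2 comment="bridge port"
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=forward in-interface=vlan10 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
"""

def parse(export):
    """Return [(section, {key: value})] per 'add' line (line continuations assumed joined)."""
    section, items = "", []
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            items.append((section, dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)))
    return items

def audit(export):
    """Flag firewall matchers that resolve to an interface with another one stacked on top."""
    items, above, lists = parse(export), {}, {}
    for sec, kv in items:
        if sec == "/interface bridge port":      # port sits under its bridge
            above.setdefault(kv["interface"], []).append(kv["bridge"])
        elif sec in ("/interface vlan", "/interface pppoe-client"):
            above.setdefault(kv["interface"], []).append(kv["name"])
        elif sec == "/interface list member":
            lists.setdefault(kv["list"], []).append(kv["interface"])
    findings = []
    for sec, kv in (x for x in items if x[0].startswith("/ip firewall")):
        for key in ("in-interface", "out-interface"):
            refs = [kv[key].lstrip("!")] if key in kv else []              # direct matcher
            refs += lists.get(kv.get(key + "-list", "").lstrip("!"), [])  # list members
            findings += [(sec, key, i, above[i]) for i in refs if i in above]
    return findings
```

On the sample, `audit(SAMPLE_EXPORT)` reports the rule matching a bridge port, the LAN list that still holds only the bridge although vlan10 sits on it, and the WAN list that still holds ether1 after PPPoE was added on top.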