Per subject, how does one set this up to work ?

The DMZ port forwarding rule is static and at the end of my static list of ip/firewall/nat rules. UPnP port forwards are dynamic and added to the end of that list, but never reached since the DMZ matches everything. I have to manually move the DMZ rule to the end to get the dynamic port forwards to work. How do I keep the DMZ rule at the end ?

Yet again, HELP !?

I don't think you can, might just have to be a bit more granular with your dstnat rules?

I don't see a sane way either. In theory it might be possible to write a script that would make sure that DMZ rule is at the end, but since there's no event (AFAIK) when UPnP opens the port to trigger it, it would have to run periodically and with as small period as possible, which would make it horribly inefficient. And if the program decided to use the port right away, which is very possible, even the smallest period might not be enough.

A new option to specify chain, where to insert dynamic rules, would be handy. That way you could put jump to that chain anywhere you need, i.e. before DMZ rule. Ask MikroTik... if you're lucky, they may like the idea and add it.

Thanks for the feedback guys. It looks like DMZ needs to be a separate feature in RouterOS.