What is necessary for PPPoE client configuration?
A. Interface (on which PPPoE client is going to work)
B. Static IP address on PPPoE client interface
C. ip firewall nat masquerade rule
To configure a PPPoE client on MikroTik, you need to:
Set the client interface (usually ether1 or another WAN-facing port).
Optionally add NAT masquerading to enable LAN users to reach the internet.
IP address on the interface is assigned dynamically from the ISP after PPPoE negotiation, so a static IP is not required.
Option Analysis:
A. ✔ Required – You must select the interface that initiates the PPPoE connection.
B. ✘ Not Required – The IP is typically assigned by the PPPoE server (ISP).
C. ✔ Required – NAT masquerade is commonly used to allow internet access for private IP clients behind the router.
Extract from MTCNA Course Material – PPPoE Client Setup:
“The PPPoE client must have an interface specified. A NAT masquerade rule is recommended for internet access sharing.”
Extract from René Meneses MTCNA Study Guide – PPPoE:
“You do not need to assign a static IP to the PPPoE client interface. IP is received after successful login.”
Extract from MikroTik Wiki – PPPoE Client:
“After setting up the interface and credentials, PPPoE client negotiates and receives dynamic IP. Add NAT if routing LAN traffic.”
===========
What is the term for the hardware coded address found on an interface?
A. FQDN Address
B. IP Address
C. Interface Address
D. MAC Address
The hardware-coded address that uniquely identifies a device's network interface card (NIC) on the local network is called a MAC address. It is “burned in” by the hardware manufacturer and remains constant unless manually overridden.
MAC stands for Media Access Control, and it operates at Layer 2 of the OSI model. It is used to identify devices on a local area network.
A. FQDN (Fully Qualified Domain Name) refers to a human-readable name used in DNS.
B. IP Address is a logical address used for routing at Layer 3.
C. Interface Address is a generic term and not a standard identifier.
D. MAC Address is correct and refers to the physical, hardware-encoded address on an interface.
Extract from MTCNA Course Manual – RouterBOARD Overview:
“A MAC address is a globally unique hardware identifier assigned to each Ethernet or wireless interface. It is used by Layer 2 to ensure local delivery.”
René Meneses Study Guide – MAC & OSI Layering:
“The MAC address is a 48-bit physical identifier, hardcoded by the device vendor and located in the NIC chip.”
Terry Combs MTCNA Notes – Layer 2 Concepts:
“MAC = Physical Address = Layer 2 Identifier. It’s what switches use to forward Ethernet frames.”
===========
Which firewall chain would be used to block a client's MSN traffic on a router?
A. static
B. forward
C. output
D. input
To block a client’s application traffic (like MSN Messenger) that is passing through the router (from LAN to WAN or vice versa), the forward chain must be used. This chain processes packets that are routed through the router.
Evaluation:
A. static → ❌ Not a valid firewall chain.
B. ✅ forward → Correct – used to filter traffic that passes through the router.
C. ❌ output → Filters traffic originating from the router itself.
D. ❌ input → Filters traffic destined for the router itself.
MTCNA Firewall Section – Chain Descriptions:
“forward – Used for filtering transit traffic (client to internet or internet to client).”
René Meneses Guide – Firewall Chains:
“To block client application traffic, use the forward chain. Input/output are for local router access.”
Terry Combs Notes – Chain Matching:
“forward = traffic passing through router, like client web or chat traffic.”
Answer: B
QUESTION NO: 71 [Routing]
There are two routes in the routing table:
0 dst-addr=10.1.1.0/24 gateway=5.5.5.5
1 dst-addr=10.1.1.4/30 gateway=5.6.6.6
Which gateway will be used to get to the IP address 10.1.1.6?
A. both – half of the traffic will be routed through one gateway, half through the other
B. 5.5.5.5
C. the required route is not in the routing table
D. 5.6.6.6
Answer: D
Routing decisions are made based on the longest prefix match (most specific route).
10.1.1.6 falls within:
→ 10.1.1.0/24 → range: 10.1.1.0 – 10.1.1.255 (prefix length: 24)
→ 10.1.1.4/30 → range: 10.1.1.4 – 10.1.1.7 (prefix length: 30)
Because /30 is more specific than /24, it will be selected for routing the packet.
MTCNA Routing Module – Prefix Length Decision:
“Router chooses the route with the longest subnet mask (most specific match).”
René Meneses Study Guide – Longest Match Principle:
“10.1.1.6 falls within 10.1.1.4/30 → use gateway 5.6.6.6.”
Terry Combs Notes – Routing Table Resolution:
“Always check if multiple routes match. Use the one with the longest prefix.”
Answer: D
QUESTION NO: 72 [Wireless Security]
In order to use dynamic keys in your wireless security profile for an AP, you MUST set up the DHCP server to provide the dynamic keys.
A. true
B. false
Answer: B
MikroTik RouterOS supports dynamic key exchange for wireless networks using WPA/WPA2 (with PSK or EAP). These dynamic keys are not provided by the DHCP server but are instead part of the wireless security profile configured under /interface wireless security-profiles.
DHCP only assigns IP addresses and other network configuration parameters — it does not provide encryption keys.
MTCNA Wireless Security Module – WPA/WPA2 Explained:
“Dynamic keys are negotiated during the WPA/WPA2 authentication process, not via DHCP.”
René Meneses Guide – Wireless Authentication:
“Security profiles define pre-shared or dynamic key exchange (WPA-EAP). DHCP is unrelated.”
Terry Combs Notes – Misconceptions in Wireless Setup:
“DHCP and wireless encryption are separate layers. Keys are not assigned through DHCP.”
Answer: B
QUESTION NO: 73 [Firewall / Security]
Which firewall chain should you use to filter SSH access to the router itself?
A. output
B. input
C. prerouting
D. forward
Answer: B
SSH access to the router targets the router itself. Therefore, any packets destined for the router (for example, to TCP port 22) are evaluated in the input chain of the firewall.
Evaluation:
A. output → ❌ For packets originating from the router, not to it.
B. ✅ input → Correct – handles traffic destined for the router (like SSH, Winbox, etc.)
C. ❌ prerouting → Used for NAT and mangle operations, not filtering
D. ❌ forward → Used for traffic routed through the router (not for router itself)
MTCNA Firewall Section – Chain Functions:
“SSH access to the router is incoming traffic. Use input chain to filter or allow it.”
René Meneses Guide – Access Protection:
“input chain is responsible for traffic to the router’s IP – block/allow SSH, Winbox, etc.”
Terry Combs Notes – Firewall Management:
“Always use input chain for filtering incoming management protocols like SSH.”
Mark the queue types that are available in RouterOS
SFQ – Stochastic Fairness Queuing
DRR – Deficit Round Robin
FIFO – First In First Out (for Bytes or for Packets)
LIFO – Last In First Out
PCQ – Per Connection Queuing
RED – Random Early Detect (or Drop)
MikroTik RouterOS offers several queuing types under /queue type. These queuing algorithms manage how packets are buffered and sent, affecting fairness, delay, and throughput.
Available queue types in RouterOS:
SFQ (Stochastic Fairness Queuing) ✔
FIFO (First In First Out – for bytes or packets) ✔
PCQ (Per Connection Queuing) ✔
RED (Random Early Detection/Drop) ✔
Unavailable queue types:
DRR ✘ – Not supported by RouterOS
LIFO ✘ – Not supported; not suitable for networking queues
Extract from Official MTCNA Course Material – Queue Types:
"RouterOS supports PCQ, SFQ, RED, FIFO, and more. DRR and LIFO are not implemented."
Extract from René Meneses MTCNA Study Guide – Traffic Management:
“Only PCQ, FIFO, SFQ, RED are listed under /queue type. DRR and LIFO do not appear in the supported list.”
Extract from MikroTik Wiki – Queue Types:
“Supported types include FIFO, PCQ, RED, and SFQ. Each has specific use cases for latency or fairness.”
===========
Firewall NAT rules process only the first packet of each connection.
A. True
B. False
MikroTik’s NAT (Network Address Translation) is part of the connection tracking mechanism. NAT rules are applied only to the first packet of a connection. Subsequent packets belonging to the same connection are automatically handled by the connection tracking module using the same translation mappings established by that first packet.
Option Analysis:
A. ✔ True – NAT is evaluated only on the first packet of a new connection.
B. ✘ False – Subsequent packets are not re-evaluated against NAT rules.
Extract from Official MTCNA Course Material – Firewall & NAT Section:
“NAT rules apply to the first packet in a connection. After that, RouterOS uses the tracked connection entry.”
Extract from René Meneses MTCNA Study Guide – NAT & Firewall Concepts:
“Once the initial packet matches a NAT rule, connection tracking applies it to the whole session.”
Extract from MikroTik Wiki – NAT Implementation:
“NAT is evaluated on the first packet. Other packets in the same connection follow the established NAT mapping.”
===========
It is possible to create an encrypted PPPoE tunnel in RouterOS:
A. True
B. False
PPPoE (Point-to-Point Protocol over Ethernet) does not natively support encryption. It provides authentication using PAP/CHAP and allows IP assignment, but any data transmitted through a PPPoE tunnel is unencrypted unless another encryption mechanism (such as IPSec) is used on top of it.
MikroTik RouterOS supports encrypted tunneling protocols such as SSTP, L2TP/IPSec, or OpenVPN, but not native encryption in PPPoE.
MTCNA Course Manual – PPP Protocols Overview:
“PPPoE supports user authentication and compression but not encryption by itself.”
René Meneses Study Guide – Tunneling Protocols:
“PPPoE is not secure by design. If encryption is needed, use SSTP or L2TP/IPSec.”
Terry Combs Notes – PPP Protocol Capabilities:
“PPPoE does not encrypt data. Only authentication is handled within PPP.”
Answer: B
QUESTION NO: 36 [Wireless]
Why is it useful to set a Radio Name on the radio interface?
A. To identify a station in the Access List
B. To identify a station in Neighbor discovery
C. To identify a station in a list of connected clients
Answer: C
Setting a Radio Name in RouterOS provides a unique identifier that is visible to other devices in the wireless environment. It is particularly helpful for identifying connected clients in the registration table on the Access Point.
This name does not affect Access List matching or general Layer 2 communication — it’s used for human readability and monitoring.
A. Access List uses MAC addresses for filtering → ❌
B. Neighbor discovery identifies devices based on MAC, IP, and identity → ❌
C. Correct → Radio Name shows up in the registration table and helps identify stations ✅
MTCNA Wireless Module – Interface Settings:
“The Radio Name is shown in the registration table of access points, making it easier to identify connected clients.”
René Meneses Guide – Wireless Management Tips:
“Use Radio Names to label devices in multi-client setups. It appears under registration when clients connect.”
Terry Combs Notes – Wireless Interface Options:
“Radio Name is not used for access filtering — it’s for display and diagnostics.”
Answer: C
QUESTION NO: 37 [DHCP]
A DHCP server is configured on a LAN interface which is a port on a bridge. The DHCP server does not start. What could be the reason(s)?
A. The DHCP server cannot run on an interface which is also a bridge port
B. There might not be an IP address assigned to the LAN Interface
C. The IP address pool could be incorrectly defined
D. There may be multiple IP addresses set on the LAN interface
Answer: B, C
For a DHCP server to operate properly, the following conditions must be met:
The DHCP server must be attached to the correct interface (typically the bridge, not individual ports).
The bridge interface must have a valid IP address.
The IP address pool must be defined correctly (matching subnet, avoiding conflicts).
Let’s evaluate:
A. ❌ Incorrect. DHCP can run on a bridge or an interface on a bridge. It is recommended to attach DHCP to the bridge, not individual ports.
B. ✅ Correct. If there is no IP address on the interface (bridge), DHCP won’t start.
C. ✅ Correct. If the address pool is misconfigured (e.g., outside the subnet or overlapping with the router’s IP), DHCP won’t function.
D. ❌ Not a valid blocker. Multiple IPs can exist on the interface; DHCP still works if one is valid.
MTCNA DHCP Module – Configuration Troubleshooting:
“Make sure that the interface (bridge) where the DHCP server is assigned has a valid IP and a properly defined pool.”
René Meneses Guide – DHCP Server Setup:
“DHCP will not function if no IP is assigned to the interface. Check the pool range and binding address.”
Terry Combs Notes – DHCP Tips:
“Assign the DHCP server to the bridge, not individual ports. Missing IP or incorrect pool = DHCP won’t start.”
Answer: B, C
QUESTION NO: 38 [PPP]
There can be more than one PPPoE server in a single broadcast domain:
A. True
B. False
Answer: A
Yes, it is possible — and fully supported — to run multiple PPPoE servers in the same Layer 2 broadcast domain. Clients will receive Offer packets (PADO) from all PPPoE servers, and can choose which one to connect to based on configuration or server name (service name).
This is commonly used in ISP networks to provide redundancy or offer different service types.
MTCNA Course Manual – PPPoE Deployment:
“Multiple PPPoE servers may exist in the same Layer 2 domain. Clients choose based on response or service name.”
René Meneses Study Guide – PPPoE Operations:
“PPPoE discovery protocol supports multi-server environments. Clients may be configured to select a preferred one.”
Terry Combs Notes – PPPoE Server Design:
“Several PPPoE servers can coexist. Just avoid assigning overlapping IP pools.”
Using wireless connect-list it’s possible to prioritize connection to one Access Point over another Access Point by changing the order of the entries.
A. False
B. True
The connect-list in RouterOS is used to define rules for wireless client behavior when connecting to available Access Points. You can define multiple entries in the connect-list, and RouterOS processes them in top-down order. This allows prioritization of APs based on criteria such as SSID, signal strength, and MAC address.
MTCNA Course Material – Wireless Client Settings:
“The connect-list determines the order in which the wireless client will try to associate with Access Points. Entries are processed from top to bottom, allowing prioritized connection attempts.”
René Meneses MTCNA Study Guide – Wireless & Connect-List Section:
“By placing the most preferred AP at the top of the connect-list, you ensure it is attempted first. Reordering entries is used to manage roaming behavior and priority.”
MikroTik Wiki – Wireless Client & Connect List:
“The client will attempt to connect to the first matching entry in the connect list. This means the connect list can be used to define AP priorities.”
Therefore, the statement is true.
Final Answer: B
QUESTION NO: 98 [Hotspot]
What configuration is added by /ip Hot-Spot setup command? (Select all that apply)
A. /ip service
B. /ip Hot-Spot user
C. /ip Hot-Spot walled-garden
D. /ip dhcp-server
E. /queue tree
Answer: B, C, D
The /ip hotspot setup command is a wizard used to quickly deploy a HotSpot service on a selected interface. It automatically creates several configurations necessary for a functional HotSpot environment:
Creates a default user in /ip hotspot user
Adds entries in /ip hotspot walled-garden to allow access to login page
Configures a DHCP server on the selected interface if not present
MTCNA Course Material – HotSpot Setup Wizard:
“The hotspot setup creates a user, configures a DHCP server, and sets up walled garden entries. It does not touch system services or create queue trees by default.”
René Meneses MTCNA Guide – HotSpot Setup Section:
“After running hotspot setup, you will find new configurations in /ip hotspot user, /ip hotspot walled-garden, and /ip dhcp-server. The system automatically assigns IP pools and login pages.”
MikroTik Wiki – HotSpot Setup Overview:
“The setup creates a DHCP server, login page, user entry, and basic NAT and walled garden rules.”
Option A: /ip service is unrelated
Option E: /queue tree is not configured by the setup wizard
Final Answer: B, C, D
QUESTION NO: 99 [PPP]
What kind of users are listed in the Secrets window of the PPP menu?
A. Hot-Spot users
B. wireless users
C. l2tp users
D. pptp users
E. pppoe users
F. winbox users
Answer: C, D, E
The /ppp secret menu is used in RouterOS to manage usernames and passwords for Point-to-Point Protocol (PPP) based services, including:
PPPoE (Point-to-Point Protocol over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
It does not include HotSpot users, wireless clients, or Winbox users.
MTCNA Course Material – PPP User Authentication:
“The PPP secret database stores credentials for services like PPPoE, PPTP, and L2TP.”
René Meneses MTCNA Study Guide – PPP Configuration Section:
“Users for PPP-based protocols are configured under PPP → Secrets. This includes PPPoE, PPTP, and L2TP.”
MikroTik Wiki – PPP Secrets Window:
“Secrets are used to authenticate users for all PPP interfaces. HotSpot users are managed separately under /ip hotspot user.”
Option A: HotSpot users → /ip hotspot user
Option B: Wireless users connect via WPA/802.11 — not listed in PPP
Option F: Winbox users refer to /user under system user management
Final Answer: C, D, E
QUESTION NO: 100 [RouterOS Introduction]
Select valid MAC-address:
A. G2:60:CF:21:99:H0
B. 00:00:5E:80:EE:B0
C. AEC8:21F1:AA44:54FF:1111:DDAE:0212:1201
D. 192.168.0.0/16
Answer: B
A valid MAC address must meet the following criteria:
Be 6 bytes (48 bits) in length
Consist of only hexadecimal digits (0–9, A–F)
Written in six groups separated by colons or hyphens (e.g., 00:1A:2B:3C:4D:5E)
MTCNA Course Material – RouterOS MAC Address Basics:
“MAC addresses are 48-bit identifiers written as six pairs of hexadecimal digits. Invalid characters or incorrect length disqualifies an address.”
René Meneses MTCNA Guide – MAC Addressing Section:
“Each MAC is made up of 12 hexadecimal characters (6 octets). If a character like ‘G’ appears, or if it’s longer than 6 bytes, it is invalid.”
MikroTik Wiki – MAC Addressing Rules:
“Valid MAC format: XX:XX:XX:XX:XX:XX using only 0-9 and A-F. 192.168.0.0/16 is an IP subnet, not a MAC.”
Option A: Invalid — “G” and “H” are not hexadecimal characters
Option B: Valid — proper format and hex content
Option C: Invalid — Too long (appears to be IPv6 or malformed)
Option D: Invalid — this is an IP network (CIDR notation), not a MAC
Only Option B is correct.
The DoD model (also called the TCP/IP stack) has four layers. Which layer of the DoD model is equivalent to the Network layer of the OSI model?
A. Application
B. Host-to-Host
C. Internet
D. Network Access
The TCP/IP or DoD model includes the following layers:
Application
Host-to-Host
Internet
Network Access
The Internet layer in the DoD model is responsible for logical addressing and routing — matching the function of the OSI model's Layer 3 (Network Layer), which handles IP addressing and packet forwarding.
MTCNA Course Material – TCP/IP vs OSI Model:
“The Internet layer of the TCP/IP model maps directly to the OSI’s Network Layer and is responsible for logical addressing and routing.”
René Meneses MTCNA Study Guide – Layer Mapping Table:
“TCP/IP Internet Layer = OSI Network Layer. Handles IP routing, addressing.”
Other mappings:
Application = OSI Layers 5–7
Host-to-Host = OSI Layer 4 (Transport)
Network Access = OSI Layers 1–2
Final Answer: C
QUESTION NO: 114 [RouterOS Introduction – ARP]
Which of the following allows a router to respond to an ARP request that is intended for a remote host?
A. Gateway DP
B. Reverse ARP (RARP)
C. Proxy ARP
D. Inverse ARP (IARP)
Answer: C
Proxy ARP allows a router to answer ARP requests on behalf of another device. It is often used in networks where hosts don't have proper default gateways but still need to communicate with devices in different subnets.
MTCNA Course Material – ARP Types:
“Proxy ARP allows a router to respond to an ARP request for an IP address that is not on the local subnet, effectively acting as a proxy.”
René Meneses MTCNA Guide – ARP Configuration:
“Proxy ARP is useful for bridging two IP networks or for clients that do not have default gateways defined.”
MikroTik Wiki – ARP Modes:
“When Proxy ARP is enabled, the router replies to ARP requests for hosts that are not on the same subnet.”
Other options:
A: Gateway DP is not a standard term or protocol.
B: RARP maps MAC to IP — outdated and not used in this context.
D: Inverse ARP is used in Frame Relay, not Ethernet/IP networks.
Final Answer: C
QUESTION NO: 115 [DHCP]
You want to implement a mechanism that automates the IP configuration, including IP address, subnet mask, default gateway, and DNS information. Which protocol will you use to accomplish this?
A. SMTP
B. SNMP
C. DHCP
D. ARP
Answer: C
DHCP (Dynamic Host Configuration Protocol) is specifically designed to assign IP configuration details automatically to clients on a network, including:
IP address
Subnet mask
Default gateway
DNS servers
MTCNA Course Material – DHCP Server Function:
“DHCP is a service that dynamically assigns IP settings to clients, removing the need for manual configuration.”
René Meneses MTCNA Study Guide – DHCP Operation:
“DHCP provides automatic configuration of network parameters including IP, mask, DNS, and gateway.”
Other options:
A: SMTP is for email
B: SNMP is for monitoring
D: ARP resolves IP-to-MAC addresses
Final Answer: C
QUESTION NO: 116 [DHCP]
Which of the following describe the DHCP Discover message?
1. It uses FF:FF:FF:FF:FF:FF as a layer 2 broadcast.
2. It uses UDP as the Transport layer protocol.
3. It uses TCP as the Transport layer protocol.
4. It does not use a layer 2 destination address.
A. 1 only
B. 1 and 2
C. 3 and 4
D. 4 only
Answer: B
When a client sends a DHCP Discover message:
It does not yet have an IP address, so it sends a Layer 2 broadcast (FF:FF:FF:FF:FF:FF).
DHCP uses UDP, not TCP.
Specifically, it uses UDP port 67 (server) and 68 (client).
Layer 2 destination is broadcast — it certainly does use a Layer 2 address.
MTCNA Course Material – DHCP Process:
“The client broadcasts a DHCP Discover message to FF:FF:FF:FF:FF:FF using UDP ports 67 and 68.”
René Meneses MTCNA Study Guide – DHCP Message Types:
“DHCP uses UDP. Discovery messages are Layer 2 broadcasts to locate a DHCP server.”
MikroTik Wiki – DHCP Protocol Behavior:
“The Discover message uses UDP and broadcast MAC addressing.”
Statements:
1: True (Layer 2 broadcast)
2: True (Uses UDP)
3: False (TCP not used)
4: False (Layer 2 destination address is broadcast)
────────────────────────────────────────────────────────────
There are two wireless cards (wlan1 and wlan2) which are bridged together. On the wlan1 card there is a setting "Forwarding=no". Choose the correct answer(s):
A. Stations on wlan2 will be able to communicate with stations on wlan2
B. Stations on wlan2 will be able to communicate with stations on wlan1
C. Stations on wlan1 will be able to communicate with stations on wlan1
D. To prevent communication between wlan1 and wlan2 one cannot use Bridge Filters
E. Stations on wlan1 will be able to communicate with stations on wlan2
Setting "forwarding=no" on a wireless interface prevents communication between connected clients on that interface and between that interface and other interfaces in the same bridge. This means:
Stations connected to wlan1 cannot talk to each other
Stations on wlan1 cannot talk to stations on wlan2 (even if bridged)
Stations on wlan2 can talk to each other normally
Evaluation:
A. ✅ Correct – forwarding=no does not affect wlan2
B. ❌ Incorrect – forwarding=no blocks this
C. ✅ Correct – clients on wlan1 cannot talk to each other either
D. ❌ Bridge filters can be used but this scenario is about forwarding settings
E. ❌ Blocked by forwarding=no
MTCNA Wireless Module – Wireless Forwarding Behavior:
“Forwarding=no disables client-to-client communication on the interface and across bridges.”
René Meneses Study Guide – Wireless Access Config:
“Use forwarding=no to isolate clients on the same AP. Affects bridging too.”
Terry Combs Notes – Wireless Isolation:
“Setting forwarding=no isolates all clients on that wireless card.”
Answer: A, C
QUESTION NO: 81 [Wireless]
Consider a wireless access point with mode=ap-bridge. What is the maximum number of concurrent clients that can connect to it?
A. 2007
B. 2012
C. 2048
D. 1024
Answer: C
In MikroTik RouterOS, the theoretical maximum number of clients that can associate with an AP in ap-bridge mode is 2048. However, practical limits depend on hardware performance and network stability, and most real-world setups use far fewer clients.
Let’s review:
A. 2007 → ❌ Close, but not the actual hard limit
B. 2012 → ❌ Incorrect
C. ✅ 2048 → Correct per MikroTik’s AP mode specification
D. 1024 → ❌ Lower than the actual maximum
MTCNA Wireless Module – AP Behavior:
“In ap-bridge mode, the maximum theoretical client limit is 2048. Actual stable operation may be lower.”
René Meneses Guide – Wireless Scaling:
“2048 is the upper limit for client associations on a MikroTik AP in bridge mode.”
Terry Combs Notes – Client Capacity:
“2048 clients = maximum. Performance may degrade before that in high-traffic environments.”
Mark all packages required for PPPoE server on MikroTik RouterOS
A. ppp
B. user-manager
C. radius
D. synchronous
E. system
The PPPoE server functionality in RouterOS relies primarily on the PPP package, which includes support for protocols like PPP, PPPoE, PPTP, L2TP, SSTP, etc. The system package is also always required, as it contains the core OS components.
Option breakdown:
A. ✔ ppp – Required. Contains all PPP and PPPoE server/client implementations.
B. ✘ user-manager – Optional. Used for advanced AAA (authentication/accounting), not required for basic PPPoE.
C. ✘ radius – Optional. Used for external authentication, not essential unless RADIUS integration is needed.
D. ✘ synchronous – Used for legacy synchronous interfaces (e.g., serial or modem), not for PPPoE.
E. ✔ system – Required for all RouterOS functions.
Extract from Official MTCNA Course Material – RouterOS Packages:
“To enable PPPoE server functionality, you need the ppp and system packages. Radius and User Manager are optional.”
Extract from René Meneses MTCNA Study Guide – PPPoE Deployment:
“Only the ppp and system packages are strictly required. Additional features like radius are for centralized authentication.”
Extract from MikroTik Wiki – RouterOS Package Descriptions:
“ppp: required for PPP, PPTP, L2TP, PPPoE; system: required core package. user-manager and radius are optional.”
===========
What flavor of Network Address Translation can be used to have one IP address allow many users to connect to the global Internet?
A. NAT
B. Static
C. Dynamic
D. PAT
PAT (Port Address Translation) is a subtype of NAT that maps multiple private IP addresses to a single public IP address using different port numbers. It is the most common form of NAT used in home and business networks to allow multiple internal hosts to access the internet using one public IP address.
MTCNA Course Material – NAT Concepts:
“PAT (also known as NAT overload) allows multiple devices to share a single public IP address. It uses different port numbers to distinguish sessions.”
Cisco IOS NAT Configuration Guide:
“PAT translates multiple local IP addresses to one public IP address by assigning different port numbers to each session.”
Other options:
A: Generic term — not specific enough
B: Static NAT maps one private IP to one public IP
C: Dynamic NAT maps private IPs to a pool of public IPs, not one-to-many
Final Answer: D
QUESTION NO: 149 [IPv6 – Addressing Standards]
How long is an IPv6 address?
A. 32 bits
B. 128 bytes
C. 64 bits
D. 128 bits
Answer: D
IPv6 addresses are 128 bits in length, represented as eight groups of four hexadecimal digits separated by colons (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334). This allows for a vastly larger address space compared to IPv4 (32 bits).
MTCNA Course Material – IPv6 Basics:
“An IPv6 address is 128 bits long, providing 3.4×10^38 possible addresses. It is written in hexadecimal format.”
René Meneses MTCNA Study Guide – IPv6 Addressing:
“IPv6 = 128 bits, not bytes. Address includes a 64-bit network prefix and 64-bit interface identifier.”
Other options:
A: 32 bits is IPv4
B: 128 bytes = 1024 bits — incorrect
C: 64 bits = only half of an IPv6 address
Final Answer: D
QUESTION NO: 150 [IP Addressing – Subnetting]
How many usable IP addresses are there in a 23-bit (255.255.254.0) subnet?
A. 512
B. 510
C. 508
D. 254
Answer: B
A /23 subnet provides 2^9 = 512 total addresses.
Subtract 2 (network address + broadcast address)
512 – 2 = 510 usable IP addresses
MTCNA Course Material – Subnet Calculations:
“For any subnet, usable hosts = 2^(32 – subnet mask bits) – 2.”
René Meneses MTCNA Study Guide – IP Subnetting:
“/23 provides 512 total addresses; usable = 510 after subtracting network and broadcast.”
Option Breakdown:
A: Total addresses (512)
B: ✔ Usable addresses (510)
C: Incorrect (508 is for /23 minus 4 — not relevant here)
D: 254 is usable for /24
From which of the following locations can you obtain Winbox?
A. Router’s webpage
B. Files menu in your router
C. Via the console cable
D. mikrotik.com
Winbox is a small, native Windows utility provided by MikroTik for graphical administration of RouterOS devices. It is typically downloaded from MikroTik's official website.
A. Router’s webpage → Incorrect. While the router’s WebFig interface may allow configuration, it does not offer a Winbox download.
B. Files menu → Incorrect. The Files menu is for storing backups or firmware packages, not distributing Winbox.
C. Console cable → Incorrect. Console access is CLI only; no GUI utilities can be transferred through it.
D. mikrotik.com → Correct. The only official and secure location to download Winbox is the MikroTik website.
Extract from Official MTCNA Course Material – RouterOS Introduction:
“Winbox can be downloaded from the official MikroTik website. It provides a GUI frontend for managing RouterOS.”
Extract from René Meneses MTCNA Study Guide – RouterOS Access Methods:
“You can download Winbox from mikrotik.com under the Software Tools section.”
Extract from Terry Combs MTCNA Notes – Access Methods:
“Winbox is a Windows application that must be downloaded from MikroTik’s website. It is not available directly from the router.”
===========
/interface wireless access-list is used for:
A. Handles a list of Client's MAC Address to permit/deny connection to AP
B. Shows a list of Client's MAC Address that are already registered at AP
C. Contains the security profiles settings
D. Authenticate Hot-Spot users
The /interface wireless access-list in MikroTik is used to define a set of rules that permit or deny wireless clients based on their MAC addresses and signal strength.
This list applies only to clients trying to connect to the router’s wireless interface when it is configured as an Access Point.
Let’s break down the options:
A. ✅ Correct – Used to allow or deny client MAC addresses and apply settings like rate limits, VLANs, etc.
B. ❌ That’s the role of the registration table.
C. ❌ Security profiles are configured separately under /interface wireless security-profiles.
D. ❌ Hotspot authentication is handled via /ip hotspot, not wireless access lists.
MTCNA Wireless Module – MAC Access Control:
“Access-list matches incoming clients by MAC. You can allow, deny, and apply custom settings.”
René Meneses Study Guide – Wireless Security:
“Access-list is used to explicitly permit or block clients based on their MAC address.”
Terry Combs Notes – Wireless Filtering:
“Think of access-list like a whitelist/blacklist for Wi-Fi clients.”
Answer: A
QUESTION NO: 65 [Firewall]
One host on an internal network is accessing an external web page through a MikroTik router that is doing source NAT. Select the correct statement about the packets that flow from that web page to the host:
A. Packets go through the input chain
B. Packets go through the forward chain
C. Packets go through the output chain
D. Packets go through the input chain before the routing decision and after that through output chain
Answer: B
When a host on a LAN accesses a website on the internet via a MikroTik router that’s performing source NAT (e.g., masquerade), the traffic path is as follows:
From LAN host to internet → forward chain → NAT (src-nat)
From internet back to LAN host → forward chain again → connection-tracked → src-nat reversed
Since the router is only routing the packets and is not the originator or final destination, the packet passes through the forward chain.
Clarifying the options:
A. ❌ input chain is for packets destined to the router itself
B. ✅ Correct – packet is routed through the router (forwarded)
C. ❌ output chain is for packets originating from the router
D. ❌ This description applies to packets sourced by the router itself
MTCNA Course Manual – Packet Flow Diagram:
“Forward chain handles packets that are being routed through the device (not destined to or from the router itself).”
René Meneses Guide – Firewall Chains:
“For routed traffic, the forward chain is used. This includes NATed traffic between LAN and WAN.”
Terry Combs Notes – Packet Flow:
“Understand the router’s role. If it’s just forwarding, only the forward chain applies.”
Answer: B
===========
Is ARP used in the IPv6 protocol?
A. False
B. True
In IPv6, the Address Resolution Protocol (ARP) is not used. Instead, IPv6 uses the Neighbor Discovery Protocol (NDP), which is part of the ICMPv6 suite. NDP handles address resolution, router discovery, and reachability.
MTCNA Course Material – IPv6 Address Resolution:
“IPv6 replaces ARP with Neighbor Discovery Protocol. NDP uses ICMPv6 to perform tasks like address resolution and router discovery.”
René Meneses MTCNA Study Guide – IPv6 Fundamentals:
“There is no ARP in IPv6. It uses NDP messages for neighbor solicitation and advertisement.”
Thus, ARP is not used in IPv6.
Final Answer: A
QUESTION NO: 152 [Monitoring and Management – SNMP Protocol]
Which of the following protocols / ports are used for SNMP (Simple Network Management Protocol)?
A. TCP 162
B. UDP 162
C. UDP 161
D. TCP 25
E. TCP 123
F. TCP 161
Answer: B, C
SNMP uses the following ports:
UDP 161: Used for SNMP agent queries (GET, SET, etc.)
UDP 162: Used by SNMP managers to receive trap notifications
MTCNA Course Material – SNMP and Monitoring:
“SNMP uses UDP 161 for polling devices and UDP 162 for traps.”
MikroTik Wiki – SNMP:
“SNMP communication uses UDP ports 161 (queries) and 162 (traps). TCP is not used for SNMP by default.”
Option breakdown:
A: TCP 162 → incorrect (SNMP traps use UDP)
B: ✔ UDP 162
C: ✔ UDP 161
D: TCP 25 = SMTP
E: TCP 123 = NTP (incorrect protocol and transport)
F: TCP 161 = incorrect transport
Final Answer: B, C
QUESTION NO: 153 [ARP – MikroTik Specific Behavior]
If arp=reply-only is configured on an interface, what will this interface do?
A. Accept all IP/MAC combinations listed in /ip arp as static entries
B. Accept all IP addresses listed in /ip arp as static entries
C. Add new MAC addresses in /ip arp list
D. Accept all MAC addresses listed in /ip arp as static entries
E. Add new IP addresses in /ip arp list
Answer: A
Setting arp=reply-only on an interface disables the normal dynamic ARP process. The router will only respond to ARP requests for IP/MAC pairs that are explicitly listed in /ip arp with type=static. No dynamic entries will be added.
MikroTik Wiki – ARP Modes:
“reply-only – the interface will only reply to ARP requests if there is a static entry. It will not add any new entries.”
MTCNA Course Material – ARP Configuration:
“When reply-only is set, the interface will not send ARP requests and will only respond to those IP/MAC combinations configured as static entries.”
Option breakdown:
A: ✔ Correct — replies only to statically configured IP/MAC pairs
B: Incorrect — ARP entries must have both IP and MAC
C/E: No new dynamic entries are added in reply-only mode
D: MAC addresses alone are not matched — ARP matches IP/MAC pairs
Final Answer: A
QUESTION NO: 154 [RouterOS Tools – Configuration Export]
Mark all correct statements about /export (rsc file).
A. Exports logs from /log print
B. Exports full configuration of the router
C. Exports only part of the configuration (for example /ip firewall)
D. Exports scripts from /system script
E. Exported files could not be edited
Answer: B, C, D
The /export command in RouterOS allows exporting configuration as a script (.rsc file). It can:
Export the full configuration
Export a specific section (e.g., /ip firewall)
Include scripts under /system script if specified
It does not export logs and the exported .rsc file is plain text and can be edited.
MTCNA Course Material – Configuration Management:
“/export outputs configuration to a text file. You can export the full config or a specific menu, and it includes scripts if present.”
MikroTik Wiki – Export Command:
“You can use /export to generate editable .rsc files. Use /export file=name or /ip firewall export.”
Option breakdown:
A: ❌ Logs are not exported
B: ✔ Full config export is default
C: ✔ You can target specific sections (e.g., /ip dhcp-server)
D: ✔ Scripts are included if present
E: ❌ Exported files are editable text files
Final Answer: B, C, D
===========
A client that has successfully connected to a wireless network is considered to be which of the following? Choose all that apply:
A. Authenticated
B. Associated
C. Unauthenticated
D. Unassociated
For a client to exchange data over a wireless network, it must complete two key steps:
Association – Establishes the basic radio link between client and access point
Authentication – Verifies credentials (e.g., WPA2 handshake)
When both are complete, the client is both authenticated and associated.
A. ✔ Authenticated – Encryption and access control is complete
B. ✔ Associated – Wireless radio link is established
C. ✘ Unauthenticated – Incorrect; client is verified
D. ✘ Unassociated – Incorrect; client is linked to AP
Extract from MTCNA Course Material – Wireless Client States:
“A connected client is associated (Layer 2) and authenticated (security/credentials verified).”
Extract from Terry Combs MTCNA Notes – Wireless States:
“Authenticated and associated are required for data transfer. Unassociated = disconnected.”
===========
Is action=masquerade allowed in chain=dstnat?
A. yes, but only if dst-addr is specified
B. yes
C. yes, but it works only for incoming connections
D. no
The action=masquerade is used exclusively in the srcnat chain. It dynamically hides internal IP addresses behind the router's public IP. It cannot be used in the dstnat chain.
A. ✘ Incorrect – masquerade is not allowed in dstnat regardless of parameters.
B. ✘ Incorrect – masquerade is not valid in the dstnat chain.
C. ✘ Incorrect – masquerade does not operate in dstnat, direction does not change this.
D. ✔ Correct – masquerade must only be used in chain=srcnat.
Extract from MTCNA Course Material – NAT Concepts:
“Masquerade is a special type of source NAT used only in the srcnat chain. It is invalid in dstnat.”
Extract from René Meneses Study Guide – NAT Actions:
“Use action=masquerade in chain=srcnat. RouterOS will not accept it in dstnat.”
Extract from MikroTik Wiki – NAT Rules:
“action=masquerade is not allowed in dstnat chain and will result in error if applied.”
===========
What is the default protocol/port of (secure) winbox?
A. UDP/5678
B. TCP/22
C. TCP/8291
D. TCP/8080
Winbox is the graphical configuration utility for MikroTik routers. By default, Winbox connects to RouterOS over TCP port 8291.
A. ✘ UDP/5678 – Used for Winbox neighbor discovery, not for connecting.
B. ✘ TCP/22 – SSH service.
C. ✔ TCP/8291 – Default and official port for Winbox connections.
D. ✘ TCP/8080 – Often used for HTTP proxy; unrelated to Winbox.
Extract from MTCNA Course Material – RouterOS Access Methods:
“Winbox uses TCP port 8291 to establish connections to RouterOS.”
Extract from René Meneses MTCNA Study Guide – Access Tools:
“Winbox connects via TCP 8291. Neighbor discovery uses UDP 5678.”
Extract from MikroTik Wiki – Winbox Port Info:
“TCP/8291 is the default port for Winbox. Ensure it is not blocked by firewall.”
===========
You cannot use OSPF and RIP routing protocols simultaneously on RouterOS.
A. FALSE
B. TRUE
MikroTik RouterOS supports running multiple dynamic routing protocols simultaneously, including RIP, OSPF, and BGP. They are independent processes and can be configured in parallel. This is commonly used in complex network environments or during routing migrations.
A. ✔ FALSE – You can run OSPF and RIP at the same time.
B. ✘ TRUE – Incorrect; both protocols are fully supported to coexist.
Extract from MTCNA Course Material – Dynamic Routing:
“RouterOS supports multiple dynamic routing protocols, including simultaneous use of RIP and OSPF.”
Extract from René Meneses Study Guide – Routing Protocols:
“You can configure both RIP and OSPF to run at the same time on a single router.”
Extract from MikroTik Wiki – Routing Overview:
“RouterOS allows multiple routing protocols to operate concurrently.”
===========
Evaluate the following information:
Access Point configuration:
-- wlan1 is in 'AP-Bridge' mode
-- Bridge1 has wlan1 and ether1 as ports
CPE configuration:
-- wlan1 is in 'Station-Bridge' mode
-- Bridge1 has wlan1 and ether1 as ports
Select protocols that will pass from ether1 on the CPE to ether1 on the Access Point:
A. IPv4
B. ARP
C. USB
D. BGP
E. Firewire
F. IPv6
G. DHCP
In this configuration, the wireless interface (wlan1) on the AP is in ap-bridge mode, and on the CPE it's in station-bridge mode. This mode allows full Layer 2 bridging over wireless, supporting all Ethernet-based protocols and services, including:
IPv4, IPv6, DHCP, ARP, PPPoE, and routing protocols like BGP (which use TCP/IP).
Protocols like USB or Firewire are hardware-level or local bus protocols and cannot be transmitted over Ethernet frames or wireless.
Option Review:
A. ✔ IPv4 – supported
B. ✔ ARP – Layer 2 protocol, supported
C. ✘ USB – not a network protocol, not transmitted over bridges
D. ✔ BGP – Layer 3 protocol, supported over bridged links
E. ✘ Firewire – not a Layer 2 or network protocol
F. ✔ IPv6 – fully supported
G. ✔ DHCP – Layer 3 broadcast protocol, works over bridges
H. ✔ PPPoE – Ethernet-based protocol, passes over Layer 2 bridge
Extract from Official MTCNA Course Material – Wireless Bridging:
“station-bridge mode allows transparent Layer 2 bridging, supporting all Ethernet protocols including IPv4, IPv6, ARP, DHCP, PPPoE, and more.”
Extract from René Meneses MTCNA Study Guide – Wireless Modes:
“Use station-bridge with ap-bridge to pass full Layer 2 traffic. This allows DHCP, PPPoE, and other protocols to work transparently.”
Extract from MikroTik Wiki – Station Bridge:
“station-bridge mode is used with MikroTik-only links and allows full Layer 2 protocol support, including dynamic IP assignments and bridging.”
===========
Which command is used to upgrade an IOS on a Cisco router?
A. copy tftp run
B. copy tftp start
C. config net
D. copy tftp flash
To upgrade or install a new Cisco IOS image on a router, you typically copy the IOS image file from a TFTP server into the router’s flash memory. The correct syntax is:
copy tftp flash
This command tells the router to copy the IOS image from a TFTP server into flash storage, where it can be booted.
Cisco IOS Documentation – Image Upgrade Process:
“Use the command copy tftp flash to transfer an IOS image from a TFTP server to the router’s flash memory.”
Other options:
A: copy tftp run – invalid; you cannot copy into the running-config that way
B: copy tftp start – used to copy configuration, not IOS image
C: config net – an older and deprecated command, not for IOS upgrades
Final Answer: D
QUESTION NO: 122 [RouterOS Introduction – ICMP and Diagnostics]
Which protocol does Ping use?
A. TCP
B. ARP
C. ICMP
D. BootP
Answer: C
Ping is a diagnostic utility used to test reachability between devices. It sends ICMP Echo Request packets and waits for ICMP Echo Replies. ICMP (Internet Control Message Protocol) is used for these types of control messages and is encapsulated within IP.
MTCNA Course Material – Diagnostic Tools:
“Ping uses ICMP Echo Requests to verify if a destination is reachable. It does not use TCP or UDP.”
René Meneses MTCNA Study Guide – Ping and ICMP:
“Ping uses ICMP, not TCP or ARP. ICMP packets are used to check basic connectivity.”
MikroTik Wiki – Ping Tool Description:
“Ping works by sending ICMP packets. It cannot use TCP.”
Other options:
TCP: Used by protocols like HTTP, FTP
ARP: Resolves IP to MAC, not used for ping
BootP: DHCP-related protocol, not diagnostic
Final Answer: C
QUESTION NO: 123 [Cisco – Frame Relay Troubleshooting]
What command will display the line, protocol, DLCI, and LMI information of an interface?
A. sh pvc
B. show interface
C. show frame-relay pvc
D. show run
Answer: C
In Cisco IOS, to display detailed Frame Relay virtual circuit information, including the line status, protocol status, DLCI (Data Link Connection Identifier), and LMI (Local Management Interface) details, the correct command is:
show frame-relay pvc
Cisco IOS Command Reference – Frame Relay:
“The show frame-relay pvc command displays information about PVC status, including DLCI numbers and LMI statistics.”
Breakdown:
A: sh pvc – shorthand and ambiguous, may not be recognized
B: show interface – general interface stats but lacks detailed LMI/DLCI info
C: show frame-relay pvc – ✔ correct, provides detailed DLCI/LMI info
D: show run – shows current configuration, not real-time PVC status
Final Answer: C
QUESTION NO: 124 [Networking Fundamentals – Ethernet and Switching]
How many collision domains are created when you segment a network with a 12-port switch?
A. 1
B. 2
C. 5
D. 12
Answer: D
Each port on a switch creates its own collision domain. Unlike hubs (which extend a single collision domain), switches segment each interface, allowing full-duplex communication and eliminating collisions.
MTCNA Course Material – Ethernet Switching Concepts:
“Each switch port is a separate collision domain. A 24-port switch creates 24 separate collision domains.”
René Meneses MTCNA Study Guide – Collision and Broadcast Domains:
“Switches break up collision domains per port, unlike hubs.”
Therefore, a 12-port switch creates 12 individual collision domains.
===========
What does the firewall action "log" do?
A. It logs and blocks the packet
B. It blocks and logs the packet
C. It adds a prefix to the packet and passes it through
D. It logs the packet
The log action in MikroTik's firewall does not block or drop packets. Instead, it generates a log entry for packets that match the rule and passes the packet to the next rule in the chain. It is used for monitoring, debugging, or auditing network behavior.
MTCNA Official Course Material – Firewall Filters:
“The action 'log' creates a log entry when a packet matches the rule. It does not terminate or alter the packet's flow. The packet continues to be processed by subsequent rules.”
René Meneses MTCNA Study Guide – Firewall Logging:
“Log action is used to generate logs for matched packets. It does not block or modify traffic.”
MikroTik Wiki – Firewall Actions:
“log – This action writes matching packets to the log. Logging rules have no effect on the packet’s behavior.”
Hence, Option D is correct: It logs the packet, nothing more.
Final Answer: D
QUESTION NO: 86 [Firewall]
Which of the following is true for connection tracking?
A. Connection tracking must be enabled for NAT'ed network
B. Enabling connection tracking reduces CPU usage in RouterOS
C. Disable connection tracking for mangle to work
D. Connection tracking must be enabled to be able to use all firewall features
Answer: D
Connection tracking (conntrack) is a feature that enables RouterOS to monitor and manage the state of all network connections passing through the router. It is essential for features like NAT, stateful firewalling, and proper use of mangle and filter rules.
MTCNA Course Material – Connection Tracking:
“Most firewall and NAT functionality depends on connection tracking being enabled. Without connection tracking, many features (like NAT) won’t function properly.”
René Meneses MTCNA Study Guide – Firewall Section:
“Connection tracking is required for NAT and most firewall filters. When disabled, connection-state-based filtering or NAT is not possible.”
Terry Combs MTCNA Notes – Conntrack Section:
“Conntrack must be enabled to use full firewall capabilities, including NAT and filtering by connection states like established and related.”
Option A is partially true but not complete.
Option B is incorrect – conntrack may increase CPU load due to session tracking.
Option C is incorrect – mangle rules often depend on connection marks which require conntrack.
Only Option D accurately captures the critical requirement of connection tracking.
Final Answer: D
QUESTION NO: 87 [RouterOS Introduction]
Which of the following keystrokes enables safe mode in console?
A. Ctrl+x
B. Ctrl+c
C. Ctrl+d
D. Ctrl+s
Answer: D
Safe Mode in MikroTik CLI is a protective mode that helps revert any unintended changes if you get disconnected. It is activated by pressing Ctrl+X in older versions, but the current standard keybinding for enabling safe mode is Ctrl+S.
MTCNA Course Material – Safe Mode:
“To enable safe mode in the terminal, press Ctrl+S. A confirmation [Safe Mode] will appear in the prompt. If the terminal is closed or disconnected, the changes are rolled back.”
René Meneses MTCNA Study Guide – Terminal Commands:
“Safe Mode can be activated using Ctrl+S. This is useful during remote configuration. It reverts changes if the terminal is closed.”
MikroTik Wiki – Safe Mode Section:
“To enter safe mode, press Ctrl+S in CLI. This ensures configuration rollback if disconnected.”
Other options:
Ctrl+C terminates commands or CLI input
Ctrl+X may not activate safe mode in newer versions
Ctrl+D is used to log out in some Unix-like terminals
Correct answer: Ctrl+S
Final Answer: D
QUESTION NO: 88 [Wireless]
Select the minimal set of software packages in RouterOS required to configure a wireless AP:
A. Wireless
B. advanced-tools
C. dhcp
D. routing
E. system
Answer: A
To configure a wireless access point (AP) in RouterOS, the only required software package is wireless. All other functionalities like DHCP or routing are optional depending on the network setup. The system package is always present and not removable, so it's not listed as a required dependency in package selection.
MTCNA Course Material – Wireless Configuration Basics:
“Wireless functionality is provided by the wireless package. Without it, no wireless interfaces are present or configurable.”
René Meneses MTCNA Guide – Wireless Module:
“Only the wireless package is required to configure an AP. DHCP is used optionally for IP address assignment.”
MikroTik Wiki – Packages:
“The wireless package is responsible for enabling WLAN interfaces and features such as AP mode, client mode, and security.”
Other packages:
advanced-tools: includes tools like bandwidth-test and traffic generator
dhcp: only needed if the router is issuing IPs
routing: required for static/dynamic routing but not AP setup
Only Option A is required.
===========
Which statements are true regarding ICMP packets?
1. ICMP guarantees datagram delivery.
2. ICMP can provide hosts with information about network problems.
3. ICMP is encapsulated within IP datagrams.
4. ICMP is encapsulated within UDP datagrams.
A. 1 only
B. 2 and 3
C. 1 and 4
D. All of the above
ICMP (Internet Control Message Protocol) is used for diagnostics and error reporting in IP networks. It is encapsulated directly within IP datagrams and not over UDP or TCP. It does not guarantee delivery — it merely provides feedback about problems (e.g., host unreachable, time exceeded).
MTCNA Course Material – ICMP and Network Tools:
“ICMP is used for error messages and operational queries such as ping and destination unreachable. It is encapsulated in IP and does not use TCP or UDP.”
René Meneses MTCNA Study Guide – ICMP Section:
“ICMP provides diagnostic information. It is a Layer 3 protocol encapsulated directly in IP. It does not provide guaranteed delivery.”
MikroTik Wiki – ICMP Overview:
“ICMP packets are carried in IP packets and used for control messages. They are not transported using TCP or UDP.”
Breakdown:
Statement 1: False – ICMP does not guarantee delivery
Statement 2: True – provides network problem feedback
Statement 3: True – encapsulated in IP
Statement 4: False – ICMP is not encapsulated in UDP
Correct set: 2 and 3
Final Answer: B
QUESTION NO: 106 [RouterOS Introduction]
Which Layer 4 protocol is used for a Telnet connection?
A. IP
B. TCP
C. TCP/IP
D. UDP
Answer: B
Telnet is a protocol used to access remote devices via command-line over the network. It operates over TCP at Layer 4, using port 23.
MTCNA Course Material – Layer 4 Protocols:
“Telnet uses TCP port 23 for remote shell access. TCP ensures ordered and reliable delivery of commands and responses.”
René Meneses MTCNA Study Guide – TCP/IP Protocols:
“Telnet is an Application Layer protocol using TCP as its transport protocol.”
MikroTik Wiki – Telnet Access:
“Telnet communicates over TCP. It does not use UDP.”
Other options:
A. IP is a Layer 3 protocol
C. TCP/IP is a model, not a single protocol
D. Telnet does not use UDP
Final Answer: B
QUESTION NO: 107 [RouterOS Introduction]
Which of the following are layers in the TCP/IP model?
1. Application
2. Session
3. Transport
4. Internet
5. Data Link
6. Physical
A. 1 and 2
B. 1, 3 and 4
C. 2, 3 and 5
D. 3, 4 and 5
Answer: B
The TCP/IP model has four layers:
Application
Transport
Internet
Network Access (includes Data Link & Physical in OSI terms)
Session is part of the OSI model, not TCP/IP.
MTCNA Course Material – TCP/IP vs OSI Model:
“The TCP/IP model has Application, Transport, Internet, and Network Access layers. Application includes OSI’s Session, Presentation, and Application layers.”
René Meneses MTCNA Guide – Model Comparison:
“The TCP/IP model consists of: Application, Transport, Internet, and Network Access (which covers Data Link and Physical). Session layer is part of OSI.”
So, correct TCP/IP layers from the given list:
Application (✔)
Transport (✔)
Internet (✔)
Session is not part of TCP/IP model.
Final Answer: B
QUESTION NO: 108 [RouterOS Introduction]
Which statements are true regarding ICMP packets?
1. They acknowledge receipt of a TCP segment.
2. They guarantee datagram delivery.
3. They can provide hosts with information about network problems.
4. They are encapsulated within IP datagrams.
A. 1 only
B. 2 and 3
C. 3 and 4
D. 2, 3 and 4
Answer: C
Reiterating from earlier:
ICMP does not acknowledge TCP segments; that’s TCP’s job.
ICMP does not guarantee delivery; it’s an unreliable protocol.
ICMP does provide diagnostics (e.g., unreachable, TTL exceeded).
ICMP is encapsulated directly in IP, not over TCP/UDP.
MTCNA Course Material – ICMP Behavior:
“ICMP is used for control messages like ping and unreachable. It provides feedback and is encapsulated in IP.”
René Meneses MTCNA Study Guide – ICMP & IP Layer:
“ICMP is a Layer 3 protocol, not used to acknowledge TCP, and is wrapped in IP datagrams.”
Correct:
Statement 3: True
Statement 4: True
===========
If you wish to block user access to MSN messenger, which chain should the firewall rule be placed in?
A. input
B. process
C. forward
D. output
In MikroTik’s firewall, the correct chain depends on the traffic direction and whether the traffic is destined for or originating from the router itself.
To block access to MSN (or any other service being accessed by a user from the LAN to the Internet), you must filter transit traffic. This is done in the forward chain.
A. input → Used for traffic destined to the router (e.g., WinBox, SSH).
B. ✘ process → Invalid option (does not exist in RouterOS).
C. ✔ forward → Used for user traffic passing through the router (e.g., LAN client to MSN servers on the Internet).
D. output → Used for traffic originating from the router itself (e.g., ping from router to external IP).
Extract from Official MTCNA Course Material – Firewall Chains:
“Use the forward chain to filter traffic passing through the router (LAN to WAN). Blocking access to external services like Facebook or MSN belongs here.”
Extract from René Meneses MTCNA Study Guide – Firewall Chains:
“To block Internet services for users, configure rules in the forward chain. Input is only for traffic targeting the router.”
Extract from MikroTik Wiki – Firewall Overview:
“forward: filters all traffic going through the router. For user access restrictions, place rules here.”
===========
Select which of the following are 'Public IP addresses':
A. 172.168.254.2
B. 172.28.73.21
C. 11.63.72.21
D. 10.110.50.37
E. 192.168.0.1
IP addresses are categorized as either public or private. According to the IANA (Internet Assigned Numbers Authority), the following are reserved for private use:
10.0.0.0 to 10.255.255.255 (Class A Private)
172.16.0.0 to 172.31.255.255 (Class B Private)
192.168.0.0 to 192.168.255.255 (Class C Private)
Any IP outside of these ranges is considered public and routable on the global internet.
Evaluation of each option:
A. 172.168.254.2 → This is in the 172.16.0.0 – 172.31.255.255 range → Private
B. 172.28.73.21 → Also falls in the same private 172.16.0.0/12 range → Private
C. 11.63.72.21 → Outside all private ranges → Public ✅
D. 10.110.50.37 → In the 10.0.0.0/8 range → Private
E. 192.168.0.1 → In the 192.168.0.0/16 private range → Private
Extract from René Meneses MTCNA Study Guide:
“Private IP ranges include 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These are non-routable over the public internet.”
Extract from Terry Combs Notes:
“Only IPs outside of the above ranges are considered public and routable. Watch out for 172.X.X.X — not all are public; only 172.0.0.0–172.15.255.255 and 172.32.0.0+ are public.”
MikroTik Wiki – IP Addressing Reference:
“Private addresses are not globally routable. They are used inside local networks and must be NATed for internet access.”
===========
How many IP addresses can one find in the header of an IP packet?
A. 4
B. 2
C. 3
D. 1
An IP packet contains two critical IP addresses in its header:
Source IP address – the IP of the sending host
Destination IP address – the IP of the receiving host
These addresses allow routers to forward the packet from source to destination over Layer 3 (Network Layer).
Other values in the IP header include TTL, protocol type, and checksum — but not additional IP addresses.
A. 4 → ❌ Incorrect. Only 2 IPs are included
B. 2 → ✅ Correct: Source and Destination
C. 3 → ❌ Some protocols like NAT may temporarily associate more addresses, but not in header
D. 1 → ❌ Incomplete
MTCNA Course Manual – IP Packet Structure:
“An IP packet always contains a source and destination IP address in the Layer 3 header. This allows routing to function across networks.”
René Meneses Guide – Packet Flow:
“IP headers are designed to carry the minimal information necessary for routing. That includes the source and destination IPs.”
Terry Combs Notes – Header Fields:
“Two IPs: one for sender, one for receiver. That’s all you’ll find in the IP header.”
Answer: B
QUESTION NO: 21 [Routing]
When viewing the routes in Winbox, some routes will show "DAC" in the first column. These flags mean:
A. Dynamic, Active, Console
B. Dynamic, Active, Connected
C. Direct, Available, Connected
D. Dynamic, Available, Created
Answer: B
MikroTik’s RouterOS assigns flags to routing table entries to describe how they were created and their status.
D = Dynamic (added automatically by the system)
A = Active (currently used by RouterOS)
C = Connected (directly connected subnet or interface)
Thus, "DAC" means:
→ Dynamic, Active, Connected ✅
Other flags that may appear include:
S = Static (manually added)
R = RIP
O = OSPF
B = BGP
MTCNA Course Manual – Routing Flags:
“DAC means that the route is dynamically added by the system, is currently active, and is directly connected to the device.”
René Meneses MTCNA Guide – Routing Table Interpretation:
“Flags help identify how the route was installed and its type. DAC is common for directly connected interfaces.”
Terry Combs Notes – Route Flags Table:
“DAC = Dynamic + Active + Connected. Usually appears after setting IP address on interface.”
Answer: B
QUESTION NO: 22 [RouterBOARD Hardware]
In which situations can Netinstall not be used to install RouterOS on a RouterBOARD?
A. The router is connected only to a secondary Ethernet port
B. The router does not have an operating system
C. The router is connected only to a wireless network
D. The password of the router is not known
Answer: C
Netinstall is a MikroTik utility used to reinstall or upgrade RouterOS. It requires a direct Ethernet connection to the router’s first Ethernet port and works via PXE (boot over Ethernet). It cannot function over wireless.
Let's review the options:
A. The router is connected only to a secondary Ethernet port → ❌ Netinstall works if booted over that port
B. The router does not have an operating system → ❌ This is the purpose of Netinstall
C. The router is connected only to a wireless network → ✅ Correct: Netinstall requires a wired Ethernet connection
D. The password of the router is not known → ❌ Netinstall bypasses current OS; password irrelevant
MTCNA Course Manual – RouterBOARD Recovery and Netinstall:
“Netinstall must be done over a wired Ethernet connection. Wireless booting is not supported.”
René Meneses Guide – System Recovery:
“Netinstall needs Layer 2 communication via Ethernet. It cannot operate over Wi-Fi.”
Terry Combs Notes – Netinstall Limitations:
“Netinstall does not support Wi-Fi. Must connect via Ethernet to first interface, preferably.”
Answer: C
QUESTION NO: 23 [DHCP]
DHCP server is configured on a router’s ether1 interface. IP address 192.168.0.100/24 is assigned to the interface. Possible IP pools, that can be used by this DHCP server, are:
A. 192.168.0.1–192.168.0.255
B. 192.169.0.1–192.169.0.254
C. 192.168.0.1–192.168.0.99, 192.168.0.101–192.168.0.254
D. 192.168.0.1–192.168.0.14
Answer: C
The router’s interface IP is 192.168.0.100/24, which belongs to the subnet 192.168.0.0–192.168.0.255.
However, 192.168.0.100 is already assigned to the router. So, this IP must be excluded from the DHCP pool to avoid conflicts.
C offers two valid ranges excluding .100:
→ 192.168.0.1–192.168.0.99
→ 192.168.0.101–192.168.0.254
Let’s evaluate other options:
A. 192.168.0.1–192.168.0.255 → ❌ Includes broadcast (.255) and router IP (.100) → Invalid
B. 192.169.0.1–192.169.0.254 → ❌ Completely wrong subnet
D. 192.168.0.1–192.168.0.14 → ✅ Valid but unnecessarily small
MTCNA DHCP Chapter – Address Pools:
“Make sure the pool does not include the router’s IP or the network’s broadcast address. Common errors involve overlapping pools.”
René Meneses MTCNA Guide – DHCP Configuration:
“Exclude the router’s own IP from the range. Use address pools below and above the assigned IP.”
Terry Combs Notes – DHCP Pool Tips:
“Split the pool to avoid assigning the interface IP to clients. Also avoid .0 and .255.”
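The pool checks used in the explanation above (same subnet, router address excluded, network and broadcast addresses excluded), written out as an added Python example that is not part of the original study material. The helper name `check_pool` is hypothetical, and the overlap check goes slightly beyond the four options in the question.

```python
from ipaddress import ip_address, ip_interface


def check_pool(interface_cidr, ranges):
    """Return a list of problems for a DHCP pool; an empty list means usable.

    interface_cidr: address on the DHCP server interface, e.g. "192.168.0.100/24"
    ranges: list of (first, last) address strings that make up the pool
    """
    iface = ip_interface(interface_cidr)
    net = iface.network
    # Addresses that must never be handed out to a client.
    reserved = {
        "router interface address": iface.ip,
        "network address": net.network_address,
        "broadcast address": net.broadcast_address,
    }
    problems = []
    checked = []  # ranges already accepted, used for the overlap check
    for first, last in ranges:
        lo, hi = ip_address(first), ip_address(last)
        label = f"{first}-{last}"
        if lo > hi:
            problems.append(f"{label}: start is above end")
            continue
        if lo not in net or hi not in net:
            problems.append(f"{label}: outside {net}")
            continue
        for what, addr in reserved.items():
            if lo <= addr <= hi:
                problems.append(f"{label}: contains {what} {addr}")
        for other_lo, other_hi in checked:
            if lo <= other_hi and other_lo <= hi:
                problems.append(f"{label}: overlaps {other_lo}-{other_hi}")
        checked.append((lo, hi))
    return problems


# Interface address and the four answer options, taken from the question.
INTERFACE = "192.168.0.100/24"
OPTIONS = {
    "A": [("192.168.0.1", "192.168.0.255")],
    "B": [("192.169.0.1", "192.169.0.254")],
    "C": [("192.168.0.1", "192.168.0.99"), ("192.168.0.101", "192.168.0.254")],
    "D": [("192.168.0.1", "192.168.0.14")],
}


def evaluate_options():
    """Map each option letter to the list of problems found for it."""
    return {letter: check_pool(INTERFACE, r) for letter, r in OPTIONS.items()}


if __name__ == "__main__":
    for letter, problems in evaluate_options().items():
        print(letter, "OK" if not problems else "; ".join(problems))
```
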
===========
Action=redirect is applied in:
A. chain=srcnat
B. chain=forward
C. chain=dstnat
The redirect action is only valid in the dstnat chain. It is used to redirect traffic to a service running on the router itself (e.g., redirecting HTTP to a local proxy server).
A. ✘ srcnat – Not compatible with redirect
B. ✘ forward – Redirect doesn’t apply in this chain
C. ✔ dstnat – This is the correct and only supported chain for action=redirect
Extract from Official MTCNA Course Material – NAT Actions:
“The redirect action is used within the dstnat chain to forward packets to the router’s local services.”
Extract from MikroTik Wiki – NAT Rule Actions:
“Redirect is used in dstnat chain and changes destination address to a local router IP and port.”
===========
If a packet comes to a router and starts a new, previously unseen connection, which connection state would be applied to it?
A. no connection state would be applied to such packet
B. new
C. unknown
D. invalid
E. established
MikroTik uses connection tracking to assign states to packets that pass through the router’s firewall. When a packet initiates a connection that is not previously tracked, it is marked as new.
Connection states:
new: First packet of a new connection
established: Part of an existing tracked connection
related: New connection related to an existing one (e.g., FTP data channel)
invalid: Unrecognized or malformed connection
unknown: Used in very specific or rare circumstances (not common in IP-based networks)
Therefore:
A.✘Incorrect – All packets entering the firewall are tracked
B.✔Correct – This is a new connection
C.✘Incorrect – "unknown" is not used for typical traffic
D.✘Incorrect – Not invalid unless malformed or contextless
E.✘Incorrect – This is not an existing connection
Extract from Official MTCNA Course Material – Firewall Connection States:
“A packet that begins a new connection is marked as ‘new’. Connection tracking then continues monitoring that session.”
Extract from René Meneses MTCNA Study Guide – Connection Tracking:
“New connections receive the 'new' state. Firewall rules often start by permitting or blocking 'new' and 'established' states.”
Extract from MikroTik Wiki – Firewall and Connection States:
“State=new is assigned when no existing connection entry matches the incoming packet.”
===========
You want to transfer existing '/ip firewall filter' configuration from one router to a new system.
Choose the best possible way to do this:
Export only '/ip firewall filter'
Create backup only of '/ip firewall filter' rules
Create backup, edit backup file and restore on target router
Export global configuration and remove everything apart from '/ip firewall filter'
The best way to transfer only the firewall filter rules is to use the export command for just that section:
Command:
/ip firewall filter export
This produces a readable script containing only the firewall filter rules. This method is safer than editing binary backups and more efficient than exporting the global configuration and deleting unrelated parts.
Evaluation:
A.✅Correct – clean and script-based approach
B.❌You cannot selectively back up just firewall rules using the backup function (it’s system-wide)
C.❌Editing a backup file is not recommended and often not possible (it’s binary)
D.❌Too cumbersome and error-prone
MTCNA Course Manual – Configuration Transfer:
“Use export to get script output of specific sections. Backups are for full system restore.”
René Meneses Guide – Migrating Configurations:
“Export is recommended for transferring specific configurations like firewall rules.”
Terry Combs Notes – Export vs Backup:
“Backups = full system. Use export for clean, readable configuration transfer.”
Answer: A
QUESTION NO: 79 [DHCP]
How many DHCP servers can be configured per interface on RouterOS?
A. Five
B. One
C. Two
D. Unlimited
Answer: B
RouterOS allows only one DHCP server instance per interface. If you attempt to assign more than one DHCP server to the same interface, RouterOS will throw an error.
If you need to serve multiple subnets or ranges, this must be done on different interfaces or by configuring DHCP relay or advanced routing.
MTCNA DHCP Module – Server Configuration:
“One DHCP server per interface is allowed. Assigning multiple servers to a single interface is not supported.”
René Meneses Study Guide – DHCP Design:
“Plan carefully: one server per interface. Use DHCP relay if multiple scopes are needed.”
Terry Combs Notes – DHCP Server Behavior:
“Trying to configure two servers on the same port results in failure.”
What is the meaning of the letter "R" on an active session in the menu PPP Active Connections?
Radius
Running
Remote
In the PPP > Active Connections window in RouterOS, the letter "R" in the "Flags" column indicates the session is Running. This means the session is active and fully negotiated.
A.✘Radius – Not what "R" stands for in this context
B.✔Running – The connection is established and currently operating
C.✘Remote – Not relevant in this context
Extract from MTCNA Course Material – PPP Interface Flags:
“R indicates a Running state. The session is successfully established and data can be transmitted.”
Extract from MikroTik Wiki – PPP Flags Reference:
“R = Running. The session is active.”
You have a DHCP server on your MikroTik router. The IP addresses 10.1.2.2–10.2.2.20 are distributed in the DHCP network. Additionally, 3 static IP addresses are defined for your servers: 10.1.2.31–10.1.2.33.
After a while, 20 more IP addresses need to be distributed in the network. It is possible to distribute the extra IP addresses without adding another DHCP Server:
True
False
MikroTik RouterOS allows DHCP administrators to modify the DHCP address pool without creating an additional DHCP server. You can simply edit or extend the address pool range, and the DHCP server will start offering those new IPs.
Therefore, it is completely possible to:
Extend the existing address pool
Exclude statically assigned IPs
Continue using the same DHCP Server instance
You do NOT need to create a second DHCP server on the same interface.
MTCNA Course Manual – DHCP Configuration:
“It is possible to expand the address-pool dynamically without adding additional DHCP servers. Just add more IPs to the pool.”
René Meneses Study Guide – DHCP Pools Section:
“You can edit the address pool associated with the DHCP server anytime to include more addresses. No need to create another server.”
Terry Combs Notes – DHCP Tips:
“Keep one DHCP server per subnet. Extend pools via IP > Pool if more IPs are needed.”
Answer: A
QUESTION NO: 25 [Wireless]
In which order are the entries in Access List and Connect List processed?
A. By Signal Strength Range
B. By interface name
C. In sequence order
D. In a random order
Answer: C
MikroTik processes the entries in the Access List and Connect List in a top-down fashion, meaning that the first matching entry is the one applied. This is known as sequence order (from top to bottom).
Each rule is checked in the order it appears in the list, and once a match is found, the rest of the list is ignored for that client.
Incorrect options:
A. Signal strength is only a condition, not a sorting method
B. Interface names are part of rule conditions
D. Not random — rules are processed sequentially
MTCNA Official Training Manual – Wireless Access & Connect List:
“Rules in access-list and connect-list are checked in the order they are listed. Once a match is found, further rules are ignored.”
René Meneses Guide – Wireless Access Rules:
“Access-list is evaluated top-down. Sequence matters.”
Terry Combs MTCNA Notes – Wireless Filtering:
“Be careful with order. The first matching rule is applied — no exceptions.”
Answer: C
QUESTION NO: 26 [Wireless]
During a scan, in order to see all the available wireless frequencies that are supported by the card, the following option must be selected in the wireless card's "Frequency Mode":
A. superchannel
B. regulatory domain
C. manual txpower
Answer: A
In MikroTik RouterOS, enabling the "superchannel" frequency mode allows access to all frequencies supported by the wireless chip, including those that may be outside of country-specific regulatory limits. This mode is typically used in lab testing or in regions where regulations permit.
A. superchannel →✅Correct. Enables full frequency range
B. regulatory domain → Restricts visible frequencies to region’s law
C. manual txpower → Controls power output, not frequency scanning
MTCNA Course Material – Wireless Configuration Options:
“To unlock all available wireless frequencies for scanning or connection, enable the 'superchannel' frequency mode.”
René Meneses Study Guide – Wireless Advanced Config:
“Superchannel mode shows all channels supported by the hardware. Use with caution — may violate regulations.”
Terry Combs Notes – Wireless Modes:
“Want to see hidden or extended frequencies? Use superchannel mode. Not legal in every region.”
Answer: A
QUESTION NO: 27 [NAT]
It is required to make a web server on a private LAN visible on the public internet. Only the web server port should be visible to the public. Which of the following configuration steps must be met? (Select all that apply)
A. Public IP address of the web server must be installed on the NAT Router
B. In IP firewall NAT, there should be a dst-nat between the public IP of the router and the private IP of the web server
C. Connection Tracking must be enabled on NAT router
D. A route between the NAT router and the web server must exist
E. LAN address of the web server should be routable on the internet
Answer: B, C, D
To expose a web server behind a MikroTik router to the public, the following steps must be met:
B. dst-nat rule must be created to forward incoming requests (e.g., TCP port 80) to the internal web server IP →✅Required
C. Connection Tracking must be enabled, otherwise NAT rules won’t function →✅Required
D. A route between the NAT router and the web server must exist (usually a directly connected subnet) →✅Required
Incorrect Options:
A. The public IP does not need to be installed on the web server — it remains private →❌
E. Private LAN IP (like 192.168.x.x) does not need to be routable on the internet →❌
MTCNA Course Manual – NAT and Port Forwarding Section:
“To expose internal services to the public internet, use dst-nat. Ensure connection tracking is active and the server is reachable through routing.”
René Meneses Guide – NAT Configuration:
“DST-NAT forwards specific ports to internal IPs. Connection tracking is a prerequisite. LAN IPs remain private.”
Terry Combs Notes – Web Server NAT Rules:
“No need to assign public IP to server. Just configure a proper NAT rule and ensure routing exists internally.”
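The requirements above (a dst-nat rule, connection tracking, only the web port visible), combined with the connection states from the earlier firewall question, written out as a RouterOS configuration. This is an added example, not taken from the course material; 203.0.113.10 (router public IP), 192.168.88.10 (web server) and ether1 (WAN port) are assumed values.

```routeros
# Added example with constructed values:
#   203.0.113.10  = public IP configured on the router (documentation range)
#   192.168.88.10 = private IP of the web server on the LAN
#   ether1        = WAN-facing interface

# NAT depends on connection tracking. "auto" (the default) turns tracking on
# as soon as firewall filter or NAT rules exist.
/ip firewall connection tracking set enabled=auto

# Port forward: only TCP/80 arriving at the public IP is rewritten to the server.
/ip firewall nat
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="publish web server"

# Stateful forward filter. Rules are evaluated top-down, first match wins.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="packets of already tracked connections"
add chain=forward connection-state=invalid action=drop \
    comment="packets that match no valid tracked connection"
# By the time the packet reaches the forward chain its destination is already
# the private address, so the rule matches on 192.168.88.10.
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat protocol=tcp dst-port=80 \
    dst-address=192.168.88.10 action=accept \
    comment="new connections to the published port only"
add chain=forward in-interface=ether1 action=drop \
    comment="everything else arriving from the WAN"
```

The final drop rule is what keeps every other LAN service invisible from the internet; the dst-nat rule alone only decides where port 80 goes.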
════════════════════════════════════════════
TESTED 16 Jun 2025