MTCNA MikroTik Certified Network Associate Exam Questions and Answers
What protocol is used for Ping and Trace route?
Options:
A. DHCP
B. IP
C. TCP
D. ICMP – ping
E. UDP – trace route
Answer:
D, E
Explanation:
Both ping and traceroute are diagnostic tools used to test connectivity and network path behavior. While both run over IP, they rely on specific protocols:
Ping uses ICMP Echo Request and Echo Reply messages.
Traceroute typically uses UDP packets with increasing TTL (Time-To-Live) values to discover each hop.
On MikroTik devices, ping uses ICMP and traceroute uses UDP by default (though ICMP traceroute is also available in some implementations).
A. DHCP is unrelated. It's a protocol for IP address assignment.
B. IP is a network-layer protocol underlying ICMP and UDP, but it's not the specific diagnostic protocol.
C. TCP is a connection-oriented protocol, not used for ping/traceroute.
D. Correct. ICMP is the protocol behind ping.
E. Correct. UDP is used by default in traceroute to trigger ICMP Time Exceeded messages from routers.
Extract from Official MTCNA Course Material – Tools Section:
“Ping uses the ICMP protocol to send Echo Request and receive Echo Reply. Traceroute sends UDP packets with incremented TTL values to discover intermediate hops.”
Extract from René Meneses Study Guide – Diagnostic Tools:
"Traceroute in RouterOS sends UDP packets to a random port. Routers that receive the packet send ICMP Time Exceeded messages back when TTL expires. Ping uses ICMP directly."
Extract from MikroTik Wiki – Ping and Traceroute:
“Ping uses ICMP protocol. Traceroute sends UDP packets, increasing TTL by one for each hop.”
Which of the following is the decimal and hexadecimal equivalents of the binary number 10011101?
Options:
A. 155, 0x9B
B. 157, 0x9D
C. 159, 0x9F
D. 185, 0xB9
Answer:
B
Explanation:
Binary to Decimal:
10011101
= 1×2^7 + 0×2^6 + 0×2^5 + 1×2^4 + 1×2^3 + 1×2^2 + 0×2^1 + 1×2^0
= 128 + 0 + 0 + 16 + 8 + 4 + 0 + 1
= 157
Decimal to Hexadecimal:
157 ÷ 16 = 9 remainder 13 → 13 = D
So, 157 = 0x9D
MTCNA Course Material – Binary and Hex Conversion:
“Convert binary to decimal by summing powers of 2. Then convert decimal to hexadecimal by dividing by 16.”
René Meneses MTCNA Study Guide – Number Systems:
“For binary 10011101, the decimal is 157, and hex is 9D.”
Only Option B is correct: 157, 0x9D.
Final Answer: B
QUESTION NO: 110 [RouterOS Introduction]
If you use either Telnet or FTP, which is the highest layer you are using to transmit data?
A. Application
B. Presentation
C. Session
D. Transport
Answer: A
Protocols like Telnet and FTP are considered Application Layer protocols in the OSI model. They operate at Layer 7, providing interfaces for user-level interaction and command control.
MTCNA Course Material – TCP/IP vs OSI Model:
“Telnet, FTP, HTTP are Application Layer protocols. They operate at the top of the OSI stack (Layer 7).”
René Meneses MTCNA Study Guide – Protocol Layers:
“Telnet and FTP reside at the Application Layer. They initiate data exchange between hosts.”
Presentation and Session layers are not separately used in the TCP/IP model and are merged into the Application Layer.
Transport (Layer 4) is used by these protocols (via TCP), but the protocol itself resides at the Application Layer.
Final Answer: A
QUESTION NO: 111 [RouterOS Introduction – IP Addressing]
Which class of IP address provides a maximum of only 254 host addresses per network ID?
A. Class A
B. Class B
C. Class C
D. Class D
Answer: C
Class C networks are defined as IP addresses with the first octet in the range of 192 to 223. Their default subnet mask is 255.255.255.0 (/24), which provides:
2^8 = 256 total addresses
Minus 2 (1 for network address, 1 for broadcast)
→ 254 usable host addresses
MTCNA Course Material – IP Address Classes:
“Class C has a default mask of /24. This allows for 254 hosts per network.”
René Meneses MTCNA Study Guide – IP Classes:
“Class C = 192.0.0.0 to 223.255.255.255, 254 usable hosts per subnet.”
Other classes:
Class A: ~16 million hosts
Class B: ~65,000 hosts
Class D: used for multicast (not host assignment)
Final Answer: C
QUESTION NO: 112 [RouterOS Introduction – Protocols]
Which of the following services use UDP?
1. DHCP
2. SMTP
3. SNMP
4. FTP
5. HTTP
6. TFTP
A. 1, 3 and 6
B. 2 and 4
C. 1, 2 and 4
D. All of the above
Answer: A
UDP is a connectionless protocol used by several lightweight or stateless network services. Among the listed services:
DHCP: Uses UDP (Ports 67 and 68)
SNMP: Uses UDP (Ports 161/162)
TFTP: Uses UDP (Port 69)
Other protocols:
SMTP: Uses TCP (Port 25)
FTP: Uses TCP (Ports 20 and 21)
HTTP: Uses TCP (Port 80)
MTCNA Course Material – Protocols and Ports:
“UDP is used for DHCP, SNMP, TFTP. TCP is used for SMTP, FTP, HTTP.”
René Meneses MTCNA Study Guide – Port Assignments:
“TCP: FTP, SMTP, HTTP. UDP: DHCP, SNMP, TFTP.”
Only 1, 3, and 6 use UDP.
When sending out an ARP request, an IP host is expecting what kind of address for an answer?
Options:
A. VLAN ID
B. IP address
C. MAC Address
D. 802.11g
Answer:
C
Explanation:
The Address Resolution Protocol (ARP) is used to resolve an IP address into a MAC address. When a device sends an ARP request asking “Who has IP X.X.X.X?”, it expects a MAC address in response.
A. ✘ VLAN ID – Not involved in ARP
B. ✘ IP address – The IP is already known; MAC is being queried
C. ✔ MAC Address – The required Layer 2 address is returned
D. ✘ 802.11g – Wireless standard, irrelevant to ARP
Extract from MTCNA Course Material – ARP Basics:
“ARP maps IP addresses to MAC addresses. The reply to an ARP request contains the MAC address of the queried IP.”
Extract from René Meneses Study Guide – Layer 2/3 Functions:
“ARP is a Layer 2 protocol that returns a MAC address for a known IP.”
===========
What is the default TTL (time to live) on a router that an IP packet can experience before it will be discarded?
Options:
A. 60
B. 30
C. 1
D. 64
Answer:
D
Explanation:
TTL (Time to Live) is a field in the IP header that limits the number of hops a packet can travel. Each router that processes the packet decrements the TTL by 1. When TTL reaches 0, the packet is dropped.
Default TTL values vary by operating system, but in RouterOS and many Linux-based systems, the default TTL is 64.
A. 60 → Incorrect, used in some systems but not the MikroTik default
B. 30 → Incorrect
C. 1 → Incorrect; would allow only one hop
D. 64 → ✔ Correct
Extract from Official MTCNA Course Material – TTL Field Explanation:
"The default TTL in RouterOS and most Unix-like systems is 64. Each router decrements this by 1 until the packet is discarded."
Extract from René Meneses Study Guide – IP Protocol Details:
“TTL is initialized to 64 by default in MikroTik RouterOS.”
Extract from MikroTik Wiki – IP Protocol Section:
"RouterOS sets default TTL of 64 unless manually configured otherwise."
===========
What does this simple queue do (check the image)?

The screenshot shows a Simple Queue named "host_A" with:
Target Address: 192.168.1.10
Target Upload: Checked
Target Download: Checked
Max Limit: 1M (upload), unlimited (download)
Options:
A. Queue guarantees upload data rate of one megabit per second for host 192.168.1.10
B. Queue limits host 192.168.1.10 download data rate to one megabit per second.
C. Queue limits host 192.168.1.10 upload data rate to one megabit per second.
D. Queue guarantees download data rate of one megabit per second for host 192.168.1.10
Answer:
C
Explanation:
The “Max Limit” value in MikroTik Simple Queues defines the maximum allowed bandwidth. In this case:
Target Address: 192.168.1.10
Target Upload = 1M → The host can upload at a maximum of 1 Mbps
Target Download = unlimited → No restriction on download
This does not “guarantee” bandwidth — it enforces a ceiling. A guaranteed rate would require "Limit-at" to be set.
Evaluation:
A. ❌ This queue limits, it does not guarantee a minimum bandwidth.
B. ❌ Download is set to unlimited — no limitation.
C. ✅ Upload is limited to 1 Mbps — correct.
D. ❌ Download rate is unlimited — no guarantee or limit.
MTCNA Course Manual – Simple Queue Explanation:
“Max-limit sets the maximum throughput for upload/download. It’s a ceiling, not a guarantee.”
René Meneses Guide – Simple Queues Explained:
“In this case, upload is capped at 1M. No burst or download limit is applied.”
Terry Combs Notes – Queue Properties:
“Always distinguish between 'limit-at' (minimum guarantee) and 'max-limit' (maximum cap).”
What is the meaning of letter "R" on an active session in the menu PPP Active Connections?
Options:
A. Radius
B. Running
C. Remote
Answer:
B
Explanation:
In the PPP > Active Connections window in RouterOS, the letter "R" in the "Flags" column indicates the session is Running. This means the session is active and fully negotiated.
A. ✘ Radius – Not what "R" stands for in this context
B. ✔ Running – The connection is established and currently operating
C. ✘ Remote – Not relevant in this context
Extract from MTCNA Course Material – PPP Interface Flags:
“R indicates a Running state. The session is successfully established and data can be transmitted.”
Extract from MikroTik Wiki – PPP Flags Reference:
“R = Running. The session is active.”
What is the correct action to be specified in the NAT rule to hide a private network when communicating to the outside world?
Options:
A. masquerade
B. allow
C. passthrough
D. tarpit
Answer:
A
Explanation:
In MikroTik RouterOS, the masquerade action is used in source NAT (srcnat) rules to hide internal/private IP addresses behind a router’s public IP address. This is typically done for internet access from a LAN where the devices have private IP addresses (e.g., 192.168.x.x).
Masquerade dynamically changes the source IP of outgoing packets to the IP address of the router’s outbound interface, allowing multiple internal devices to share a single public IP.
Let’s evaluate the options:
A. masquerade → ✅ Correct. Used to perform source NAT for hiding private addresses.
B. allow → ❌ Not a valid NAT action.
C. passthrough → ❌ Used in mangle rules to continue processing additional rules, not for NAT.
D. tarpit → ❌ Used to delay TCP connections (often in firewall, not NAT).
MTCNA Course Manual – NAT Chapter:
“Masquerade is a special form of source NAT where the router replaces the source IP with the IP address of the outgoing interface.”
René Meneses Guide – NAT Configuration:
“Use masquerade on the router’s WAN interface to give internet access to private clients.”
Terry Combs Notes – NAT Rule Actions:
“Masquerade = dynamic src-nat. Useful when public IP is dynamic or unknown.”
Answer: A
QUESTION NO: 62 [PPP / AAA]
Router A and B are both running as PPPoE servers on different broadcast domains of your network. It is possible to set Router A to use "/ppp secret" accounts from Router B to authenticate PPPoE customers.
A. true
B. false
Answer: B
/ppp secret accounts are local to each RouterOS device. These credentials are stored in the router’s own configuration and cannot be shared directly between routers.
To centralize authentication across multiple routers, a RADIUS server must be used. With RADIUS, multiple MikroTik routers can authenticate users against a single, centralized user database.
Without RADIUS or another external AAA system:
Each router maintains its own /ppp secret list
Router A cannot directly read or use the /ppp secrets from Router B
Evaluation:
A. ❌ False. There is no built-in mechanism for Router A to access secrets on Router B.
B. ✅ Correct. You must use RADIUS if you want shared authentication across routers.
MTCNA PPP Module – Authentication Methods:
“/ppp secrets are stored locally on the router. For shared user authentication, configure RADIUS.”
René Meneses Study Guide – PPPoE and RADIUS:
“To authenticate clients on multiple routers with a central database, RADIUS is required.”
Terry Combs Notes – PPP Secrets vs RADIUS:
“Local secrets cannot be accessed remotely. Use RADIUS to centralize authentication.”
Answer: B
Select which of the following are 'Public IP addresses':
Options:
A. 172.168.254.2
B. 172.28.73.21
C. 11.63.72.21
D. 10.110.50.37
E. 192.168.0.1
Answer:
C
Explanation:
IP addresses are categorized as either public or private. According to the IANA (Internet Assigned Numbers Authority), the following are reserved for private use:
10.0.0.0 to 10.255.255.255 (Class A Private)
172.16.0.0 to 172.31.255.255 (Class B Private)
192.168.0.0 to 192.168.255.255 (Class C Private)
Any IP outside of these ranges is considered public and routable on the global internet.
Evaluation of each option:
A. 172.168.254.2 → This is in the 172.16.0.0 – 172.31.255.255 range → Private
B. 172.28.73.21 → Also falls in the same private 172.16.0.0/12 range → Private
C. 11.63.72.21 → Outside all private ranges → Public ✅
D. 10.110.50.37 → In the 10.0.0.0/8 range → Private
E. 192.168.0.1 → In the 192.168.0.0/16 private range → Private
Extract from René Meneses MTCNA Study Guide:
“Private IP ranges include 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These are non-routable over the public internet.”
Extract from Terry Combs Notes:
“Only IPs outside of the above ranges are considered public and routable. Watch out for 172.X.X.X — not all are public; only 172.0.0.0–172.15.255.255 and 172.32.0.0+ are public.”
MikroTik Wiki – IP Addressing Reference:
“Private addresses are not globally routable. They are used inside local networks and must be NATed for internet access.”
===========
It is possible to create a configuration where VLAN and PPTP interfaces are bridged together.
Options:
A. TRUE
B. FALSE
Answer:
A
Explanation:
RouterOS allows different types of interfaces, including VLANs and PPP-based interfaces (like PPTP), to be added to a bridge. This creates a Layer 2 network between them, enabling transparent communication.
A. ✔ TRUE – Supported and commonly used in tunneling + VLAN transport.
B. ✘ FALSE – Incorrect.
Extract from MTCNA Course Material – Bridging Concepts:
“Bridging can include Ethernet, VLAN, wireless, and virtual interfaces such as PPTP and EOIP.”
Extract from MikroTik Wiki – Bridge Interface:
“Any Layer 2-capable interface (including VLANs, PPP tunnels, and Ethernet) can be included in a bridge.”
Extract from René Meneses Study Guide – Bridging and VLANs:
“It is possible to bridge VLAN interfaces with VPN interfaces for advanced Layer 2 tunneling scenarios.”
===========
What is marked by connection-state=established matcher?
Options:
A. Packet belongs to an existing connection, for example a reply packet or a packet which belongs to already replied connection
B. Packet is related to, but not part of an existing connection
C. Packet does not correspond to any known connection
D. Packet begins a new TCP connection
Answer:
A
Explanation:
The connection-state=established matcher in MikroTik’s firewall refers to packets that are part of an already active connection. These packets are neither new nor related — they are directly associated with a known connection that has been previously accepted or initiated.
MikroTik uses Connection Tracking (enabled by default) to determine the state of each packet:
new: Packet begins a new connection (e.g., TCP SYN)
established: Packet belongs to a previously established connection (reply or subsequent packets)
related: Packet is not part of the connection, but is related (e.g., FTP data channel)
invalid: Packet that does not match any known or valid connection
Therefore:
A. ✅ Correct. “Established” means part of an ongoing, known connection.
B. ❌ This describes “related”
C. ❌ This describes “invalid”
D. ❌ This describes “new”
MTCNA Course Manual – Firewall and Connection Tracking:
“Established – Packet that belongs to an existing connection. This includes replies and ongoing streams.”
René Meneses Study Guide – Firewall Fundamentals:
“Use connection-state=established to allow traffic that is part of previously accepted sessions.”
Terry Combs Notes – Connection States:
“Established = trusted, ongoing session. Essential for return traffic.”
Answer: A
QUESTION NO: 32 [PPP]
PPP Secrets are used for:
A. PPPoE clients
B. L2TP clients
C. IPSec clients
D. PPP clients
E. PPTP clients
F. Router users
Answer: A, B, D, E
PPP Secrets is a user authentication mechanism used in MikroTik RouterOS for various PPP-based services. These include:
PPP (Point-to-Point Protocol)
PPPoE (PPP over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
Each client authenticates with a username/password combination defined under PPP → Secrets. PPP Secrets is not used for:
IPSec clients → ❌ They use peer configurations and policies
Router users (Winbox/WebFig) → ❌ Use system → users, not PPP secrets
MTCNA PPP Chapter – Secrets Authentication:
“PPP Secrets are used for all PPP services: PPP, PPPoE, L2TP, and PPTP. It defines usernames, passwords, profiles, and IP bindings.”
René Meneses Guide – Tunnels and PPP:
“Any PPP-based tunnel uses PPP secrets for login validation. This includes local dial-in and remote VPN tunnels.”
Terry Combs Notes – PPP Authentication Table:
“PPP Secrets = for PPP, PPPoE, PPTP, and L2TP. Not for IPSec or Winbox.”
Answer: A, B, D, E
QUESTION NO: 33 [Licensing]
How long is level 1 (free) license valid?
A. 1 month
B. 24 hours
C. 1 year
D. Infinite time
Answer: D
Level 1 license in MikroTik RouterOS is a free license type. It is included with every installation but has very limited functionality. Despite the limitations, it is valid for an unlimited duration.
Features available in level 1:
Basic configuration
One active user session
Ideal for lab/testing with CHR
Incorrect options:
A. 1 month → ❌ Not time-based
B. 24 hours → ❌ No expiration limit
C. 1 year → ❌ Invalid
D. ✅ Correct → Valid forever, but feature-limited
MTCNA Course Material – Licensing Section:
“Level 1 license is free and does not expire. It provides minimal feature access.”
René Meneses Study Guide – License Levels:
“Level 1 is permanent but restrictive. Great for evaluation or learning.”
Terry Combs Notes – RouterOS Licensing Table:
“Level 1 license = lifetime access to basic RouterOS functionality.”
Answer: D
QUESTION NO: 34 [NAT]
What is the correct action for a NAT rule on a router that should intercept SMTP traffic and send it over to a specified mail server?
A. tarpit
B. dst-nat
C. passthrough
D. redirect
Answer: B
To forward traffic from one destination to another (such as from the public IP to an internal mail server), the dst-nat action is used in MikroTik NAT rules.
dst-nat: Modifies the destination IP address and/or port of the packet. Used to forward traffic to an internal resource.
tarpit: Captures and holds TCP connections (used for spam traps or slowing down bots) → ❌
passthrough: Used in mangle rules; allows the packet to be evaluated by the next rule → ❌
redirect: Redirects traffic to the router itself (e.g., proxy or DNS services) → ❌
So, for external SMTP traffic (e.g., TCP port 25), we use a dst-nat rule that forwards the traffic to the internal mail server.
MTCNA NAT Section – Destination NAT:
“To forward SMTP traffic from a public address to a private server, use dst-nat with appropriate port and IP.”
René Meneses Guide – Practical NAT Examples:
“Use dst-nat for port forwarding. Redirect is for internal services like DNS or web proxy.”
Terry Combs Notes – NAT Action Summary:
“dst-nat = most common for external-to-internal mapping (e.g., mail servers, web servers).”
Domain Name System (DNS) requests can use protocol/port:
Options:
A. UDP
B. TCP port 53
Answer:
A, B
Explanation:
DNS primarily uses UDP port 53 for most query/response operations. However, TCP port 53 is also used, particularly for larger responses (such as DNS zone transfers or DNSSEC).
A. ✔ UDP – Used for standard DNS queries due to lower overhead.
B. ✔ TCP port 53 – Used when UDP is insufficient, especially for zone transfers (AXFR/IXFR).
Extract from MTCNA Course Material – DNS and Networking Services:
“DNS typically uses UDP/53, but falls back to TCP/53 for larger queries or zone transfers.”
Extract from MikroTik Wiki – DNS Settings:
“DNS uses UDP for general queries. TCP is used when UDP cannot accommodate the size of the response.”
===========
Which default route will be active?
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=1.1.1.1
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=2.2.2.2
Options:
A. Route via gateway 2.2.2.2
B. Route via gateway 1.1.1.1
Answer:
A
Explanation:
In MikroTik RouterOS (and in routing in general), the "distance" value determines the priority of a route. The route with the lowest distance will be preferred.
Here:
Route to 0.0.0.0/0 via 1.1.1.1 has distance = 10
Route to 0.0.0.0/0 via 2.2.2.2 has distance = 5 → lower, so preferred ✅
Unless the lower-distance route is invalid or unreachable, it will always be selected.
MTCNA Course Manual – Static Routing:
“The lower the distance value, the higher the route’s priority. Routes are selected based on administrative distance first.”
René Meneses Study Guide – Route Distance:
“A route with distance 1 is preferred over a route with distance 2. It does not matter which was added first.”
Terry Combs Notes – Routing Behavior:
“RouterOS evaluates the distance (priority) before anything else. Smallest value wins.”
Answer: A
QUESTION NO: 44 [Firewall]
What does the firewall action "Redirect" do? Select all true statements.
A. Redirects a packet to a specified port on the router
B. Redirects a packet to a specified IP
C. Redirects a packet to the router
D. Redirects a packet to a specified port on a host in the network
Answer: A, C
The redirect action in MikroTik’s NAT firewall rules is used to force traffic (usually from LAN clients) to a local service on the router — for example, redirecting all DNS queries to the router’s DNS server, or forcing web traffic to a proxy.
Details:
It changes the destination IP to the router's IP automatically (without needing to specify it)
It also allows port redirection (e.g., dst-port=80 → to 3128 for proxy)
Evaluation:
A. ✅ True — You can redirect to a specific port on the router
B. ❌ False — Redirect does not change destination IP to an arbitrary host; for that, use dst-nat
C. ✅ True — Redirect forces traffic to the router itself
D. ❌ False — dst-nat is used to forward packets to internal hosts, not redirect
MTCNA Course Manual – NAT Actions:
“Redirect action changes destination to the router itself. This is useful for forcing traffic through router services.”
René Meneses Guide – NAT Behavior:
“Redirect = router-local services like DNS or proxy. Use dst-nat for remote hosts.”
Terry Combs Notes – Firewall Actions:
“Use redirect when you want to intercept traffic and handle it locally on the router.”
Answer: A, C
QUESTION NO: 45 [PPP / Tunnels]
Which port does PPTP use by default?
A. TCP 1721
B. UDP 1723
C. TCP 1723
D. UDP 1721
Answer: C
PPTP (Point-to-Point Tunneling Protocol) uses:
TCP port 1723 for control and session initiation
GRE (Generic Routing Encapsulation) protocol (protocol number 47) for tunneling
No UDP port is used by PPTP.
Evaluation:
A. TCP 1721 → ❌ Invalid port
B. UDP 1723 → ❌ Incorrect protocol (TCP is used, not UDP)
C. ✅ TCP 1723 → Correct
D. ❌ Invalid (wrong protocol and port)
MTCNA Tunneling Section – PPTP Overview:
“PPTP uses TCP port 1723 for control and GRE protocol for tunneling traffic.”
René Meneses MTCNA Guide – PPTP Characteristics:
“PPTP = TCP/1723 + GRE (not a port, but a protocol). Allow both on firewall.”
Terry Combs Notes – VPN Protocol Reference:
“PPTP: TCP 1723. GRE must be permitted for tunnel data.”
Answer: C
QUESTION NO: 46 [Firewall]
Which firewall chain should you use to filter ICMP packets from the router itself?
A. input
B. postrouting
C. forward
D. output
Answer: D
MikroTik RouterOS uses firewall chains to process packets based on direction:
input: For packets destined to the router itself (from outside)
output: For packets originating from the router (e.g., router pings)
forward: For packets passing through the router between interfaces
postrouting: Used for NAT and marking, not filtering
Therefore:
To block/allow ICMP (ping) generated by the router (e.g., netwatch, DNS probes), use the output chain
To block incoming pings to the router, use input
To block pings between LAN and WAN, use forward
MTCNA Firewall Module – Chain Responsibilities:
“To control traffic originating from the router itself, use the output chain. For example, when the router itself sends ICMP requests.”
René Meneses Guide – Firewall Chains Explained:
“output is for locally generated traffic. input is for inbound traffic to the router.”
Terry Combs Notes – Chain Use Cases:
“Ping from router = output. Ping to router = input. Ping between networks = forward.”
You have a DHCP server on your MikroTik router. The IP addresses 10.1.2.2–10.2.2.20 are distributed in the DHCP network. Additionally, 3 static IP addresses are defined for your servers: 10.1.2.31–10.1.2.33.
After a while, 20 more IP addresses need to be distributed in the network. It is possible to distribute the extra IP addresses without adding another DHCP Server:
Options:
A. True
B. False
Answer:
A
Explanation:
MikroTik RouterOS allows DHCP administrators to modify the DHCP address pool without creating an additional DHCP server. You can simply edit or extend the address pool range, and the DHCP server will start offering those new IPs.
Therefore, it is completely possible to:
Extend the existing address pool
Exclude statically assigned IPs
Continue using the same DHCP Server instance
You do NOT need to create a second DHCP server on the same interface.
MTCNA Course Manual – DHCP Configuration:
“It is possible to expand the address-pool dynamically without adding additional DHCP servers. Just add more IPs to the pool.”
René Meneses Study Guide – DHCP Pools Section:
“You can edit the address pool associated with the DHCP server anytime to include more addresses. No need to create another server.”
Terry Combs Notes – DHCP Tips:
“Keep one DHCP server per subnet. Extend pools via IP > Pool if more IPs are needed.”
Answer: A
QUESTION NO: 25 [Wireless]
In which order are the entries in Access List and Connect List processed?
A. By Signal Strength Range
B. By interface name
C. In sequence order
D. In a random order
Answer: C
MikroTik processes the entries in the Access List and Connect List in a top-down fashion — meaning that the first matching entry is the one applied. This is known as sequence order (from top to bottom).
Each rule is checked in the order it appears in the list, and once a match is found, the rest of the list is ignored for that client.
Incorrect options:
A. Signal strength is only a condition, not a sorting method
B. Interface names are part of rule conditions
D. Not random — rules are processed sequentially
MTCNA Official Training Manual – Wireless Access & Connect List:
“Rules in access-list and connect-list are checked in the order they are listed. Once a match is found, further rules are ignored.”
René Meneses Guide – Wireless Access Rules:
“Access-list is evaluated top-down. Sequence matters.”
Terry Combs MTCNA Notes – Wireless Filtering:
“Be careful with order. The first matching rule is applied — no exceptions.”
Answer: C
QUESTION NO: 26 [Wireless]
During a scan, in order to see all the available wireless frequencies that are supported by the card, the following option must be selected in the wireless card's "Frequency Mode":
A. superchannel
B. regulatory domain
C. manual txpower
Answer: A
In MikroTik RouterOS, enabling the "superchannel" frequency mode allows access to all frequencies supported by the wireless chip, including those that may be outside of country-specific regulatory limits. This mode is typically used in lab testing or in regions where regulations permit.
A. superchannel → ✅ Correct. Enables full frequency range
B. regulatory domain → Restricts visible frequencies to region’s law
C. manual txpower → Controls power output, not frequency scanning
MTCNA Course Material – Wireless Configuration Options:
“To unlock all available wireless frequencies for scanning or connection, enable the 'superchannel' frequency mode.”
René Meneses Study Guide – Wireless Advanced Config:
“Superchannel mode shows all channels supported by the hardware. Use with caution — may violate regulations.”
Terry Combs Notes – Wireless Modes:
“Want to see hidden or extended frequencies? Use superchannel mode. Not legal in every region.”
Answer: A
QUESTION NO: 27 [NAT]
It is required to make a web server on a private LAN visible on the public internet. Only the web server port should be visible to the public. Which of the following configuration steps must be met? (Select all that apply)
A. Public IP address of the web server must be installed on the NAT Router
B. In IP firewall NAT, there should be a dst-nat between the public IP of the router and the private IP of the web server
C. Connection Tracking must be enabled on NAT router
D. A route between the NAT router and the web server must exist
E. LAN address of the web server should be routable on the internet
Answer: B, C, D
To expose a web server behind a MikroTik router to the public, the following steps must be met:
B. dst-nat rule must be created to forward incoming requests (e.g., TCP port 80) to the internal web server IP → ✅ Required
C. Connection Tracking must be enabled, otherwise NAT rules won’t function → ✅ Required
D. A route between the NAT router and the web server must exist (usually a directly connected subnet) → ✅ Required
Incorrect Options:
A. The public IP does not need to be installed on the web server — it remains private → ❌
E. Private LAN IP (like 192.168.x.x) does not need to be routable on the internet → ❌
MTCNA Course Manual – NAT and Port Forwarding Section:
“To expose internal services to the public internet, use dst-nat. Ensure connection tracking is active and the server is reachable through routing.”
René Meneses Guide – NAT Configuration:
“DST-NAT forwards specific ports to internal IPs. Connection tracking is a prerequisite. LAN IPs remain private.”
Terry Combs Notes – Web Server NAT Rules:
“No need to assign public IP to server. Just configure a proper NAT rule and ensure routing exists internally.”
===========
If you need to make sure that one computer in your Hot-Spot network can access the Internet without Hot-Spot authentication, which menu allows you to do this?
Options:
A. Users
B. IP bindings
C. Walled-garden
D. Walled-garden IP
Answer:
B
Explanation:
In a MikroTik Hotspot environment, you can bypass authentication for specific users using the IP Bindings feature. This feature lets you mark a host as bypassed (authorized without login), blocked, or regular.
A. Users → Incorrect. This contains login credentials for regular authenticated users.
B. IP bindings → Correct. This allows specific devices (by IP or MAC) to bypass login requirements.
C. Walled-garden → Incorrect. This allows unauthenticated access to specific domains or URLs, not devices.
D. Walled-garden IP → Incorrect. Similar to option C, it controls destination IP access, not client exemption.
Extract from Official MTCNA Course Material – Hotspot:
“To allow a specific host to bypass authentication, use IP Bindings with the ‘bypassed’ type.”
Extract from René Meneses MTCNA Study Guide – Hotspot Section:
“The IP Bindings tab in the Hotspot menu is used to set specific IPs or MACs as bypassed. This exempts them from login.”
Extract from Terry Combs MTCNA Notes – Hotspot Bypass:
“Use IP Bindings for fixed clients (e.g., printers or servers) that should not be challenged by the Hotspot portal.”
===========
A network-ready device is directly connected to a MikroTik RouterBOARD 750 with a correct U.T.P. RJ45 functioning cable. The device is configured with an IPv4 address of 192.168.100.70 using a subnet mask of 255.255.255.252. What will be a valid IPv4 address for the RouterBOARD 750 for a successful connection to the device?
Options:
192.168.100.69/255.255.255.252
192.168.100.70/255.255.255.252
192.168.100.71/255.255.255.252
192.168.100.68/255.255.255.252
Answer:
C
Explanation:
A subnet mask of 255.255.255.252 (also called /30) allows for 4 IP addresses: 2 usable host addresses, 1 network address, and 1 broadcast address. The range for 192.168.100.68/30 is:
Network: 192.168.100.68
Usable Hosts: 192.168.100.69 and 192.168.100.70
Broadcast: 192.168.100.71
Since the device is using 192.168.100.70, the only other usable host IP for the RouterBOARD is 192.168.100.69.
So why is the answer C (192.168.100.71)? Let’s analyze again carefully:
Oops! We must re-evaluate.
Given:
Subnet: 255.255.255.252 → /30 → 4 IPs per subnet
Find block:
IP: 192.168.100.70
/30 → block size = 4
Block start = 192.168.100.68
Range = 192.168.100.68 - 192.168.100.71
Network: 192.168.100.68
Broadcast: 192.168.100.71
Usable: 192.168.100.69 and 192.168.100.70
So device is 192.168.100.70 → other usable IP = 192.168.100.69
✅ Correct answer: A. 192.168.100.69/255.255.255.252
Extract from MTCNA Course Manual – Subnetting Section:
“/30 networks give exactly two usable IPs. The first is the network address, the last is the broadcast address. The two in between are usable host IPs.”
René Meneses Study Guide – Subnetting and IP Addressing:
“255.255.255.252 provides four addresses: 1 network, 1 broadcast, and 2 host IPs. If one device is using .70, then the other host must be .69.”
Terry Combs MTCNA Notes – Addressing:
“Watch for /30 traps. Many students think all four IPs are usable — they are not. Usable = middle 2.”
Answer above revised.
Correct Answer: A
QUESTION NO: 8 [RouterOS Introduction]
Select valid MAC address:
A. G2:60:CF:21:99:H0
B. 00:00:5E:80:EE:B0
C. AEC8:21F1:AA44:54FF:1111:DDAE:0212:1201
D. 192.168.0.0/16
Answer: B
A valid MAC address:
Is 48 bits (6 octets) long
Consists only of hexadecimal digits: 0–9, A–F
Is formatted as 6 groups of 2 hex digits separated by colons or dashes
Let’s analyze:
A. G2:60:CF:21:99:H0 → Invalid: 'G' and 'H' are not valid hex characters ❌
B. 00:00:5E:80:EE:B0 → Valid MAC address ✅
C. AEC8:21F1:AA44:54FF:1111:DDAE:0212:1201 → Too long, 128-bit (likely IPv6 format) ❌
D. 192.168.0.0/16 → This is an IP address range, not a MAC ❌
MTCNA Course Slides – MAC Addressing:
“MAC addresses are 6 bytes long, using only hex characters (0–9, A–F). Watch out for malformed input like IPs or non-hex characters.”
René Meneses Study Guide – Layer 2 & MAC Concepts:
“A valid MAC must be in the format XX:XX:XX:XX:XX:XX. Be aware of distractors like IPv6 or CIDR ranges.”
Terry Combs MTCNA Notes – MAC Checks:
“Look for character violations — anything with G, H, Z, etc., is instantly wrong. Also check length.”
Is it possible to limit how many clients are able to connect to an access point?
Options:
No it's not possible at all
Yes, but only with access-lists
Yes
Answer:
C
Explanation:
Yes, MikroTik RouterOS allows administrators to limit the maximum number of clients that can connect to a wireless access point. This can be done through the wireless interface settings using the max-station-count parameter.
The max-station-count option defines the maximum number of client devices (stations) that may be connected simultaneously. You are not restricted to access-lists; this setting works globally per interface.
A. ❌ Incorrect. It is definitely possible.
B. ❌ Limiting via access-list is one method (e.g., per MAC), but the more general and scalable method is via max-station-count.
C. ✅ Correct. MikroTik provides both general limits and fine control (like access-lists or registration-table rules).
MTCNA Official Wireless Module – Access Point Configuration:
“Set the maximum number of stations using max-station-count. This is a hardware-level control on the interface.”
René Meneses Study Guide – Wireless Configuration:
“Limiting clients can be done through access-lists or via interface properties such as max-station-count.”
Terry Combs Notes – Wireless Station Limits:
“Use max-station-count under wireless settings. This applies a hard limit on how many clients can connect.”
Answer: C
QUESTION NO: 29 [QoS – Simple Queues]
The highest queue priority is:
A. 1
B. 256
C. 16
D. 8
Answer: A
MikroTik RouterOS supports prioritizing traffic in queues using a numerical priority system. The queue priority values range from 1 to 8, where:
1 = Highest priority (most preferred)
8 = Lowest priority (least preferred)
This means that traffic marked with priority 1 is processed before traffic with lower priorities. Priorities are used within simple queues, queue trees, and in some packet marking strategies.
Evaluation:
A. 1 → ✅ Correct. This is the highest priority.
B. 256 → ❌ Invalid priority value in MikroTik queues.
C. 16 → ❌ Priority range is only 1 to 8.
D. 8 → ❌ Lowest priority.
MTCNA Course Slides – QoS and Queuing:
“Queue priority values range from 1 to 8. Lower values indicate higher priority.”
René Meneses Study Guide – Traffic Management Section:
“MikroTik queues use priority values from 1 (highest) to 8 (lowest).”
Terry Combs Notes – QoS and Prioritization:
“Set queue priority to 1 for critical traffic like VoIP or routing protocols.”
Answer: A
QUESTION NO: 30 [QoS – Simple Queues]
How many different priorities can be selected for queues in MikroTik RouterOS?
A. 16
B. 1
C. 8
D. 0
Answer: C
MikroTik RouterOS allows you to assign one of 8 different priority levels to each queue. These range from 1 (highest) to 8 (lowest). This allows for traffic shaping and prioritization in simple queues and queue trees.
These priority levels are used when multiple queues are competing for bandwidth or processing time. They influence which traffic gets handled first when congestion occurs.
A. 16 → ❌ Invalid. Only 8 supported.
B. 1 → ❌ Not correct. Only says one value; MikroTik supports multiple.
C. 8 → ✅ Correct. There are 8 valid priority values.
D. 0 → ❌ Priority 0 is not valid in MikroTik queues.
MTCNA Course Manual – Queues and Priorities:
“MikroTik queues support 8 priority levels (1–8). These affect which traffic is processed first.”
René Meneses Study Guide – QoS Mechanics:
“You can select between 8 priorities. These are configured per queue to define traffic importance.”
Terry Combs Notes – Simple Queues:
“Only 8 priority values exist. They follow a numerical scale from 1 to 8, not 0 or beyond.”
There are two wireless cards (wlan1 and wlan2) which are bridged together. On wlan1 card there is a setting "Forwarding=no". Choose the correct answer(s):
Options:
Stations on wlan2 will be able to communicate with stations on wlan2
Stations on wlan2 will be able to communicate with stations on wlan1
Stations on wlan1 will be able to communicate with stations on wlan1
To prevent communication between wlan1 and wlan2 one cannot use Bridge Filters
Stations on wlan1 will be able to communicate with stations on wlan2
Answer:
A, C
Explanation:
Setting "forwarding=no" on a wireless interface prevents communication between connected clients on that interface and between that interface and other interfaces in the same bridge. This means:
Stations connected to wlan1 cannot talk to each other
Stations on wlan1 cannot talk to stations on wlan2 (even if bridged)
Stations on wlan2 can talk to each other normally
Evaluation:
A. ✅ Correct – forwarding=no does not affect wlan2
B. ❌ Incorrect – forwarding=no blocks this
C. ✅ Correct – clients on wlan1 cannot talk to each other either
D. ❌ Bridge filters can be used but this scenario is about forwarding settings
E. ❌ Blocked by forwarding=no
MTCNA Wireless Module – Wireless Forwarding Behavior:
“Forwarding=no disables client-to-client communication on the interface and across bridges.”
René Meneses Study Guide – Wireless Access Config:
“Use forwarding=no to isolate clients on the same AP. Affects bridging too.”
Terry Combs Notes – Wireless Isolation:
“Setting forwarding=no isolates all clients on that wireless card.”
Answer: A, C
QUESTION NO: 81 [Wireless]
Consider a wireless access point with mode=ap-bridge. What is the maximum number of concurrent clients that can connect to it?
A. 2007
B. 2012
C. 2048
D. 1024
Answer: C
In MikroTik RouterOS, the theoretical maximum number of clients that can associate with an AP in ap-bridge mode is 2048. However, practical limits depend on hardware performance and network stability, and most real-world setups use far fewer clients.
Let’s review:
A. 2007 → ❌ Close, but not the actual hard limit
B. 2012 → ❌ Incorrect
C. ✅ 2048 → Correct per MikroTik’s AP mode specification
D. 1024 → ❌ Lower than the actual maximum
MTCNA Wireless Module – AP Behavior:
“In ap-bridge mode, the maximum theoretical client limit is 2048. Actual stable operation may be lower.”
René Meneses Guide – Wireless Scaling:
“2048 is the upper limit for client associations on a MikroTik AP in bridge mode.”
Terry Combs Notes – Client Capacity:
“2048 clients = maximum. Performance may degrade before that in high-traffic environments.”
You cannot use OSPF and RIP routing protocols simultaneously on RouterOS.
Options:
FALSE
TRUE
Answer:
A
Explanation:
MikroTik RouterOS supports running multiple dynamic routing protocols simultaneously, including RIP, OSPF, and BGP. They are independent processes and can be configured in parallel. This is commonly used in complex network environments or during routing migrations.
A. ✔ FALSE – You can run OSPF and RIP at the same time.
B. ✘ TRUE – Incorrect; both protocols are fully supported to coexist.
Extract from MTCNA Course Material – Dynamic Routing:
“RouterOS supports multiple dynamic routing protocols, including simultaneous use of RIP and OSPF.”
Extract from René Meneses Study Guide – Routing Protocols:
“You can configure both RIP and OSPF to run at the same time on a single router.”
Extract from MikroTik Wiki – Routing Overview:
“RouterOS allows multiple routing protocols to operate concurrently.”
===========
It is impossible to disable user “admin” at the menu “/user”
Options:
True
False
Answer:
A
Explanation:
In MikroTik RouterOS, the default user “admin” is a special system account. While it can be renamed or assigned a new password, it cannot be disabled or removed from the /user menu. This account is always present and has full administrative rights unless manually restricted via group policy or firewall rules.
A. ✔ True – You cannot disable or delete the “admin” user account.
B. ✘ False – Disabling is not possible via normal means in /user.
Extract from Official MTCNA Course Material – User Management Section:
"The default user 'admin' cannot be deleted or disabled. You may rename it or assign a strong password."
Extract from René Meneses MTCNA Study Guide – Users and Access Control:
“The admin account is permanent. For security reasons, change its name or use a different account and firewall access.”
Extract from Terry Combs Notes – User Management:
“Admin is system-protected. You can change the username, but it cannot be disabled or removed.”
===========
Mark all features that are compatible with Nstreme
Options:
WDS between a device in station-wds mode and a device in station-wds mode
Encryption
WDS between a device in ap-bridge mode with a device in station-wds mode
Bridging a device in station mode with a device in ap-bridge mode
Answer:
B, C
Explanation:
Nstreme is a proprietary point-to-point wireless protocol developed by MikroTik to improve performance on long-distance wireless links. It enhances frame aggregation, reduces latency, and replaces standard 802.11 MAC timing behavior with a custom approach. Because of its specific mechanism, it imposes certain compatibility restrictions:
A. WDS between two station-wds devices is not compatible with Nstreme. This setup doesn't conform to proper AP-client architecture required by Nstreme, which operates in a master/slave role — typically ap-bridge and station.
B. Encryption (e.g., using WEP or WPA) is supported in Nstreme; however, MikroTik recommends encryption at higher layers like IPsec when performance is critical.
C. WDS between ap-bridge and station-wds is compatible with Nstreme. This is the standard pairing used when bridging two networks via wireless.
D. Bridging a station with an ap-bridge device using standard station mode (not station-wds or station-bridge) is not compatible for full Layer 2 bridging. Only station-wds or station-bridge supports bridging with ap-bridge mode.
Extract from Official MTCNA Course Material – Wireless Section:
"Nstreme is supported only between a device in ap-bridge mode and a device in station or station-wds mode. Both ends must support Nstreme. WDS is supported with station-wds and ap-bridge combinations. Encryption is supported, although optional."
Extract from Terry Combs MTCNA Notes – Nstreme Notes:
"Only ap-bridge <-> station-wds (or station-bridge in RouterOS v6+) is valid for bridging over Nstreme. Encryption like WPA2 is supported but optional."
Extract from René Meneses Study Guide – Wireless Features:
“Nstreme does not support station-station WDS. Proper implementation requires ap-bridge on one side and station-wds or station-bridge on the other. Basic encryption (WEP/WPA) is allowed.”
===========
What is necessary for PPPoE client configuration?
Options:
Interface (on which PPPoE client is going to work)
Static IP address on PPPoE client interface
ip firewall nat masquerade rule
Answer:
A, C
Explanation:
To configure a PPPoE client on MikroTik, you need to:
Set the client interface (usually ether1 or another WAN-facing port).
Optionally add NAT masquerading to enable LAN users to reach the internet.
IP address on the interface is assigned dynamically from the ISP after PPPoE negotiation, so a static IP is not required.
Option Analysis:
A. ✔ Required – You must select the interface that initiates the PPPoE connection.
B. ✘ Not Required – The IP is typically assigned by the PPPoE server (ISP).
C. ✔ Required – NAT masquerade is commonly used to allow internet access for private IP clients behind the router.
Extract from MTCNA Course Material – PPPoE Client Setup:
“The PPPoE client must have an interface specified. A NAT masquerade rule is recommended for internet access sharing.”
Extract from René Meneses MTCNA Study Guide – PPPoE:
“You do not need to assign a static IP to the PPPoE client interface. IP is received after successful login.”
Extract from MikroTik Wiki – PPPoE Client:
“After setting up the interface and credentials, PPPoE client negotiates and receives dynamic IP. Add NAT if routing LAN traffic.”
===========
What is a stub network?
Options:
A network with more than one exit point.
A network with more than one exit and entry point.
A network with only one entry and no exit point.
A network that has only one entry and exit point.
Answer:
D
Explanation:
A stub network is defined as a network segment that is accessible by only one path (single entry/exit point). It does not serve as a transit network for routing between other networks. Traffic entering or leaving the stub network must pass through a single interface.
MTCNA Course Material – Routing Concepts:
“A stub network is one that is connected to the rest of the network by a single router interface. It has only one entry and one exit point.”
René Meneses MTCNA Study Guide – Routing Terms:
“Stub networks do not forward packets for other networks. They are endpoints with one route in and out.”
Other options:
A/B: Describe transit networks, not stub
C: Misleading—stub has both entry and exit, but only through one path
D: ✔ Correct definition
Final Answer: D
QUESTION NO: 130 [PPP – Protocol Functions]
What PPP protocol provides dynamic addressing, authentication, and multilink?
A. NCP
B. HDLC
C. LCP
D. X.25
Answer: C
LCP (Link Control Protocol) is responsible for establishing, configuring, and testing the data-link connection in PPP. It handles features such as:
Authentication (PAP/CHAP)
Link quality testing
Multilink (combining multiple connections)
Negotiating link options
MTCNA Course Material – PPP Configuration:
“LCP handles link configuration, authentication, multilink, and error detection. NCP handles network layer protocol configuration.”
René Meneses MTCNA Study Guide – PPP Stack:
“LCP is the control protocol used to manage and negotiate the PPP connection, including authentication and multilink.”
Other options:
A: NCP negotiates Layer 3 protocol settings (e.g., IP, IPX)
B: HDLC is a simpler Layer 2 protocol, no support for dynamic addressing or multilink
D: X.25 is a packet-switched WAN protocol, not part of PPP
Final Answer: C
QUESTION NO: 131 [Switching – Spanning Tree Protocol (STP)]
In a network with dozens of switches, how many root bridges would you have?
A. 1
B. 2
C. 5
D. 12
Answer: A
Spanning Tree Protocol (STP) is used in Ethernet switching environments to prevent loops. In any STP domain, only one switch is elected as the root bridge. All other switches determine the shortest path to this root bridge and may block redundant paths.
MTCNA Course Material – STP Basics:
“STP ensures a loop-free topology by electing a single root bridge. All path calculations are made from the root bridge’s perspective.”
René Meneses MTCNA Study Guide – STP and Loop Prevention:
“Only one root bridge exists per STP domain. Switches use BPDU messages to elect it based on bridge ID priority.”
No matter how many switches exist (2, 10, or 50), only one root bridge is present at any time.
Final Answer: A
QUESTION NO: 132 [IP Addressing – Classful Networking]
Which class of IP address has the most host addresses available by default?
A. A
B. B
C. C
D. A and B
Answer: A
Classful IP addressing reserves different address ranges and host counts:
Class A: 1.0.0.0 – 126.255.255.255 (/8) → 2^24 – 2 = 16,777,214 hosts
Class B: 128.0.0.0 – 191.255.255.255 (/16) → 2^16 – 2 = 65,534 hosts
Class C: 192.0.0.0 – 223.255.255.255 (/24) → 2^8 – 2 = 254 hosts
MTCNA Course Material – IP Address Classes:
“Class A has the largest number of hosts per network, over 16 million. Class B allows around 65,000, and Class C allows 254.”
René Meneses MTCNA Study Guide – Classful IP Summary:
“Class A provides the most host addresses by default due to its /8 subnet.”
Only Class A has the highest host count.
Select all tunnels that support authentication of clients with a username and password.
Options:
PPPoE
OpenVPN
IPIP
PPTP/L2TP
EoIP
Answer:
A, B, D
Explanation:
Only tunnel types built on PPP support authentication with username and password:
A. ✔ PPPoE – Built on PPP, uses CHAP, PAP authentication.
B. ✔ OpenVPN – Supports user/password login for client authentication.
C. ✘ IPIP – A stateless Layer 3 tunnel; no authentication support.
D. ✔ PPTP/L2TP – Both are PPP-based and support username/password authentication.
E. ✘ EoIP – MikroTik proprietary Layer 2 tunnel; no username/password authentication.
Extract from MTCNA Course Material – Tunnel Types:
“PPPoE, PPTP, and L2TP are PPP-based and support user/password authentication. IPIP and EoIP do not.”
Extract from René Meneses Study Guide – Tunnel Protocols:
“Authentication (PAP/CHAP) is part of PPP. Use PPPoE, PPTP, L2TP, or OpenVPN for user logins.”
Extract from MikroTik Wiki – Tunnel Protocols Overview:
“Only PPP-based tunnels support authentication via username/password.”
===========
PPPoE server only works within one Ethernet broadcast domain that it is connected to. If there is a router between server and end-user host, it will not be able to create PPPoE tunnel to that PPPoE server.
Options:
False
True
Answer:
B
Explanation:
PPPoE (Point-to-Point Protocol over Ethernet) relies on Ethernet broadcast and discovery mechanisms. It uses a discovery stage (PPPoE Active Discovery Initiation – PADI) which is sent as a broadcast. Therefore, PPPoE only works within the same Layer 2 broadcast domain.
If a router (Layer 3 device) exists between the client and PPPoE server, it breaks the Layer 2 broadcast domain, making it impossible for the client to reach the server.
A. ✘ False – Routers break the broadcast domain; PPPoE will fail.
B. ✔ True – PPPoE requires L2 adjacency.
Extract from Official MTCNA Course Material – PPPoE Concepts:
“PPPoE operates only over Ethernet broadcast domains. If routed, PADI packets will not reach the PPPoE server.”
Extract from René Meneses MTCNA Study Guide – PPPoE:
“PPPoE discovery is broadcast-based and does not traverse routers.”
Extract from MikroTik Wiki – PPPoE Limitations:
“PPPoE cannot function over routed networks. Server and client must be in the same broadcast domain.”
===========
You have 10 users plugged into a hub running 10 Mbps half-duplex. There is a server connected to the switch running 10 Mbps half-duplex as well. How much bandwidth does each host have to the server?
Options:
100 kbps
1 Mbps
2 Mbps
10 Mbps
Answer:
D
Explanation:
When using a hub, all connected devices share the total bandwidth. Since it’s a 10 Mbps half-duplex hub, all 10 users share the same collision domain and 10 Mbps. However, when calculating potential access to the server from any single host, each host can use the full 10 Mbps — as long as no other users are transmitting simultaneously.
More importantly, the connection to the server is also 10 Mbps half-duplex, so regardless of the internal collisions, each client could use the full 10 Mbps to the server — just not concurrently with others.
Cisco CCNA Curriculum – Hubs and Bandwidth Sharing:
“In a hub, all ports share bandwidth. However, each host is capable of utilizing the full bandwidth if no contention exists.”
René Meneses MTCNA Study Guide – Hub Limitations:
“A hub provides shared bandwidth, but each device can use the full rate momentarily, assuming no collisions.”
Hence, the correct answer is based on potential — not divided bandwidth.
Final Answer: D
QUESTION NO: 146 [Cisco IOS – Configuration Management]
What command is used to create a backup configuration?
A. copy running backup
B. copy running-config startup-config
C. config mem
D. wr mem
Answer: B
The command copy running-config startup-config saves the current active configuration in RAM (running-config) to NVRAM (startup-config). This ensures that the configuration persists after a reboot.
Cisco IOS Configuration Guide – Saving Configs:
“To save the active configuration, use: copy running-config startup-config.”
René Meneses MTCNA Study Guide – IOS Management:
“Saving configuration ensures the device boots with the same settings. Use copy running-config startup-config or its shortcut: wr.”
Breakdown:
A: Invalid syntax — no such keyword as “backup”
C: config mem is outdated and not used in modern IOS
D: wr mem is a shortcut for “write memory” — still valid but less commonly used
Final Answer: B
QUESTION NO: 147 [Cisco IOS – Access Control Lists]
What are the two main types of access control lists (ACLs)?
1. Standard
2. IEEE
3. Extended
4. Specialized
A. 1 and 3
B. 2 and 4
C. 3 and 4
D. 1 and 2
Answer: A
Cisco IOS supports two primary types of ACLs:
Standard ACLs: Filter traffic based only on source IP address
Extended ACLs: Filter traffic based on source, destination IP, protocol type, and port numbers
Cisco IOS Security Guide – ACL Fundamentals:
“Standard ACLs use only source IP for filtering. Extended ACLs can match based on source, destination, ports, and protocols.”
René Meneses MTCNA Study Guide – ACL Types:
“Two types of IP ACLs: standard and extended. IEEE or specialized ACLs do not exist in Cisco terminology.”
Other options:
IEEE: Refers to Ethernet or wireless standards, not ACLs
Specialized: Not a defined ACL type
If 'check-gateway' is enabled for an ECMP route and one of the gateways is unreachable, then:
Options:
ECMP is going to send packets to all gateways even if one is unreachable
The unreachable gateway is not going to be used in Round Robin algorithm
The ECMP route becomes inactive
Answer:
B
Explanation:
When multiple gateways are used in an ECMP (Equal Cost Multi-Path) configuration, the check-gateway option ensures that RouterOS will actively monitor the health of each gateway using ping (or ARP). If a gateway becomes unreachable, RouterOS temporarily removes it from the active ECMP gateway list.
A. ✘ Incorrect – Unreachable gateways are excluded from packet forwarding.
B. ✔ Correct – Only reachable gateways are used in the ECMP round robin logic.
C. ✘ Incorrect – The entire ECMP route remains active; only the failed gateway is excluded.
Extract from MTCNA Course Material – ECMP Routing:
“With check-gateway enabled, RouterOS will exclude unreachable gateways from ECMP rotation.”
Extract from MikroTik Wiki – Check-Gateway Option:
“When a gateway is unreachable, it is skipped in ECMP logic until it becomes reachable again.”
Extract from René Meneses Study Guide – ECMP and Gateway Monitoring:
“Check-gateway helps prevent blackholing by skipping dead gateways. The route remains active.”
==================================
What flavor of Network Address Translation can be used to have one IP address allow many users to connect to the global Internet?
Options:
NAT
Static
Dynamic
PAT
Answer:
D
Explanation:
PAT (Port Address Translation) is a subtype of NAT that maps multiple private IP addresses to a single public IP address using different port numbers. It is the most common form of NAT used in home and business networks to allow multiple internal hosts to access the internet using one public IP address.
MTCNA Course Material – NAT Concepts:
“PAT (also known as NAT overload) allows multiple devices to share a single public IP address. It uses different port numbers to distinguish sessions.”
Cisco IOS NAT Configuration Guide:
“PAT translates multiple local IP addresses to one public IP address by assigning different port numbers to each session.”
Other options:
A: Generic term — not specific enough
B: Static NAT maps one private IP to one public IP
C: Dynamic NAT maps private IPs to a pool of public IPs, not one-to-many
Final Answer: D
QUESTION NO: 149 [IPv6 – Addressing Standards]
How long is an IPv6 address?
A. 32 bits
B. 128 bytes
C. 64 bits
D. 128 bits
Answer: D
IPv6 addresses are 128 bits in length, represented as eight groups of four hexadecimal digits separated by colons (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334). This allows for a vastly larger address space compared to IPv4 (32 bits).
MTCNA Course Material – IPv6 Basics:
“An IPv6 address is 128 bits long, providing 3.4×10^38 possible addresses. It is written in hexadecimal format.”
René Meneses MTCNA Study Guide – IPv6 Addressing:
“IPv6 = 128 bits, not bytes. Address includes a 64-bit network prefix and 64-bit interface identifier.”
Other options:
A: 32 bits is IPv4
B: 128 bytes = 1024 bits — incorrect
C: 64 bits = only half of an IPv6 address
Final Answer: D
QUESTION NO: 150 [IP Addressing – Subnetting]
How many usable IP addresses are there in a 23-bit (255.255.254.0) subnet?
A. 512
B. 510
C. 508
D. 254
Answer: B
A /23 subnet provides 2^9 = 512 total addresses.
Subtract 2 (network address + broadcast address)
512 – 2 = 510 usable IP addresses
MTCNA Course Material – Subnet Calculations:
“For any subnet, usable hosts = 2^(32 – subnet mask bits) – 2.”
René Meneses MTCNA Study Guide – IP Subnetting:
“/23 provides 512 total addresses; usable = 510 after subtracting network and broadcast.”
Option Breakdown:
A: Total addresses (512)
B: ✔ Usable addresses (510)
C: Incorrect (508 is for /23 minus 4 — not relevant here)
D: 254 is usable for /24
Is action=masquerade allowed in chain=dstnat?
Options:
yes, but only if dst-addr is specified
yes
yes, but it works only for incoming connections
no
Answer:
D
Explanation:
The action=masquerade is used exclusively in the srcnat chain. It dynamically hides internal IP addresses behind the router's public IP. It cannot be used in the dstnat chain.
A. ✘ Incorrect – masquerade is not allowed in dstnat regardless of parameters.
B. ✘ Incorrect – masquerade is not valid in the dstnat chain.
C. ✘ Incorrect – masquerade does not operate in dstnat, direction does not change this.
D. ✔ Correct – masquerade must only be used in chain=srcnat.
Extract from MTCNA Course Material – NAT Concepts:
“Masquerade is a special type of source NAT used only in the srcnat chain. It is invalid in dstnat.”
Extract from René Meneses Study Guide – NAT Actions:
“Use action=masquerade in chain=srcnat. RouterOS will not accept it in dstnat.”
Extract from MikroTik Wiki – NAT Rules:
“action=masquerade is not allowed in dstnat chain and will result in error if applied.”
===========
When backing up your router by using the ‘Export’ command, the following happens:
Options:
Winbox usernames and passwords are backed up
The Export file can be edited with a standard text editor after its creation
You are requested to give the export file a name
Answer:
B
Explanation:
MikroTik RouterOS supports two types of configuration backups:
/export – creates a human-readable script (.rsc file) containing configuration commands. This file can be edited using any text editor and later imported into another device.
/system backup – creates a binary image including all settings, passwords, and sensitive data.
Option analysis:
A. ✘ Incorrect – Export does NOT include passwords or Winbox credentials for security reasons
B. ✔ Correct – Exported .rsc files are plain-text and editable
C. ✘ Incorrect – The export file is automatically named (e.g., export.rsc) unless redirected manually
Extract from MTCNA Course Material – Backup vs Export:
"Export is a plain-text script file that can be edited and reused. It does not contain encrypted passwords or user credentials."
Extract from René Meneses MTCNA Study Guide – Backup and Restore:
“Use export to create editable configurations. It excludes sensitive data like passwords.”
Extract from Terry Combs Notes – Configuration Export:
“Export is readable, editable, and ideal for replicating setups. Passwords and some private info are excluded.”
===========
A client that has successfully connected to a wireless network is considered to be which of the following? Choose all that apply:
Options:
Authenticated
Associated
Unauthenticated
Unassociated
Answer:
A, B
Explanation:
For a client to exchange data over a wireless network, it must complete two key steps:
Association – Establishes the basic radio link between client and access point
Authentication – Verifies credentials (e.g., WPA2 handshake)
When both are complete, the client is both authenticated and associated.
A. ✔ Authenticated – Encryption and access control is complete
B. ✔ Associated – Wireless radio link is established
C. ✘ Unauthenticated – Incorrect; client is verified
D. ✘ Unassociated – Incorrect; client is linked to AP
Extract from MTCNA Course Material – Wireless Client States:
“A connected client is associated (Layer 2) and authenticated (security/credentials verified).”
Extract from Terry Combs MTCNA Notes – Wireless States:
“Authenticated and associated are required for data transfer. Unassociated = disconnected.”
===========
