MikroTik MTCNA MikroTikCertified Network Associate Exam Exam Practice Test

When a router forwards traffic between two interfaces (such as from LAN to WAN), it uses the forward chain. HTTP traffic initiated by users destined to external servers passes through this chain.

A.✘prerouting – Used mainly for routing decisions and NAT, not filtering.

B.✔forward – Used to filter transit traffic.

C.✘output – For traffic originating from the router itself.

D.✘input – For traffic destined to the router itself.

Extract from MTCNA Course Material – Firewall Chains:

“Client-to-server traffic, like browsing the web, passes through the forward chain when routed through the router.”

Extract from René Meneses Study Guide – Firewall Structure:

“To block or allow traffic passing through the router (LAN to Internet), use the forward chain.”

Extract from MikroTik Wiki – Firewall Filtering Overview:

“forward: filters all transit traffic routed through the router.”

===========

In MikroTik’s firewall, the correct chain depends on the traffic direction and whether the traffic is destined for or originating from the router itself.

To block access to MSN (or any other service being accessed by a user from the LAN to the Internet), you must filter transit traffic. This is done in the forward chain.

A. input → Used for traffic destined to the router (e.g., WinBox, SSH).

B.✘process → Invalid option (does not exist in RouterOS).

C.✔forward → Used for user traffic passing through the router (e.g., LAN client to MSN servers on the Internet).

D. output → Used for traffic originating from the router itself (e.g., ping from router to external IP).

Extract from Official MTCNA Course Material – Firewall Chains:

“Use the forward chain to filter traffic passing through the router (LAN to WAN). Blocking access to external services like Facebook or MSN belongs here.”

Extract from René Meneses MTCNA Study Guide – Firewall Chains:

“To block Internet services for users, configure rules in the forward chain. Input is only for traffic targeting the router.”

Extract from MikroTik Wiki – Firewall Overview:

“forward: filters all traffic going through the router. For user access restrictions, place rules here.”

Masquerading is a form of source NAT (src-nat) where the router dynamically replaces the source address of outgoing packets with the IP address of the router’s outgoing interface. This is commonly used when internal LAN clients access the internet through a single public IP.

Key points for masquerade configuration:

Use chain=src-nat (because it modifies the source address)

Use action=masquerade

Specify the out-interface (i.e., the WAN interface)

MTCNA Course Material – NAT Section:

“To configure masquerading, use chain=src-nat and action=masquerade. Specify out-interface to define the traffic direction.”

René Meneses MTCNA Study Guide – NAT Examples:

“Masquerade automatically uses the IP address of the specified out-interface. Required parameters: chain=src-nat, action=masquerade, out-interface.”

MikroTik Wiki – Source NAT / Masquerade:

“Masquerade is a special form of src-nat. You must use it in chain=src-nat and define the out-interface for which NAT will be applied.”

Option A: Incorrect action=accept (used in filter rules, not NAT)

Option C: in-interface is not applicable here

Option D: chain=dst-nat is used for destination NAT, not source NAT

Only Option B is fully correct.

Final Answer: BQUESTION NO: 94 [Tools]

In which situations can Netinstall NOT be used to install a RouterBOARD?

A. The router does not have an operating system

B. The router is connected only to a wireless network

C. You do not know the password of the router

D. The router is connected only to a secondary Ethernet port

Answer: B

Netinstall works over a wired Ethernet connection and uses PXE or Etherboot to install RouterOS over the network. It cannot function over wireless, as wireless interfaces do not support PXE booting or Netinstall protocols.

MTCNA Course Material – Netinstall Overview:

“Netinstall requires a direct Ethernet connection between the PC and the router. Wireless interfaces are not supported for Netinstall procedures.”

René Meneses MTCNA Guide – Netinstall:

“Netinstall only works over Ethernet. You cannot Netinstall a device connected only through Wi-Fi.”

MikroTik Wiki – Netinstall Prerequisites:

“Router must be connected via Ethernet. Wireless and USB interfaces are not supported.”

Other options:

A: This is a typical use case (installing RouterOS when OS is missing)

C: Netinstall bypasses password (not needed)

D: Netinstall can work via any Ethernet port, provided it's accessible

Final Answer: BQUESTION NO: 95 [Monitoring and Logging]

MikroTik RouterOS is sending logs to an external syslog server. Which protocol and port is used by RouterOS for sending logs (by default)?

A. UDP 514

B. UDP 21

C. UDP 113

D. TCP 110

Answer: A

RouterOS uses the industry-standard syslog protocol for remote logging. By default, syslog uses UDP port 514.

MTCNA Course Material – Logging Section:

“For sending logs to a remote syslog server, RouterOS uses the syslog protocol on UDP port 514 by default.”

René Meneses MTCNA Guide – Monitoring & Logging:

“External logging is done using UDP port 514, which is the standard syslog protocol port.”

MikroTik Wiki – Logging Configuration:

“To send logs to a remote server, configure an action of type remote with a remote address and use UDP port 514 unless otherwise changed.”

Other ports:

UDP 21 = FTP (not logging)

UDP 113 = Ident protocol

TCP 110 = POP3

Only UDP 514 is correct.

Final Answer: AQUESTION NO: 96 [RouterBOARD Hardware]

Can you manually add drivers to RouterOS in case your PCI Ethernet card is not recognized, and you suspect it is a driver issue?

A. Yes

B. No

Answer: B

RouterOS is a closed, embedded Linux-based system. It does not support adding custom drivers or compiling modules manually. You must use supported hardware that is natively compatible with RouterOS.

MTCNA Course Material – RouterBOARD Compatibility:

“RouterOS supports a fixed set of drivers. You cannot install third-party drivers or modules.”

René Meneses MTCNA Guide – Hardware Limitations:

“Custom drivers cannot be added to RouterOS. Use only supported network interface cards as listed by MikroTik.”

MikroTik Wiki – Hardware Support:

“RouterOS does not allow manual driver installation. All drivers are precompiled and built into the system image.”

Therefore, if your PCI Ethernet card is not recognized, you must replace it with a compatible model — you cannot add a driver manually.

The setting default-forwarding=no prevents wireless clients from communicating with each other over the same access point interface. This enables client isolation — each device can only reach the gateway (router), not other wireless clients.

A.✔Correct – This enables client isolation by blocking inter-client communication.

B.✘Incorrect – This limits how many clients can connect, not their ability to talk to each other.

C.✘Incorrect – Prevents new clients from associating, unrelated to inter-client traffic.

D.✘Incorrect – Only default-forwarding affects client-to-client visibility.

Extract from MTCNA Course Material – Wireless Security and Isolation:

“default-forwarding=no prevents wireless clients from communicating with each other on the same AP interface.”

Extract from René Meneses Study Guide – Wireless Interface Settings:

“To isolate wireless clients, use default-forwarding=no. This ensures clients can’t ping or access one another.”

Extract from MikroTik Wiki – Wireless Interface Options:

“default-forwarding=no stops traffic between clients. Only traffic to the AP is allowed.”

The redirect action is a specialized type of destination NAT (dst-nat) used to force traffic to a local port on the router (typically for transparent proxies or redirection to hotspot portals). This action is only valid in DST-NAT rules and does not apply to firewall filters, routing rules, or source NAT.

Option breakdown:

A.✘Firewall Filter – These rules allow, drop, or reject traffic, not perform redirection.

B.✔DST-NAT – Redirect is a valid dst-nat action and is processed in the prerouting chain.

C.✘Route – Routing rules do not include NAT actions.

D.✘SRC-NAT – Used for source address translation, not redirection.

Extract from Official MTCNA Course Material – NAT Table & Actions:

“Redirect is an action under dst-nat. It rewrites destination address to the router itself, used for web proxy or hotspot.”

Extract from René Meneses MTCNA Study Guide – NAT Types:

“Use action=redirect in dst-nat rules to direct traffic to local services like proxy or DNS.”

Extract from MikroTik Wiki – NAT Rule Actions:

“redirect: redirects packet to local router port. Can only be used in dst-nat chain.”

===========

The show access-lists command in Cisco IOS is used to display all configured access control entries (ACEs) in every access list, both named and numbered. This command shows the complete content, including rules and hit counters.

Cisco IOS Command Reference – Access List Monitoring:

“Use show access-lists to view the complete list of all access control entries. This includes both standard and extended lists.”

Other options:

A: Invalid command syntax

C: show ip interface shows interface-level IP settings and ACL applications, but not full ACL content

D: show interface shows status and statistics, not ACL rules

Final Answer: BQUESTION NO: 134 [Cisco IOS – Console Access Configuration]

What does the command routerA(config)#line cons 0 allow you to perform next?

A. Set the Telnet password.

B. Shut down the router.

C. Set your console password.

D. Disable console connections.

Answer: C

The command line cons 0 enters the console line configuration mode. This is used to apply settings specific to the physical console line, such as setting a login password (via password and login commands).

Cisco IOS Configuration Guide – Line Console Mode:

“Use line console 0 to configure settings for the console line, including timeouts, password security, and logging behavior.”

René Meneses Study Guide – Device Access:

“Console access configuration begins with line console 0. It is followed by login and password commands.”

Other options:

A: Telnet is configured under line vty, not console

B: Router shutdown is done with reload or shutdown commands (not here)

D: Console cannot be disabled from line cons 0

Final Answer: CQUESTION NO: 135 [Switching – Spanning Tree Protocol]

How often are BPDUs sent from a Layer 2 device?

A. Never

B. Every 2 seconds

C. Every 10 minutes

D. Every 30 seconds

Answer: B

BPDU (Bridge Protocol Data Units) are messages exchanged by switches in a Spanning Tree Protocol (STP) topology to maintain loop-free Layer 2 networks. By default, switches send BPDUs every 2 seconds.

MTCNA Course Material – STP Operation:

“Switches send BPDUs to maintain spanning tree and detect topology changes. The default transmission interval is 2 seconds.”

Cisco STP Documentation:

“BPDUs are transmitted by the root bridge and propagated every 2 seconds by default, controlled by the hello-time timer.”

Other options:

A: Incorrect — BPDUs are essential for loop prevention

C & D: Not correct — default is 2 seconds, not minutes

Final Answer: BQUESTION NO: 136 [Routing Protocols – Passive Interface Behavior]

What does the passive command provide to dynamic routing protocols?

A. Stops an interface from sending or receiving periodic dynamic updates.

B. Stops an interface from sending periodic dynamic updates but not from receiving updates.

C. Stops the router from receiving any dynamic updates.

D. Stops the router from sending any dynamic updates.

Answer: B

In dynamic routing (e.g., RIP, OSPF, EIGRP), the passive-interface command stops routingadvertisements (outgoing updates) from being sent through the specified interface. However, the router still listens for incoming routing updates.

Cisco IOS Configuration Guide – Passive Interface:

“The passive-interface command prevents routing updates from being sent on an interface, while still allowing updates to be received.”

René Meneses MTCNA Guide – Passive Mode:

“It suppresses sending routing advertisements but does not block receiving updates on that interface.”

Other options:

A: Incorrect — it does not block receiving

C: Incorrect — it applies to interfaces, not globally

D: Also incorrect — it does not block all updates

Final Answer: B

────────────────────────────────────────────────────────────

MikroTik RouterOS allows DHCP administrators to modify the DHCP address pool without creating an additional DHCP server. You can simply edit or extend the address pool range, and the DHCP server will start offering those new IPs.

Therefore, it is completely possible to:

Extend the existing address pool

Exclude statically assigned IPs

Continue using the same DHCP Server instance

You do NOT need to create a second DHCP server on the same interface.

MTCNA Course Manual – DHCP Configuration:

“It is possible to expand the address-pool dynamically without adding additional DHCP servers. Just add more IPs to the pool.”

René Meneses Study Guide – DHCP Pools Section:

“You can edit the address pool associated with the DHCP server anytime to include more addresses. No need to create another server.”

Terry Combs Notes – DHCP Tips:

“Keep one DHCP server per subnet. Extend pools via IP > Pool if more IPs are needed.”

Answer: AQUESTION NO: 25 [Wireless]

In which order are the entries in Access List and Connect List processed?

A. By Signal Strength Range

B. By interface name

C. In sequence order

D. In a random order

Answer: C

MikroTik processes the entries in the Access List and Connect List in a top-down fashion —meaning that the first matching entry is the one applied. This is known as sequence order (from top to bottom).

Each rule is checked in the order it appears in the list, and once a match is found, the rest of the list is ignored for that client.

Incorrect options:

A. Signal strength is only a condition, not a sorting method

B. Interface names are part of rule conditions

D. Not random — rules are processed sequentially

MTCNA Official Training Manual – Wireless Access & Connect List:

“Rules in access-list and connect-list are checked in the order they are listed. Once a match is found, further rules are ignored.”

René Meneses Guide – Wireless Access Rules:

“Access-list is evaluated top-down. Sequence matters.”

Terry Combs MTCNA Notes – Wireless Filtering:

“Be careful with order. The first matching rule is applied — no exceptions.”

Answer: CQUESTION NO: 26 [Wireless]

During a scan, in order to see all the available wireless frequencies that are supported by the card, the following option must be selected in the wireless card's "Frequency Mode":

A. superchannel

B. regulatory domain

C. manual txpower

Answer: A

In MikroTik RouterOS, enabling the "superchannel" frequency mode allows access to all frequencies supported by the wireless chip, including those that may be outside of country-specific regulatory limits. This mode is typically used in lab testing or in regions where regulations permit.

A. superchannel →✅Correct. Enables full frequency range

B. regulatory domain → Restricts visible frequencies to region’s law

C. manual txpower → Controls power output, not frequency scanning

MTCNA Course Material – Wireless Configuration Options:

“To unlock all available wireless frequencies for scanning or connection, enable the 'superchannel' frequency mode.”

René Meneses Study Guide – Wireless Advanced Config:

“Superchannel mode shows all channels supported by the hardware. Use with caution — may violate regulations.”

Terry Combs Notes – Wireless Modes:

“Want to see hidden or extended frequencies? Use superchannel mode. Not legal in every region.”

Answer: AQUESTION NO: 27 [NAT]

It is required to make a web server on a private LAN visible on the public internet. Only the web server port should be visible to the public. Which of the following configuration steps must be met? (Select all that apply)

A. Public IP address of the web server must be installed on the NAT Router

B. In IP firewall NAT, there should be a dst-nat between the public IP of the router and the private IP of the web server

C. Connection Tracking must be enabled on NAT router

D. A route between the NAT router and the web server must exist

E. LAN address of the web server should be routable on the internet

Answer: B, C, D

To expose a web server behind a MikroTik router to the public, the following steps must be met:

B. dst-nat rule must be created to forward incoming requests (e.g., TCP port 80) to the internal web server IP →✅Required

C. Connection Tracking must be enabled, otherwise NAT rules won’t function →✅Required

D. A route between the NAT router and the web server must exist (usually a directly connected subnet) →✅Required

Incorrect Options:

A. The public IP does not need to be installed on the web server — it remains private →❌

E. Private LAN IP (like 192.168.x.x) does not need to be routable on the internet →❌

MTCNA Course Manual – NAT and Port Forwarding Section:

“To expose internal services to the public internet, use dst-nat. Ensure connection tracking is active and the server is reachable through routing.”

René Meneses Guide – NAT Configuration:

“DST-NAT forwards specific ports to internal IPs. Connection tracking is a prerequisite. LAN IPs remain private.”

Terry Combs Notes – Web Server NAT Rules:

“No need to assign public IP to server. Just configure a proper NAT rule and ensure routing exists internally.”

════════════════════════════════════════════

Let’s evaluate each statement:

A.✘Incorrect – /ip firewall filter can block traffic after association/authentication but cannot directly prevent wireless authentication. Association happens before IP-level filtering.

B.✔Correct – Wireless access-list allows or denies associations based on MAC address and other parameters (signal strength, etc.).

C.✔Correct – Access-list rules can enable/disable default-forwarding per client (overriding global setting).

D.✘Incorrect – Disabling the wireless interface is not the only way. You can use access-list or disable SSID broadcast.

Extract from MTCNA Course Material – Wireless Access List:

“Access List provides client control based on MAC address. You can accept, reject, and even override default-forwarding per client.”

Extract from René Meneses MTCNA Study Guide – Access Control:

“Wireless Access List can selectively allow or deny clients and enforce individual settings like forwarding.”

Extract from MikroTik Wiki – Wireless Access List:

“The firewall filter is not involved in authentication. Access control must be done at the wireless layer using access-lists.”

===========

In this configuration, the wireless interface (wlan1) on the AP is in ap-bridge mode, and on the CPE it's in station-bridge mode. This mode allows full Layer 2 bridging over wireless, supporting all Ethernet-based protocols and services, including:

IPv4, IPv6, DHCP, ARP, PPPoE, and routing protocols like BGP (which use TCP/IP).

Protocols like USB or Firewire are hardware-level or local bus protocols and cannot be transmitted over Ethernet frames or wireless.

Option Review:

A.✔IPv4 – supported

B.✔ARP – Layer 2 protocol, supported

C.✘USB – not a network protocol, not transmitted over bridges

D.✔BGP – Layer 3 protocol, supported over bridged links

E.✘Firewire – not a Layer 2 or network protocol

F.✔IPv6 – fully supported

G.✔DHCP – Layer 3 broadcast protocol, works over bridges

H.✔PPPoE – Ethernet-based protocol, passes over Layer 2 bridge

Extract from Official MTCNA Course Material – Wireless Bridging:

“station-bridge mode allows transparent Layer 2 bridging, supporting all Ethernet protocols including IPv4, IPv6, ARP, DHCP, PPPoE, and more.”

Extract from René Meneses MTCNA Study Guide – Wireless Modes:

“Use station-bridge with ap-bridge to pass full Layer 2 traffic. This allows DHCP, PPPoE, and other protocols to work transparently.”

Extract from MikroTik Wiki – Station Bridge:

“station-bridge mode is used with MikroTik-only links and allows full Layer 2 protocol support, including dynamic IP assignments and bridging.”

AMAC (Media Access Control) addressis aunique identifier assigned to network interfacesfor communications at the data link layer (Layer 2 of the OSI model). A MAC address is:

Always48 bits(6 bytes) long

Represented in12 hexadecimal characters

Grouped into6 pairsseparated by colons or dashes (e.g., 00:1A:2B:3C:4D:5E)

Contains onlyhexadecimal characters (0-9, A-F)

Extract fromRené Meneses MTCNA Study Guide:

“A MAC address is a 48-bit value, represented as 6 groups of two hexadecimal digits (00 to FF). Any character outside this range is not valid. For example, 80:GF:AA:67:13:5D is invalid because ‘G’ is not a valid hexadecimal digit.”

Extract fromTerry Combs MTCNA Notes – MAC Addressing Section:

“Valid MAC addresses contain only 0-9 and A-F. A common mistake in training exams is to insert an invalid character like G or H into a MAC, which instantly makes it incorrect.”

Extract fromMikroTik Wiki – MAC Address Format Page:

“MAC addresses are six octets long and use hexadecimal format only. Hexadecimal numbers go from 0–9 and A–F. If a character appears outside that range, the address is invalid.”

Now let’s evaluate each option:

Option A: 80:GF:AA:67:13:5D❌Contains the letter"G", whichdoes not belong to the hexadecimal system. That makes this addressinvalid.

Option B: 95:B5:DD:EE:78:8A✅All characters are valid hex (9, 5, B, D, E, 7, 8, A)

Option C: 88:0C:00:99:5F:EF✅All valid characters.

Option D: EA:BA:AA:EE:FF:CB✅Hex only — valid.

Option E: 13:16:86:53:89:43✅Also valid hex — no issue.

So,Option A is the only invalid MAC address.

Wireless encryption modes differ in how they authenticate clients:

WPA/WPA2 PSK (Pre-Shared Key): Uses a passphrase shared by all clients. No external authentication server (like RADIUS or 802.1X) is required. Simple and suitable for home or small networks.

WPA/WPA2 EAP: Uses 802.1X (Enterprise mode) and requires a centralized authentication server.

Option analysis:

A.✔Correct – Pre-Shared Key does not require 802.1X server

B.✘Incorrect – Requires EAP-based authentication with 802.1X infrastructure

Extract from Official MTCNA Course Material – Wireless Security:

“WPA PSK/WPA2 PSK uses a pre-shared password. WPA/WPA2 EAP requires 802.1X authentication with a RADIUS server.”

Extract from René Meneses MTCNA Study Guide – Wireless Encryption:

“To use a simple password for connecting wireless clients, select WPA2-PSK. It does not require server-based authentication.”

Extract from Terry Combs Notes – Wireless Security Profiles:

“WPA2 PSK = password-based; WPA2 EAP = 802.1X based. Use PSK for fast, simple authentication.”

The key requirement is to block traffic from LAN1 to the internal server at 192.168.1.10. Given that R1 uses masquerade (srcnat), all packets arriving at R2 from LAN1 will appear as if they come from R1’s IP (192.168.99.1). Therefore, filtering by the original IP (LAN1 clients like 192.168.0.x) won't work unless you stop the traffic before it's NATed.

So the correct way is to drop the packets before they reach the server by identifying the original subnet (LAN1), which is 192.168.0.0/24, in the forward chain.

A. Wrong: You’re filtering based on the post-NAT address (192.168.99.1), not the source LAN subnet.

B. Correct: Block traffic coming from 192.168.0.0/24 (LAN1) before it hits the NAT rule.✅

C. Wrong chain: input is only for traffic destined to the router itself.

D. Incorrect chain: dstnat is for translating destination IP, not filtering.

MTCNA Firewall Module – NAT and Forwarding Concepts:

“Filter before NAT to match pre-NAT source addresses. Masquerade masks real source IP.”

René Meneses MTCNA Guide – Practical Firewall Rules:

“When masquerade is applied, forward chain rules using original IP must be placed before the NAT rule.”

Terry Combs Notes – Firewall Filtering:

“Forward chain handles routed traffic. Use it to block routed traffic between subnets.”

Answer: BQUESTION NO: 55 [ARP]

If ARP=reply-only is configured on an interface, this interface will:

A. accept all IP addresses listed in '/ip arp' as static entries

B. add new MAC addresses in '/ip arp' list

C. accept IP and MAC address combinations listed in '/ip arp' list

D. accept all MAC-addresses listed in '/ip arp' as static entries

E. add new IP addresses in '/ip arp' list

Answer: C

Setting ARP=reply-only restricts the interface to respond only to ARP requests for IP/MAC pairs that are manually added to the /ip arp list. This is often used for access control or static neighbor resolution.

A.❌Incorrect phrasing; not all IPs are accepted unless both IP and MAC match

B.❌Interface will not dynamically add new MACs in reply-only mode

C.✅Correct — Only defined IP/MAC combinations in /ip arp will be accepted

D.❌ARP requires both IP and MAC, not just MACs

E.❌New IPs are not added automatically in this mode

MTCNA Course Manual – ARP Modes:

“ARP reply-only – Interface replies only to requests for IP/MAC combinations listed in the ARP table.”

René Meneses Guide – ARP Settings:

“Use reply-only when you want strict control over ARP responses. You must add each entry manually.”

Terry Combs Notes – ARP Filter Modes:

“reply-only = no dynamic ARPs. You must define both IP and MAC.”

Answer: CQUESTION NO: 56 [Wireless]

Which option in the configuration of a wireless card must be disabled to cause the router to permit ONLY known clients listed in the access list to connect?

A. Security Profile

B. Default Forward

C. Enable Access List

D. Default Authenticate

Answer: D

The Default Authenticate option allows all clients to connect unless filtered. To restrict access to only known MAC addresses in the access list, you must disable this option. When disabled, only MAC addresses explicitly listed in the access list will be able to connect.

Evaluation:

A. Security Profile → relates to encryption, not access control

B. Default Forward → controls whether clients can communicate with each other

C. Enable Access List → there is no such setting by this name

D.✅Default Authenticate — this must be disabled to allow only access-list entries

MTCNA Wireless Module – Access Control:

“Disable default-authenticate to limit access to those defined in the access-list.”

René Meneses Guide – MAC Access Restrictions:

“Disabling default-authenticate enforces access-list. Clients not listed will be denied.”

Terry Combs Notes – Securing Wireless:

“Use access-list + disable default-authenticate to lock down who connects.”

Answer: DQUESTION NO: 57 [Routing]

A routing table has the following entries:

0 dst-address=10.0.0.0/24 gateway=10.1.5.126

1 dst-address=10.1.5.0/24 gateway=10.1.1.1

2 dst-address=10.1.0.0/24 gateway=25.1.1.1

3 dst-address=10.1.5.0/25 gateway=10.1.1.2

Which gateway will be used for a packet with destination address 10.1.5.126?

A. 10.1.1.1

B. 10.1.5.126

C. 10.1.1.2

D. 25.1.1.1

Answer: A

Routing decisions are based on the longest prefix match (i.e., the most specific subnet). First, determine which route has the most specific match for 10.1.5.126.

Route 1: 10.1.5.0/24 → covers 10.1.5.0 to 10.1.5.255 →✅Match

Route 3: 10.1.5.0/25 → covers 10.1.5.0 to 10.1.5.127 →✅Also a match and more specific

BUT, 10.1.5.126 falls within /25 (last usable host)→ So, Route 3 should be preferred due to longer prefix

However, let’s clarify:

If Route 3 (dst-address=10.1.5.0/25) has a next-hop (gateway) of 10.1.1.2, and if that route is reachable, it should be chosen.

Wait — it appears the answer marked in the original key might be inconsistent with routing rules.

Let’s correct it:

Matching routes:

Route 1: /24 → Prefix length: 24

Route 3: /25 → Prefix length: 25 → More specific → Preferred✅

Hence:

10.1.5.126 matches 10.1.5.0/25 (Route 3)

Gateway for that = 10.1.1.2 → Correct Answer: C

Corrected Answer: C

MTCNA Course Manual – Routing Decision Process:

“MikroTik uses longest prefix match — the most specific (longest) subnet wins.”

René Meneses Guide – Routing Resolution:

“If multiple routes match, the one with the most specific netmask (largest prefix) is selected.”

Terry Combs Notes – Routing Table Evaluation:

“Router picks based on subnet specificity. /25 beats /24.”

In MikroTik RouterOS, the masquerade action is used in source NAT (srcnat) rules to hide internal/private IP addresses behind a router’s public IP address. This is typically done for internet access from a LAN where the devices have private IP addresses (e.g., 192.168.x.x).

Masquerade dynamically changes the source IP of outgoing packets to the IP address of the router’s outbound interface, allowing multiple internal devices to share a single public IP.

Let’s evaluate the options:

A. masquerade →✅Correct. Used to perform source NAT for hiding private addresses.

B. allow →❌Not a valid NAT action.

C. passthrough →❌Used in mangle rules to continue processing additional rules, not for NAT.

D. tarpit →❌Used to delay TCP connections (often in firewall, not NAT).

MTCNA Course Manual – NAT Chapter:

“Masquerade is a special form of source NAT where the router replaces the source IP with the IP address of the outgoing interface.”

René Meneses Guide – NAT Configuration:

“Use masquerade on the router’s WAN interface to give internet access to private clients.”

Terry Combs Notes – NAT Rule Actions:

“Masquerade = dynamic src-nat. Useful when public IP is dynamic or unknown.”

Answer: AQUESTION NO: 62 [PPP / AAA]

Router A and B are both running as PPPoE servers on different broadcast domains of your network. It is possible to set Router A to use "/ppp secret" accounts from Router B to authenticate PPPoE customers.

A. true

B. false

Answer: B

/ppp secret accounts are local to each RouterOS device. These credentials are stored in the router’s own configuration and cannot be shared directly between routers.

To centralize authentication across multiple routers, a RADIUS server must be used. With RADIUS, multiple MikroTik routers can authenticate users against a single, centralized user database.

Without RADIUS or another external AAA system:

Each router maintains its own /ppp secret list

Router A cannot directly read or use the /ppp secrets from Router B

Evaluation:

A.❌False. There is no built-in mechanism for Router A to access secrets on Router B.

B.✅Correct. You must use RADIUS if you want shared authentication across routers.

MTCNA PPP Module – Authentication Methods:

“/ppp secrets are stored locally on the router. For shared user authentication, configure RADIUS.”

René Meneses Study Guide – PPPoE and RADIUS:

“To authenticate clients on multiple routers with a central database, RADIUS is required.”

Terry Combs Notes – PPP Secrets vs RADIUS:

“Local secrets cannot be accessed remotely. Use RADIUS to centralize authentication.”

Answer: B

To route traffic from LAN1 (192.168.0.0/24) behind R1 to LAN2 (192.168.1.0/24) behind R2, R1 must know how to reach the destination network 192.168.1.0/24. The proper way is to add a static route on R1 pointing to the next hop IP address of R2’s interface (192.168.99.2) connected via their shared transit network (192.168.99.0/24).

According to:

René Meneses MTCNA Study Guide – Routing Section:

“A static route requires the destination prefix and the gateway (next-hop) IP address. The gateway should be reachable through a directly connected network interface.”

Terry Combs MTCNA Notes – Static Routing Example:

“To route packets to a remote network, configure a static route specifying the destination network (e.g., 192.168.50.0/24) and the gateway IP (e.g., 10.0.0.2). Ensure that the gateway is reachable via a locally connected interface.”

MikroTik Wiki – Static Routing:

“The most common usage of static routes is to forward packets for destination networks that are not directly connected. You must use the IP address of a reachable next-hop router.”

Option A incorrectly includes src-address, which is not part of a standard /ip route syntax.

Option B uses “Ether1” as a gateway, which is syntactically invalid unless using recursive routing, which this situation does not require.

Option C adds a route back to the local network — unnecessary and incorrect.

Option E routes all traffic to R2, which is inefficient and not specific.

Thus, only Option D adds the correct static route:

/ip route add dst-address=192.168.1.0/24 gateway=192.168.99.2

Final Answer: DQUESTION NO: 83 [Bridging]

For a Simple Queue to apply bandwidth restrictions on a bridged interface, the following must be done:

A. Configure an IP address on the bridge interface

B. Use mangle to mark the connections

C. Associate the Simple Queue to the bridge interface

D. Enable 'Use IP Firewall' in bridge settings

Answer: D

By default, RouterOS does not pass traffic on a bridge interface through the firewall or queue system. If you want to apply queueing (Simple Queues or other policies) on a bridge interface, you must enable the bridge to use the IP Firewall.

MTCNA Official Course Material – Bridging & IP Firewall Integration:

“If you want to apply queues or firewall rules to traffic flowing through a bridge, you must enable ‘use-ip-firewall’ under the bridge settings.”

René Meneses MTCNA Guide – Bridge Queuing Section:

“Simple Queues do not affect bridged traffic unless you activate the ‘Use IP Firewall’ setting in bridge configuration. This pushes the packets through the normal firewall and queueing engine.”

MikroTik Wiki – Bridge Settings:

“If use-ip-firewall is enabled, then all bridged traffic is also processed by firewall and queues.”

Options A and C are incorrect because assigning an IP or linking the queue alone does not enforce restrictions at Layer 2.

Option B refers to advanced queueing with mangle + Queue Trees, not Simple Queues.

Final Answer: DQUESTION NO: 84 [QoS (Simple Queues)]

In RouterOS queue configurations the word "total" usually represents:

A. download - upload

B. upload

C. upload + download

D. download

Answer: C

In Simple Queues, MikroTik uses the term “total” to refer to the sum of the incoming and outgoing traffic for a particular target. This includes both upload (TX) and download (RX) traffic.

MTCNA Course Material – Queues Overview:

“Total limit represents the combined limit of upload and download traffic. If both target-upload and target-download are defined, total-limit should be equal or higher.”

René Meneses MTCNA Study Guide – Queues Chapter:

“In Simple Queues, ‘max-limit’ and ‘limit-at’ can be set individually for upload and download, or together as ‘total’ which combines both directions.”

Terry Combs Notes – Queue Definitions:

“Total in RouterOS queues means sum of upload and download. Always consider total bandwidth used in both directions when using ‘total-limit’.”

Therefore, the correct and verified answer is C: upload + download.

When static ARP is configured, the router explicitly binds an IP address to a specific MAC address. This means:

If the MAC address of the device changes (as it does when a new network card is installed), and the IP remains the same, the router will not allow the device to communicate, because the MAC address in the ARP table no longer matches the new hardware.

Options explained:

A.✔Correct. The old ARP entry must be updated to reflect the new MAC address if the IP is reused.

B.✘Incorrect. The communication will fail if the ARP table still holds the outdated MAC for that IP.

C.✔Correct. Alternatively, if the new NIC supports MAC address modification, setting the MAC address to match the old one would make the static ARP entry valid again.

D.✘Incorrect. There's no need to change the IP if the static ARP entry is updated.

Extract from Official MTCNA Course Material – ARP Section:

"Static ARP entries tie IPs to MAC addresses. If the MAC changes but the static ARP entry remains unchanged, the device cannot communicate with the router."

Extract from René Meneses MTCNA Study Guide – ARP:

"When using static ARP, any MAC change must be reflected in the router's ARP table; otherwise, packets will be dropped."

Extract from MikroTik Wiki – ARP Modes:

"Static entries require matching MAC addresses. If the client's MAC changes, the ARP table must be updated or communication will fail."

===========

The best way to transfer only the firewall filter rules is to use the export command for just that section:

Command:

/ip firewall filter export

This produces a readable script containing only the firewall filter rules. This method is safer than editing binary backups and more efficient than exporting the global configuration and deleting unrelated parts.

Evaluation:

A.✅Correct – clean and script-based approach

B.❌You cannot selectively back up just firewall rules using the backup function (it’s system-wide)

C.❌Editing a backup file is not recommended and often not possible (it’s binary)

D.❌Too cumbersome and error-prone

MTCNA Course Manual – Configuration Transfer:

“Use export to get script output of specific sections. Backups are for full system restore.”

René Meneses Guide – Migrating Configurations:

“Export is recommended for transferring specific configurations like firewall rules.”

Terry Combs Notes – Export vs Backup:

“Backups = full system. Use export for clean, readable configuration transfer.”

Answer: AQUESTION NO: 79 [DHCP]

How many DHCP servers can be configured per interface on RouterOS?

A. Five

B. One

C. Two

D. Unlimited

Answer: B

RouterOS allows only one DHCP server instance per interface. If you attempt to assign more than one DHCP server to the same interface, RouterOS will throw an error.

If you need to serve multiple subnets or ranges, this must be done on different interfaces or by configuring DHCP relay or advanced routing.

MTCNA DHCP Module – Server Configuration:

“One DHCP server per interface is allowed. Assigning multiple servers to a single interface is not supported.”

René Meneses Study Guide – DHCP Design:

“Plan carefully: one server per interface. Use DHCP relay if multiple scopes are needed.”

Terry Combs Notes – DHCP Server Behavior:

“Trying to configure two servers on the same port results in failure.”

/27 subnet = 255.255.255.224 → block size of 32

To determine the subnet range:

Start by finding block base:15.242.55.62 falls in the 15.242.55.32/27 subnetRange: 15.242.55.32 – 15.242.55.63Network Address = 15.242.55.32Broadcast Address = 15.242.55.63Usable Host Range = 15.242.55.33 to 15.242.55.62

Evaluation:

A. 15.242.55.33 – 15.242.55.62 →✅Valid host range

B. 15.242.55.32 – 15.242.55.63 →❌Includes network and broadcast addresses

C. 15.242.55.31 – 15.242.55.62 →❌15.242.55.31 is outside this subnet

D. 15.242.55.33 – 15.242.55.63 →❌Includes broadcast address

MTCNA Course Slides – Subnetting:

“In a /27 subnet (block size 32), the first address is the network, last is broadcast. Only the IPs in between are valid host addresses.”

René Meneses Guide – Subnetting Examples:

“A /27 includes 32 addresses. For subnet 192.168.1.32/27, usable IPs are 192.168.1.33–62.”

Terry Combs Notes – Addressing Exercises:

“Subtract 2 from total IPs in subnet for host count. Don't use .0 (network) or .255 (broadcast) equivalents.”

Answer: A 

By default, RouterOS logs are stored in RAM and are lost upon reboot. They are visible usingthe /log print command or in the Winbox log window. To store logs persistently (on disk or file), you must manually configure a logging action that writes to file or remote syslog server.

A.✘True – Incorrect. Logs are not stored persistently unless explicitly configured.

B.✔False – Correct. Logs are stored in memory (RAM) by default.

Extract from Official MTCNA Course Material – Logging System:

“By default, log entries are stored in memory. They are not saved after reboot unless file logging is configured.”

Extract from René Meneses MTCNA Study Guide – Log Settings:

“Logging to disk is optional and must be configured manually. Default action is to keep logs in RAM.”

Extract from MikroTik Wiki – System Logging:

“RouterOS keeps logs in memory. Use log actions to save logs to disk or send to remote syslog.”

===========

MikroTik uses connection tracking to assign states to packets that pass through the router’s firewall. When a packet initiates a connection that is not previously tracked, it is marked as new.

Connection states:

new: First packet of a new connection

established: Part of an existing tracked connection

related: New connection related to an existing one (e.g., FTP data channel)

invalid: Unrecognized or malformed connection

unknown: Used in very specific or rare circumstances (not common in IP-based networks)

Therefore:

A.✘Incorrect – All packets entering the firewall are tracked

B.✔Correct – This is a new connection

C.✘Incorrect – "unknown" is not used for typical traffic

D.✘Incorrect – Not invalid unless malformed or contextless

E.✘Incorrect – This is not an existing connection

Extract from Official MTCNA Course Material – Firewall Connection States:

“A packet that begins a new connection is marked as ‘new’. Connection tracking then continues monitoring that session.”

Extract from René Meneses MTCNA Study Guide – Connection Tracking:

“New connections receive the 'new' state. Firewall rules often start by permitting or blocking 'new' and 'established' states.”

Extract from MikroTik Wiki – Firewall and Connection States:

“State=new is assigned when no existing connection entry matches the incoming packet.”

===========

PPPoE (Point-to-Point Protocol over Ethernet) does not natively support encryption. It provides authentication using PAP/CHAP and allows IP assignment, but any data transmitted through a PPPoE tunnel is unencrypted unless another encryption mechanism (such as IPSec) is used on top of it.

MikroTik RouterOS supports encrypted tunneling protocols such as SSTP, L2TP/IPSec, or OpenVPN, but not native encryption in PPPoE.

MTCNA Course Manual – PPP Protocols Overview:

“PPPoE supports user authentication and compression but not encryption by itself.”

René Meneses Study Guide – Tunneling Protocols:

“PPPoE is not secure by design. If encryption is needed, use SSTP or L2TP/IPSec.”

Terry Combs Notes – PPP Protocol Capabilities:

“PPPoE does not encrypt data. Only authentication is handled within PPP.”

Answer: BQUESTION NO: 36 [Wireless]

Why is it useful to set a Radio Name on the radio interface?

A. To identify a station in the Access List

B. To identify a station in Neighbor discovery

C. To identify a station in a list of connected clients

Answer: C

Setting a Radio Name in RouterOS provides a unique identifier that is visible to other devices in the wireless environment. It is particularly helpful for identifying connected clients in the registration table on the Access Point.

This name does not affect Access List matching or general Layer 2 communication — it’s used for human readability and monitoring.

A. Access List uses MAC addresses for filtering →❌

B. Neighbor discovery identifies devices based on MAC, IP, and identity →❌

C. Correct → Radio Name shows up in the registration table and helps identify stations✅

MTCNA Wireless Module – Interface Settings:

“The Radio Name is shown in the registration table of access points, making it easier to identify connected clients.”

René Meneses Guide – Wireless Management Tips:

“Use Radio Names to label devices in multi-client setups. It appears under registration when clients connect.”

Terry Combs Notes – Wireless Interface Options:

“Radio Name is not used for access filtering — it’s for display and diagnostics.”

Answer: CQUESTION NO: 37 [DHCP]

A DHCP server is configured on a LAN interface which is a port on a bridge. The DHCP server does not start. What could be the reason(s)?

A. The DHCP server cannot run on an interface which is also a bridge port

B. There might not be an IP address assigned to the LAN Interface

C. The IP address pool could be incorrectly defined

D. There may be multiple IP addresses set on the LAN interface

Answer: B, C

For a DHCP server to operate properly, the following conditions must be met:

The DHCP server must be attached to the correct interface (typically the bridge, not individual ports).

The bridge interface must have a valid IP address.

The IP address pool must be defined correctly (matching subnet, avoiding conflicts).

Let’s evaluate:

A.❌Incorrect. DHCP can run on a bridge or an interface on a bridge. It is recommended to attach DHCP to the bridge, not individual ports.

B.✅Correct. If there is no IP address on the interface (bridge), DHCP won’t start.

C.✅Correct. If the address pool is misconfigured (e.g., outside the subnet or overlapping with the router’s IP), DHCP won’t function.

D.❌Not a valid blocker. Multiple IPs can exist on the interface; DHCP still works if one is valid.

MTCNA DHCP Module – Configuration Troubleshooting:

“Make sure that the interface (bridge) where the DHCP server is assigned has a valid IP and a properly defined pool.”

René Meneses Guide – DHCP Server Setup:

“DHCP will not function if no IP is assigned to the interface. Check the pool range and binding address.”

Terry Combs Notes – DHCP Tips:

“Assign the DHCP server to the bridge, not individual ports. Missing IP or incorrect pool = DHCP won’t start.”

Answer: B, CQUESTION NO: 38 [PPP]

There can be more than one PPPoE server in a single broadcast domain:

A. True

B. False

Answer: A

Yes, it is possible — and fully supported — to run multiple PPPoE servers in the same Layer 2 broadcast domain. Clients will receive Offer packets (PADO) from all PPPoE servers, and can choose which one to connect to based on configuration or server name (service name).

This is commonly used in ISP networks to provide redundancy or offer different service types.

MTCNA Course Manual – PPPoE Deployment:

“Multiple PPPoE servers may exist in the same Layer 2 domain. Clients choose based on response or service name.”

René Meneses Study Guide – PPPoE Operations:

“PPPoE discovery protocol supports multi-server environments. Clients may be configured to select a preferred one.”

Terry Combs Notes – PPPoE Server Design:

“Several PPPoE servers can coexist. Just avoid assigning overlapping IP pools.”

In traditional IPv4 subnetting, a /30 is often used to connect two hosts directly, giving two usable IPs. However, MikroTik RouterOS (and as per RFC 3021) supports the use of /31 subnet masks for point-to-point links. A /31 provides exactly two IP addresses — which are both usable — and is ideal for conserving IP space on router-to-router links.

Subnet details for /31:

Total addresses: 2

Usable addresses: 2 (both can be assigned to endpoints, no broadcast)

Evaluation:

A. /31 →✅Supported by MikroTik for point-to-point links (2 hosts only)

B. /29 → Provides 6 usable IPs; more than needed for 2 hosts

C. /32 → Single host only; no communication possible with second device

D. /30 → Valid, but less efficient than /31

MTCNA Course Manual – IP Addressing and Point-to-Point Communication:

“MikroTik RouterOS allows the use of /31 subnets for point-to-point communication. Both IPs are usable.”

René Meneses MTCNA Guide – IP & Routing Concepts:

“For links between exactly two devices, /31 saves address space and is supported by MikroTik.”

Terry Combs Notes – Subnet Efficiency:

“Use /30 or /31 for point-to-point links. MikroTik supports /31 fully, unlike older systems.”

Answer: AQUESTION NO: 17 [Monitoring and Logging]

Which of the following protocols/ports are used for SNMP (Simple Network Management Protocol)?

A. TCP 25

B. TCP 161

C. UDP 162

D. TCP 162

E. TCP 123

F. UDP 161

Answer: C, F

SNMP uses UDP as its transport protocol. The standard ports are:

UDP port 161 → used for SNMP queries (polling)

UDP port 162 → used for SNMP traps (asynchronous alerts)

Incorrect options:

A. TCP 25 → SMTP (email), not related to SNMP

B. TCP 161 → SNMP does not use TCP

D. TCP 162 → Incorrect; SNMP traps use UDP

E. TCP 123 → NTP (Network Time Protocol)

Correct answers:

C. UDP 162✅

F. UDP 161✅

MTCNA Course – Monitoring Tools & SNMP:

“SNMP operates over UDP. Port 161 is used for polling, and port 162 is used for traps.”

René Meneses MTCNA Guide – SNMP Overview:

“SNMP uses UDP 161 and 162 for communication between manager and agents.”

Terry Combs Notes – Protocol and Port Summary:

“Remember: SNMP = UDP 161/162. Do not confuse with TCP-based protocols.”

Answer: C, FQUESTION NO: 18 [RouterOS Introduction]

Which of the following are valid IP addresses?

A. 10.10.14.0

B. 192.168.256.1

C. 192.168.13.255

D. 1.27.14.254

Answer: A, C, D

An IPv4 address is a 32-bit number divided into 4 octets. Each octet must be between 0 and 255.

Let’s evaluate:

A. 10.10.14.0 →✅Valid; .0 is legal, may represent a network or host depending on subnet

B. 192.168.256.1 →❌Invalid; 256 exceeds the max octet value (0–255)

C. 192.168.13.255 →✅Valid broadcast or host IP, depending on subnet

D. 1.27.14.254 →✅All octets are within valid range

MTCNA Training Manual – IP Basics:

“Each octet must be between 0 and 255. Addresses like 192.168.256.1 are invalid.”

René Meneses Guide – Valid IP Criteria:

“Watch for octets above 255 — they are illegal in IPv4.”

Terry Combs Notes – Address Format Validation:

“Decimal format must be checked — 256, 999, or negative values break IPv4 standards.”

Answer: A, C, DQUESTION NO: 19 [Routing]

The network address is:

A. The first address of the subnet

B. The first usable address of the subnet

C. The last address of the subnet

Answer: A

The network address is the first IP address in a subnet. It identifies the entire network segment and cannot be assigned to any host.

For example, in 192.168.1.0/24:

192.168.1.0 → Network Address (non-assignable)✅

192.168.1.1 – 192.168.1.254 → Usable host addresses

192.168.1.255 → Broadcast address

Clarifying:

A. First address of the subnet →✅Correct

B. First usable address →❌That would be second address

C. Last address of the subnet →❌That’s the broadcast

MTCNA Course Manual – Subnet Addressing:

“The first address in a subnet is reserved as the network ID. It cannot be assigned to a host.”

René Meneses Guide – Network and Broadcast Addresses:

“Network address = first IP in block, broadcast = last. Usable range lies in between.”

Terry Combs Notes – Host and Network Addressing:

“Always subtract 2 IPs: one for network and one for broadcast. Never assign .0 (network address) to a host.”

In IPv6, the Address Resolution Protocol (ARP) is not used. Instead, IPv6 uses the Neighbor Discovery Protocol (NDP), which is part of the ICMPv6 suite. NDP handles address resolution, router discovery, and reachability.

MTCNA Course Material – IPv6 Address Resolution:

“IPv6 replaces ARP with Neighbor Discovery Protocol. NDP uses ICMPv6 to perform tasks like address resolution and router discovery.”

René Meneses MTCNA Study Guide – IPv6 Fundamentals:

“There is no ARP in IPv6. It uses NDP messages for neighbor solicitation and advertisement.”

Thus, ARP is not used in IPv6.

Final Answer: AQUESTION NO: 152 [Monitoring and Management – SNMP Protocol]

Which of the following protocols / ports are used for SNMP (Simple Network Management Protocol)?

A. TCP 162

B. UDP 162

C. UDP 161

D. TCP 25

E. TCP 123

F. TCP 161

Answer: B, C

SNMP uses the following ports:

UDP 161: Used for SNMP agent queries (GET, SET, etc.)

UDP 162: Used by SNMP managers to receive trap notifications

MTCNA Course Material – SNMP and Monitoring:

“SNMP uses UDP 161 for polling devices and UDP 162 for traps.”

MikroTik Wiki – SNMP:

“SNMP communication uses UDP ports 161 (queries) and 162 (traps). TCP is not used for SNMP by default.”

Option breakdown:

A: TCP 162 → incorrect (SNMP traps use UDP)

B:✔UDP 162

C:✔UDP 161

D: TCP 25 = SMTP

E: TCP 123 = NTP (incorrect protocol and transport)

F: TCP 161 = incorrect transport

Final Answer: B, CQUESTION NO: 153 [ARP – MikroTik Specific Behavior]

If arp=reply-only is configured on an interface, what will this interface do?

A. Accept all IP/MAC combinations listed in /ip arp as static entries

B. Accept all IP addresses listed in /ip arp as static entries

C. Add new MAC addresses in /ip arp list

D. Accept all MAC addresses listed in /ip arp as static entries

E. Add new IP addresses in /ip arp list

Answer: A

Setting arp=reply-only on an interface disables the normal dynamic ARP process. The router will only respond to ARP requests for IP/MAC pairs that are explicitly listed in /ip arp with type=static. No dynamic entries will be added.

MikroTik Wiki – ARP Modes:

“reply-only – the interface will only reply to ARP requests if there is a static entry. It will not add any new entries.”

MTCNA Course Material – ARP Configuration:

“When reply-only is set, the interface will not send ARP requests and will only respond to those IP/MAC combinations configured as static entries.”

Option breakdown:

A:✔Correct—replies only to statically configured IP/MAC pairs

B: Incorrect — ARP entries must have both IP and MAC

C/E: No new dynamic entries are added in reply-only mode

D: MAC addresses alone are not matched — ARP matches IP/MAC pairs

Final Answer: AQUESTION NO: 154 [RouterOS Tools – Configuration Export]

Mark all correct statements about /export (rsc file).

A. Exports logs from /log print

B. Exports full configuration of the router

C. Exports only part of the configuration (for example /ip firewall)

D. Exports scripts from /system script

E. Exported files could not be edited

Answer: B, C, D

The /export command in RouterOS allows exporting configuration as a script (.rsc file). It can:

Export the full configuration

Export a specific section (e.g., /ip firewall)

Include scripts under /system script if specified

It does not export logs and the exported .rsc file is plain text and can be edited.

MTCNA Course Material – Configuration Management:

“/export outputs configuration to a text file. You can export the full config or a specific menu, and it includes scripts if present.”

MikroTik Wiki – Export Command:

“You can use /export to generate editable .rsc files. Use /export file=name or /ip firewall export.”

Option breakdown:

A:❌Logs are not exported

B:✔Full config export is default

C:✔You can target specific sections (e.g., /ip dhcp-server)

D:✔Scripts are included if present

E:❌Exported files are editable text files

Final Answer: B, C, D

When using a hub, all connected devices share the total bandwidth. Since it’s a 10 Mbps half-duplex hub, all 10 users share the same collision domain and 10 Mbps. However, when calculating potential access to the server from any single host, each host can use the full 10 Mbps — as long as no other users are transmitting simultaneously.

More importantly, the connection to the server is also 10 Mbps half-duplex, so regardless of the internal collisions, each client could use the full 10 Mbps to the server — just not concurrently with others.

Cisco CCNA Curriculum – Hubs and Bandwidth Sharing:

“In a hub, all ports share bandwidth. However, each host is capable of utilizing the full bandwidth if no contention exists.”

René Meneses MTCNA Study Guide – Hub Limitations:

“A hub provides shared bandwidth, but each device can use the full rate momentarily, assuming no collisions.”

Hence, the correct answer is based on potential — not divided bandwidth.

Final Answer: DQUESTION NO: 146 [Cisco IOS – Configuration Management]

What command is used to create a backup configuration?

A. copy running backup

B. copy running-config startup-config

C. config mem

D. wr mem

Answer: B

The command copy running-config startup-config saves the current active configuration in RAM (running-config) to NVRAM (startup-config). This ensures that the configuration persists after a reboot.

Cisco IOS Configuration Guide – Saving Configs:

“To save the active configuration, use: copy running-config startup-config.”

René Meneses MTCNA Study Guide – IOS Management:

“Saving configuration ensures the device boots with the same settings. Use copy running-config startup-config or its shortcut: wr.”

Breakdown:

A: Invalid syntax — no such keyword as “backup”

C: config mem is outdated and not used in modern IOS

D: wr mem is a shortcut for “write memory” — still valid but less commonly used

Final Answer: BQUESTION NO: 147 [Cisco IOS – Access Control Lists]

What are the two main types of access control lists (ACLs)?

Standard

IEEE

Extended

Specialized

A. 1 and 3

B. 2 and 4

C. 3 and 4

D. 1 and 2

Answer: A

Cisco IOS supports two primary types of ACLs:

Standard ACLs: Filter traffic based only on source IP address

Extended ACLs: Filter traffic based on source, destination IP, protocol type, and port numbers

Cisco IOS Security Guide – ACL Fundamentals:

“Standard ACLs use only source IP for filtering. Extended ACLs can match based on source, destination, ports, and protocols.”

René Meneses MTCNA Study Guide – ACL Types:

“Two types of IP ACLs: standard and extended. IEEE or specialized ACLs do not exist in Cisco terminology.”

Other options:

IEEE: Refers to Ethernet or wireless standards, not ACLs

Specialized: Not a defined ACL type

The action=masquerade is used exclusively in the srcnat chain. It dynamically hides internal IP addresses behind the router's public IP. It cannot be used in the dstnat chain.

A.✘Incorrect – masquerade is not allowed in dstnat regardless of parameters.

B.✘Incorrect – masquerade is not valid in the dstnat chain.

C.✘Incorrect – masquerade does not operate in dstnat, direction does not change this.

D.✔Correct – masquerade must only be used in chain=srcnat.

Extract from MTCNA Course Material – NAT Concepts:

“Masquerade is a special type of source NAT used only in the srcnat chain. It is invalid in dstnat.”

Extract from René Meneses Study Guide – NAT Actions:

“Use action=masquerade in chain=srcnat. RouterOS will not accept it in dstnat.”

Extract from MikroTik Wiki – NAT Rules:

“action=masquerade is not allowed in dstnat chain and will result in error if applied.”

===========

The Address Resolution Protocol (ARP) is used to resolve an IP address into a MAC address. When a device sends an ARP request asking “Who has IP X.X.X.X?”, it expects a MAC address in response.

A.✘VLAN ID – Not involved in ARP

B.✘IP address – The IP is already known; MAC is being queried

C.✔MAC Address – The required Layer 2 address is returned

D.✘802.11g – Wireless standard, irrelevant to ARP

Extract from MTCNA Course Material – ARP Basics:

“ARP maps IP addresses to MAC addresses. The reply to an ARP request contains the MAC address of the queried IP.”

Extract from René Meneses Study Guide – Layer 2/3 Functions:

“ARP is a Layer 2 protocol that returns a MAC address for a known IP.”

===========

TTL (Time to Live) is a field in the IP header that limits the number of hops a packet can travel. Each router that processes the packet decrements the TTL by 1. When TTL reaches 0, the packet is dropped.

Default TTL values vary by operating system, but in RouterOS and many Linux-based systems, the default TTL is 64.

A. 60 → Incorrect, used in some systems but not the MikroTik default

B. 30 → Incorrect

C. 1 → Incorrect; would allow only one hop

D. 64 →✔Correct

Extract from Official MTCNA Course Material – TTL Field Explanation:

"The default TTL in RouterOS and most Unix-like systems is 64. Each router decrements this by 1 until the packet is discarded."

Extract from René Meneses Study Guide – IP Protocol Details:

“TTL is initialized to 64 by default in MikroTik RouterOS.”

Extract from MikroTik Wiki – IP Protocol Section:

"RouterOS sets default TTL of 64 unless manually configured otherwise."

===========

To block a client’s application traffic (like MSN Messenger) that is passing through the router (from LAN to WAN or vice versa), the forward chain must be used. This chain processes packets that are routed through the router.

Evaluation:

A. static →❌Not a valid firewall chain.

B.✅forward → Correct – used to filter traffic that passes through the router.

C.❌output → Filters traffic originating from the router itself.

D.❌input → Filters traffic destined for the router itself.

MTCNA Firewall Section – Chain Descriptions:

“forward – Used for filtering transit traffic (client to internet or internet to client).”

René Meneses Guide – Firewall Chains:

“To block client application traffic, use the forward chain. Input/output are for local router access.”

Terry Combs Notes – Chain Matching:

“forward = traffic passing through router, like client web or chat traffic.”

Answer: BQUESTION NO: 71 [Routing]

There are two routes in the routing table:

0 dst-addr=10.1.1.0/24 gateway=5.5.5.5

1 dst-addr=10.1.1.4/30 gateway=5.6.6.6

Which gateway will be used to get to the IP address 10.1.1.6?

A. both – half of the traffic will be routed through one gateway, half through the other

B. 5.5.5.5

C. the required route is not in the routing table

D. 5.6.6.6

Answer: D

Routing decisions are made based on the longest prefix match (most specific route).

10.1.1.6 falls within:→ 10.1.1.0/24 → range: 10.1.1.0 – 10.1.1.255 (prefix length: 24)→ 10.1.1.4/30 → range: 10.1.1.4 – 10.1.1.7 (prefix length: 30)

Because /30 is more specific than /24, it will be selected for routing the packet.

MTCNA Routing Module – Prefix Length Decision:

“Router chooses the route with the longest subnet mask (most specific match).”

René Meneses Study Guide – Longest Match Principle:

“10.1.1.6 falls within 10.1.1.4/30 → use gateway 5.6.6.6.”

Terry Combs Notes – Routing Table Resolution:

“Always check if multiple routes match. Use the one with the longest prefix.”

Answer: DQUESTION NO: 72 [Wireless Security]

In order to use dynamic keys in your wireless security profile for an AP, you MUST set up the DHCP server to provide the dynamic keys.

A. true

B. false

Answer: B

MikroTik RouterOS supports dynamic key exchange for wireless networks using WPA/WPA2 (with PSK or EAP). These dynamic keys are not provided by the DHCP server but are instead part of the wireless security profile configured under /interface wireless security-profiles.

DHCP only assigns IP addresses and other network configuration parameters — it does not provide encryption keys.

MTCNA Wireless Security Module – WPA/WPA2 Explained:

“Dynamic keys are negotiated during the WPA/WPA2 authentication process, not via DHCP.”

René Meneses Guide – Wireless Authentication:

“Security profiles define pre-shared or dynamic key exchange (WPA-EAP). DHCP is unrelated.”

Terry Combs Notes – Misconceptions in Wireless Setup:

“DHCP and wireless encryption are separate layers. Keys are not assigned through DHCP.”

Answer: BQUESTION NO: 73 [Firewall / Security]

Which firewall chain should you use to filter SSH access to the router itself?

A. output

B. input

C. prerouting

D. forward

Answer: B

SSH access to the router targets the router itself. Therefore, any packets destined for the router (for example, to TCP port 22) are evaluated in the input chain of the firewall.

Evaluation:

A. output →❌For packets originating from the router, not to it.

B.✅input → Correct – handles traffic destined for the router (like SSH, Winbox, etc.)

C.❌prerouting → Used for NAT and mangle operations, not filtering

D.❌forward → Used for traffic routed through the router (not for router itself)

MTCNA Firewall Section – Chain Functions:

“SSH access to the router is incoming traffic. Use input chain to filter or allow it.”

René Meneses Guide – Access Protection:

“input chain is responsible for traffic to the router’s IP – block/allow SSH, Winbox, etc.”

Terry Combs Notes – Firewall Management:

“Always use input chain for filtering incoming management protocols like SSH.”

Winbox is a small, native Windows utility provided by MikroTik for graphical administration of RouterOS devices. It is typically downloaded from MikroTik's official website.

A. Router’s webpage → Incorrect. While the router’s WebFig interface may allow configuration, it does not offer a Winbox download.

B. Files menu → Incorrect. The Files menu is for storing backups or firmware packages, not distributing Winbox.

C. Console cable → Incorrect. Console access is CLI only; no GUI utilities can be transferred through it.

D. mikrotik.com → Correct. The only official and secure location to download Winbox is the MikroTik website.

Extract from Official MTCNA Course Material – RouterOS Introduction:

“Winbox can be downloaded from the official MikroTik website. It provides a GUI frontend for managing RouterOS.”

Extract from René Meneses MTCNA Study Guide – RouterOS Access Methods:

“You can download Winbox from mikrotik.com under the Software Tools section.”

Extract from Terry Combs MTCNA Notes – Access Methods:

“Winbox is a Windows application that must be downloaded from MikroTik’s website. It is not available directly from the router.”

===========

MikroTik allows you to control which clients can connect to your access point through:

WPA/WPA2 security – prevents unauthorized devices from authenticating.

Access List – filters by MAC address and signal strength.

Option breakdown:

A.✔access-list – Used to accept/reject client MACs and customize access settings.

B.✔wpa – WPA/WPA2 passphrase restricts who can join the network.

C.✘WDS – Wireless Distribution System, used for bridging, not access control.

D.✘registration-table – A monitoring tool showing currently connected clients; it doesn’t restrict connections.

Extract from Official MTCNA Course Material – Wireless Access Control:

“Use WPA/WPA2 for secure authentication. Access List lets you accept or reject clients based on MAC or signal level.”

Extract from René Meneses MTCNA Study Guide – Wireless Security & Filtering:

“You can limit client access using WPA security and Access List. Registration Table only shows connected users.”

Extract from Terry Combs Notes – Wireless Configuration:

“Access control = WPA + Access List. WDS is for bridging, and registration-table is read-only.”

Destination NAT (dst-nat) is used to redirect packets arriving at the router to a different internal destination. It is most commonly used to allow public access to internal services such as web servers or mail servers.

You can:

Change the destination IP address (redirect to an internal host)

Change the destination port (e.g., port 8080 to port 80)

But:

C. Changing the source port is a function of src-nat, not dst-nat →❌

D. Hiding the local network from the Internet is done via masquerade or src-nat →❌

MTCNA Course Manual – NAT Section:

“Use dst-nat to forward traffic to a private host. Port translation can also be applied (e.g., from 81 to 80).”

René Meneses Study Guide – NAT Configuration:

“dst-nat changes the destination IP/port of packets arriving on a specific interface. Common use case: access to LAN services from WAN.”

Terry Combs Notes – NAT Rule Summary:

“dst-nat = port forwarding. src-nat/masquerade = hide internal addresses.”

Answer: A, BQUESTION NO: 48 [RouterOS Introduction]

Which is the default port of IP-Winbox?

A. UDP 8291

B. TCP 80

C. TCP 8291

D. TCP 8192

Answer: C

Winbox is MikroTik’s GUI-based configuration tool. It communicates with RouterOS over TCP port 8291 by default. This port is used for both IP-based Winbox connections and MAC-based sessions (in combination with layer-2 discovery protocol).

Evaluation:

A. UDP 8291 →❌Wrong protocol

B. TCP 80 →❌Used for HTTP (WebFig)

C. TCP 8291 →✅Correct default Winbox port

D. TCP 8192 →❌Invalid / non-standard

MTCNA Course Manual – RouterOS Management Tools:

“Winbox uses TCP port 8291 by default. It is possible to change this port in the /ip service settings.”

René Meneses MTCNA Guide – Winbox Access:

“Default access via TCP 8291. Check firewall filters to ensure it’s not blocked.”

Terry Combs Notes – Remote Management:

“Winbox = TCP/8291. WebFig = TCP/80 or 443.”

Answer: CQUESTION NO: 49 [PPP]

It is possible to create an encrypted PPPoE tunnel in RouterOS:

A. true

B. false

Answer: B

PPPoE (Point-to-Point Protocol over Ethernet) does not include encryption by default. It can authenticate users using PAP or CHAP, but the data payload is transmitted in cleartext unless another secure tunneling protocol (e.g., IPSec) is layered on top.

MikroTik supports encryption in other tunneling protocols, such as:

SSTP (uses SSL)

L2TP with IPSec

OpenVPN (SSL-based)

IPsec itself (for IP layer encryption)

MTCNA Tunneling Chapter – PPP Protocol Features:

“PPPoE offers authentication, compression, but no native encryption. Use IPSec if encryption is needed.”

René Meneses Guide – Tunnel Comparison Table:

“PPPoE is not encrypted. SSTP and L2TP/IPSec are alternatives when encryption is a requirement.”

Terry Combs Notes – PPP Family Summary:

“PPPoE: Authentication = Yes, Encryption = No. Use with caution over untrusted networks.”

Answer: BQUESTION NO: 50 [Wireless]

Why is it useful to set a Radio Name on the radio interface?

A. To identify a station in a list of connected clients

B. To identify a station in Neighbor discovery

C. To identify a station in the Access List

Answer: A

The Radio Name is a human-readable identifier assigned to a wireless interface. It becomes visible in the Registration Table (i.e., the list of connected clients) on an access point. It helps network administrators distinguish between multiple connected devices.

Evaluation:

A.✅Correct — Radio Name is shown in the Registration Table (list of connected clients)

B.❌Neighbor discovery uses MAC and device identity, not radio name

C.❌Access List uses MAC addresses, not radio name, for matching

MTCNA Wireless Module – Interface Settings:

“Radio Name is shown in the registration table on the AP. It helps in client identification.”

René Meneses Guide – Wireless Monitoring:

“The AP uses the client’s Radio Name to label them in the list of associated stations.”

Terry Combs Notes – Best Practice:

“Set radio-name so you can easily tell which device is which in the registration list.”

Answer: A

The hardware-coded address that uniquely identifies a device's network interface card (NIC) on the local network is called a MAC address. It is “burned in” by the hardware manufacturer and remains constant unless manually overridden.

MAC stands for Media Access Control, and it operates at Layer 2 of the OSI model. It is used to identify devices on a local area network.

A. FQDN (Fully Qualified Domain Name) refers to a human-readable name used in DNS.

B. IP Address is a logical address used for routing at Layer 3.

C. Interface Address is a generic term and not a standard identifier.

D. MAC Address is correct and refers to the physical, hardware-encoded address on an interface.

Extract from MTCNA Course Manual – RouterBOARD Overview:

“A MAC address is a globally unique hardware identifier assigned to each Ethernet or wireless interface. It is used by Layer 2 to ensure local delivery.”

René Meneses Study Guide – MAC & OSI Layering:

“The MAC address is a 48-bit physical identifier, hardcoded by the device vendor and located in the NIC chip.”

Terry Combs MTCNA Notes – Layer 2 Concepts:

“MAC = Physical Address = Layer 2 Identifier. It’s what switches use to forward Ethernet frames.”

===========

Binary to Decimal:

10011101

= 1×2^7 + 0×2^6 + 0×2^5 + 1×2^4 + 1×2^3 + 1×2^2 + 0×2^1 + 1×2^0

= 128 + 0 + 0 + 16 + 8 + 4 + 0 + 1

= 157

Decimal to Hexadecimal:

157 ÷ 16 = 9 remainder 13 → 13 = D

So, 157 = 0x9D

MTCNA Course Material – Binary and Hex Conversion:

“Convert binary to decimal by summing powers of 2. Then convert decimal to hexadecimal by dividing by 16.”

René Meneses MTCNA Study Guide – Number Systems:

“For binary 10011101, the decimal is 157, and hex is 9D.”

Only Option B is correct: 157, 0x9D.

Final Answer: BQUESTION NO: 110 [RouterOS Introduction]

If you use either Telnet or FTP, which is the highest layer you are using to transmit data?

A. Application

B. Presentation

C. Session

D. Transport

Answer: A

Protocols like Telnet and FTP are considered Application Layer protocols in the OSI model. They operate at Layer 7, providing interfaces for user-level interaction and command control.

MTCNA Course Material – TCP/IP vs OSI Model:

“Telnet, FTP, HTTP are Application Layer protocols. They operate at the top of the OSI stack (Layer 7).”

René Meneses MTCNA Study Guide – Protocol Layers:

“Telnet and FTP reside at the Application Layer. They initiate data exchange between hosts.”

Presentation and Session layers are not separately used in the TCP/IP model and are merged into the Application Layer.

Transport (Layer 4) is used by these protocols (via TCP), but the protocol itself resides at the Application Layer.

Final Answer: AQUESTION NO: 111 [RouterOS Introduction – IP Addressing]

Which class of IP address provides a maximum of only 254 host addresses per network ID?

A. Class A

B. Class B

C. Class C

D. Class D

Answer: C

Class C networks are defined as IP addresses with the first octet in the range of 192 to 223. Their default subnet mask is 255.255.255.0 (/24), which provides:

2^8 = 256 total addresses

Minus 2 (1 for network address, 1 for broadcast)

→ 254 usable host addresses

MTCNA Course Material – IP Address Classes:

“Class C has a default mask of /24. This allows for 254 hosts per network.”

René Meneses MTCNA Study Guide – IP Classes:

“Class C = 192.0.0.0 to 223.255.255.255, 254 usable hosts per subnet.”

Other classes:

Class A: ~16 million hosts

Class B: ~65,000 hosts

Class D: used for multicast (not host assignment)

Final Answer: CQUESTION NO: 112 [RouterOS Introduction – Protocols]

Which of the following services use UDP?

DHCP

SMTP

SNMP

FTP

HTTP

TFTP

A. 1, 3 and 6

B. 2 and 4

C. 1, 2 and 4

D. All of the above

Answer: A

UDP is a connectionless protocol used by several lightweight or stateless network services. Among the listed services:

DHCP: Uses UDP (Ports 67 and 68)

SNMP: Uses UDP (Ports 161/162)

TFTP: Uses UDP (Port 69)

Other protocols:

SMTP: Uses TCP (Port 25)

FTP: Uses TCP (Ports 20 and 21)

HTTP: Uses TCP (Port 80)

MTCNA Course Material – Protocols and Ports:

“UDP is used for DHCP, SNMP, TFTP. TCP is used for SMTP, FTP, HTTP.”

René Meneses MTCNA Study Guide – Port Assignments:

“TCP: FTP, SMTP, HTTP. UDP: DHCP, SNMP, TFTP.”

Only 1, 3, and 6 use UDP.

Nstreme is a proprietary point-to-point wireless protocol developed by MikroTik to improve performance on long-distance wireless links. It enhances frame aggregation, reduces latency, and replaces standard 802.11 MAC timing behavior with a custom approach. Because of its specific mechanism, it imposes certain compatibility restrictions:

A. WDS between two station-wds devices is not compatible with Nstreme. This setup doesn't conform to proper AP-client architecture required by Nstreme, which operates in a master/slave role — typically ap-bridge and station.

B. Encryption (e.g., using WEP or WPA) is supported in Nstreme; however, MikroTik recommends encryption at higher layers like IPsec when performance is critical.

C. WDS between ap-bridge and station-wds is compatible with Nstreme. This is the standard pairing used when bridging two networks via wireless.

D. Bridging a station with an ap-bridge device using standard station mode (not station-wds or station-bridge) is not compatible for full Layer 2 bridging. Only station-wds or station-bridge supports bridging with ap-bridge mode.

Extract from Official MTCNA Course Material – Wireless Section:

"Nstreme is supported only between a device in ap-bridge mode and a device in station or station-wds mode. Both ends must support Nstreme. WDS is supported with station-wds and ap-bridge combinations. Encryption is supported, although optional."

Extract from Terry Combs MTCNA Notes – Nstreme Notes:

"Only ap-bridge <-> station-wds (or station-bridge in RouterOS v6+) is valid for bridging over Nstreme. Encryption like WPA2 is supported but optional."

Extract from René Meneses Study Guide – Wireless Features:

“Nstreme does not support station-station WDS. Proper implementation requires ap-bridge on one side and station-wds or station-bridge on the other. Basic encryption (WEP/WPA) is allowed.”

===========