Mark all correct answers.
/ip firewall filter allows to deny authentication to AP
Wireless access-list could allow and deny connect to your AP
Default-Forwarding could be enabled for a specific clients by wireless access-list
The only way to prevent wireless clients connections - disable wireless interface
Let’s evaluate each statement:
A. ✘ Incorrect – /ip firewall filter can block traffic after association/authentication but cannot directly prevent wireless authentication. Association happens before IP-level filtering.
B. ✔ Correct – Wireless access-list allows or denies associations based on MAC address and other parameters (signal strength, etc.).
C. ✔ Correct – Access-list rules can enable/disable default-forwarding per client (overriding global setting).
D. ✘ Incorrect – Disabling the wireless interface is not the only way. You can use access-list or disable SSID broadcast.
Extract from MTCNA Course Material – Wireless Access List:
“Access List provides client control based on MAC address. You can accept, reject, and even override default-forwarding per client.”
Extract from René Meneses MTCNA Study Guide – Access Control:
“Wireless Access List can selectively allow or deny clients and enforce individual settings like forwarding.”
Extract from MikroTik Wiki – Wireless Access List:
“The firewall filter is not involved in authentication. Access control must be done at the wireless layer using access-lists.”
===========
What protocol does PPP use to identify the Network layer protocol?
NCP
ISDN
HDLC
LCP
PPP (Point-to-Point Protocol) uses a modular architecture consisting of two main components:
LCP (Link Control Protocol): Establishes, configures, and tests the data-link connection
NCP (Network Control Protocol): Identifies and configures protocols at the Network Layer (e.g., IP, IPX)
NCP allows multiple protocols to be used over the same PPP link by negotiating and identifying the type of Layer 3 protocol.
MTCNA Course Material – PPP Components:
“NCP handles Layer 3 protocol negotiation and support. For example, IPCP (IP Control Protocol) is a type of NCP used for IP.”
René Meneses MTCNA Study Guide – PPP Protocol Stack:
“PPP uses NCP to identify and configure multiple Layer 3 protocols such as IP, IPX, AppleTalk.”
Other options:
B: ISDN is a WAN access technology, not part of PPP stack
C: HDLC is a data-link layer protocol, not used for identifying Layer 3
D: LCP configures link parameters, not network layer protocols
Final Answer: A
QUESTION NO: 142 [Cisco IOS – IOS Backup Procedure]
To back up an IOS, what command will you use?
A. backup IOS disk
B. copy ios tftp
C. copy tftp flash
D. copy flash tftp
Answer: D
To back up the Cisco IOS image from the router’s flash memory to an external TFTP server, the correct command is:
copy flash tftp
This command initiates a transfer from flash memory to a TFTP server and is the standard procedure for backing up IOS images.
Cisco IOS Configuration Guide – Image Backup:
“To back up your IOS image, use the command copy flash tftp and follow the prompts for file name and TFTP server IP.”
René Meneses MTCNA Study Guide – IOS Management:
“copy flash tftp is the correct syntax to save a router’s current IOS to a TFTP server.”
Other options:
A: Invalid syntax
B: Invalid command (copy ios does not exist)
C: copy tftp flash is for installing, not backing up
Final Answer: D
QUESTION NO: 143 [IP Addressing – Subnet Calculation]
Which of the following is the valid host range for the subnet on which the IP address 192.168.168.188 255.255.255.192 resides?
A. 192.168.168.129–190
B. 192.168.168.129–191
C. 192.168.168.128–190
D. 192.168.168.128–192
Answer: B
IP address: 192.168.168.188
Subnet mask: 255.255.255.192 → /26 → Block size = 64
Subnets:
192.168.168.0/26 → 192.168.168.0 – 63
192.168.168.64/26 → 192.168.168.64 – 127
192.168.168.128/26 → 192.168.168.128 – 191 ← Contains 192.168.168.188
192.168.168.192/26 → 192.168.168.192 – 255
Valid host range = 192.168.168.129 – 190
(Broadcast = 191, Network address = 128)
MTCNA Course Material – Subnetting Practice:
“To find valid hosts, exclude the subnet and broadcast address. In /26, each block is 64 addresses.”
René Meneses MTCNA Study Guide – IP Addressing:
“For /26 subnetting, calculate block size as 2^(32–26) = 64. Subnet starts at multiples of 64.”
Final Answer: B
QUESTION NO: 144 [Wireless – IEEE 802.11 Standards]
Which WLAN IEEE specification allows up to 54 Mbps at 2.4 GHz?
A. A
B. B
C. G
D. N
Answer: C
802.11g operates in the 2.4 GHz band and supports data rates up to 54 Mbps. It is backward-compatible with 802.11b and was a significant improvement in speed while maintaining wide compatibility.
MTCNA Course Material – Wireless Standards:
“802.11g operates at 2.4 GHz and supports up to 54 Mbps. It is widely used in legacy devices.”
René Meneses MTCNA Study Guide – WLAN Specifications:
“802.11g = 2.4 GHz, 54 Mbps.
802.11a = 5 GHz, 54 Mbps
802.11b = 2.4 GHz, 11 Mbps
802.11n = 2.4/5 GHz, up to 600 Mbps (MIMO)”
Option Breakdown:
A: 802.11a = 54 Mbps at 5 GHz
B: 802.11b = 11 Mbps at 2.4 GHz
C: 802.11g = ✔ 54 Mbps at 2.4 GHz
D: 802.11n = supports 2.4/5 GHz, speeds up to 600 Mbps (depending on MIMO)
────────────────────────────────────────────────────────────
On the advanced menu of the wireless setup there is a parameter called “Area”, it works directly with:
Connect List
Access List
None of these
Security Profile
The “Area” parameter is a user-defined tag in the wireless interface configuration that works with the Access List in MikroTik RouterOS. It allows grouping of clients or APs for filtering or configuration logic.
When an Access List rule includes an area name, it will only apply to devices matching that area.
Option breakdown:
A. Connect List → Incorrect. Area is not used here.
B. Access List → ✔ Correct. “Area” is matched directly in Access List rules.
C. None of these → Incorrect.
D. Security Profile → Incorrect. Security Profiles control authentication/encryption, not area filtering.
Extract from Official MTCNA Course Material – Wireless Access List:
"The Area field allows you to group wireless interfaces and filter clients based on Access List rules that include this tag."
Extract from Terry Combs Notes – Wireless Configuration:
“Area is a label that can be referenced in Access List rules to apply rules selectively.”
Extract from MikroTik Wiki – Wireless Access List Section:
"Area is used in Access List to assign rules based on interface groups or locations."
What is the term for the hardware coded address found on an interface?
FQDN Address
IP Address
Interface Address
MAC Address
The hardware-coded address that uniquely identifies a device's network interface card (NIC) on the local network is called a MAC address. It is “burned in” by the hardware manufacturer and remains constant unless manually overridden.
MAC stands for Media Access Control, and it operates at Layer 2 of the OSI model. It is used to identify devices on a local area network.
A. FQDN (Fully Qualified Domain Name) refers to a human-readable name used in DNS.
B. IP Address is a logical address used for routing at Layer 3.
C. Interface Address is a generic term and not a standard identifier.
D. MAC Address is correct and refers to the physical, hardware-encoded address on an interface.
Extract from MTCNA Course Manual – RouterBOARD Overview:
“A MAC address is a globally unique hardware identifier assigned to each Ethernet or wireless interface. It is used by Layer 2 to ensure local delivery.”
René Meneses Study Guide – MAC & OSI Layering:
“The MAC address is a 48-bit physical identifier, hardcoded by the device vendor and located in the NIC chip.”
Terry Combs MTCNA Notes – Layer 2 Concepts:
“MAC = Physical Address = Layer 2 Identifier. It’s what switches use to forward Ethernet frames.”
===========
What is the default protocol/port of (secure) winbox?
UDP/5678
TCP/22
TCP/8291
TCP/8080
Winbox is the graphical configuration utility for MikroTik routers. By default, Winbox connects to RouterOS over TCP port 8291.
A. ✘ UDP/5678 – Used for Winbox neighbor discovery, not for connecting.
B. ✘ TCP/22 – SSH service.
C. ✔ TCP/8291 – Default and official port for Winbox connections.
D. ✘ TCP/8080 – Often used for HTTP proxy; unrelated to Winbox.
Extract from MTCNA Course Material – RouterOS Access Methods:
“Winbox uses TCP port 8291 to establish connections to RouterOS.”
Extract from René Meneses MTCNA Study Guide – Access Tools:
“Winbox connects via TCP 8291. Neighbor discovery uses UDP 5678.”
Extract from MikroTik Wiki – Winbox Port Info:
“TCP/8291 is the default port for Winbox. Ensure it is not blocked by firewall.”
Select valid subnet masks:
255.192.0.0
255.255.192.255
192.0.0.0
255.255.224.0
Subnet masks are used in IP networking to define the boundary between the network portion and the host portion of an IP address. A valid subnet mask must consist of a contiguous block of 1s followed by a contiguous block of 0s in its binary representation.
Let’s analyze the given options:
A. 255.192.0.0 – This is not a standard or valid subnet mask because the 1s are not contiguous beyond the second octet. This is typically used in class A subnetting but is not commonly considered valid in CIDR or MTCNA context. While technically binary-valid, it’s not recommended or standard for practical subnetting.
B. 255.255.192.255 – Invalid, because the last octet is 255, which implies all bits are 1s, but in the third octet only partial bits are set (192 is 11000000). This breaks the required rule of contiguous 1s followed by contiguous 0s.
C. 192.0.0.0 – Invalid, as it doesn’t represent a valid subnet mask. 192 in the first octet (11000000) followed by zeros is not a valid mask – it's actually a network address, not a subnet mask.
D. 255.255.224.0 – Valid subnet mask. This represents /19 in CIDR notation. In binary: 11111111.11111111.11100000.00000000, which follows the correct rule of contiguous 1s followed by contiguous 0s.
Extract from MTCNA Study Guide by René Meneses:
Subnet masks must be a continuous string of 1s followed by a continuous string of 0s. Any deviation or split between the blocks renders the mask invalid.
Extract from MTCNA Official Course Manual:
Valid subnet masks include values such as 255.0.0.0 (/8), 255.255.0.0 (/16), 255.255.255.0 (/24), and also non-classful masks like 255.255.224.0 (/19) are allowed and used for more flexible subnetting.
Conclusion: Option D is the only one meeting the criteria for a valid subnet mask as taught in the MTCNA curriculum.
===========
There are two wireless cards (wlan1 and wlan2) which are bridged together. On wlan1 card there is a setting "Forwarding=no". Choose the correct answer(s):
Stations on wlan2 will be able to communicate with stations on wlan2
Stations on wlan2 will be able to communicate with stations on wlan1
Stations on wlan1 will be able to communicate with stations on wlan1
To prevent communication between wlan1 and wlan2 one cannot use Bridge Filters
Stations on wlan1 will be able to communicate with stations on wlan2
Setting "forwarding=no" on a wireless interface prevents communication between connected clients on that interface and between that interface and other interfaces in the same bridge. This means:
Stations connected to wlan1 cannot talk to each other
Stations on wlan1 cannot talk to stations on wlan2 (even if bridged)
Stations on wlan2 can talk to each other normally
Evaluation:
A. ✅ Correct – forwarding=no does not affect wlan2
B. ❌ Incorrect – forwarding=no blocks this
C. ✅ Correct – clients on wlan1 cannot talk to each other either
D. ❌ Bridge filters can be used but this scenario is about forwarding settings
E. ❌ Blocked by forwarding=no
MTCNA Wireless Module – Wireless Forwarding Behavior:
“Forwarding=no disables client-to-client communication on the interface and across bridges.”
René Meneses Study Guide – Wireless Access Config:
“Use forwarding=no to isolate clients on the same AP. Affects bridging too.”
Terry Combs Notes – Wireless Isolation:
“Setting forwarding=no isolates all clients on that wireless card.”
Answer: A, C
QUESTION NO: 81 [Wireless]
Consider a wireless access point with mode=ap-bridge. What is the maximum number of concurrent clients that can connect to it?
A. 2007
B. 2012
C. 2048
D. 1024
Answer: C
In MikroTik RouterOS, the theoretical maximum number of clients that can associate with an AP in ap-bridge mode is 2048. However, practical limits depend on hardware performance and network stability, and most real-world setups use far fewer clients.
Let’s review:
A. 2007 → ❌ Close, but not the actual hard limit
B. 2012 → ❌ Incorrect
C. ✅ 2048 → Correct per MikroTik’s AP mode specification
D. 1024 → ❌ Lower than the actual maximum
MTCNA Wireless Module – AP Behavior:
“In ap-bridge mode, the maximum theoretical client limit is 2048. Actual stable operation may be lower.”
René Meneses Guide – Wireless Scaling:
“2048 is the upper limit for client associations on a MikroTik AP in bridge mode.”
Terry Combs Notes – Client Capacity:
“2048 clients = maximum. Performance may degrade before that in high-traffic environments.”
To block communications between wireless clients connected to the same access point interface, you should set:
'default-forwarding=no'
'max-station-count=1'
'default-authentication=no'
'default-authentication=no' and 'default-forwarding=no'
The setting default-forwarding=no prevents wireless clients from communicating with each other over the same access point interface. This enables client isolation — each device can only reach the gateway (router), not other wireless clients.
A. ✔ Correct – This enables client isolation by blocking inter-client communication.
B. ✘ Incorrect – This limits how many clients can connect, not their ability to talk to each other.
C. ✘ Incorrect – Prevents new clients from associating, unrelated to inter-client traffic.
D. ✘ Incorrect – Only default-forwarding affects client-to-client visibility.
Extract from MTCNA Course Material – Wireless Security and Isolation:
“default-forwarding=no prevents wireless clients from communicating with each other on the same AP interface.”
Extract from René Meneses Study Guide – Wireless Interface Settings:
“To isolate wireless clients, use default-forwarding=no. This ensures clients can’t ping or access one another.”
Extract from MikroTik Wiki – Wireless Interface Options:
“default-forwarding=no stops traffic between clients. Only traffic to the AP is allowed.”
What is the correct action to be specified in the NAT rule to hide a private network when communicating to the outside world?
masquerade
allow
passthrough
tarpit
In MikroTik RouterOS, the masquerade action is used in source NAT (srcnat) rules to hide internal/private IP addresses behind a router’s public IP address. This is typically done for internet access from a LAN where the devices have private IP addresses (e.g., 192.168.x.x).
Masquerade dynamically changes the source IP of outgoing packets to the IP address of the router’s outbound interface, allowing multiple internal devices to share a single public IP.
Let’s evaluate the options:
A. masquerade → ✅ Correct. Used to perform source NAT for hiding private addresses.
B. allow → ❌ Not a valid NAT action.
C. passthrough → ❌ Used in mangle rules to continue processing additional rules, not for NAT.
D. tarpit → ❌ Used to delay TCP connections (often in firewall, not NAT).
MTCNA Course Manual – NAT Chapter:
“Masquerade is a special form of source NAT where the router replaces the source IP with the IP address of the outgoing interface.”
René Meneses Guide – NAT Configuration:
“Use masquerade on the router’s WAN interface to give internet access to private clients.”
Terry Combs Notes – NAT Rule Actions:
“Masquerade = dynamic src-nat. Useful when public IP is dynamic or unknown.”
Answer: A
QUESTION NO: 62 [PPP / AAA]
Router A and B are both running as PPPoE servers on different broadcast domains of your network. It is possible to set Router A to use "/ppp secret" accounts from Router B to authenticate PPPoE customers.
A. true
B. false
Answer: B
/ppp secret accounts are local to each RouterOS device. These credentials are stored in the router’s own configuration and cannot be shared directly between routers.
To centralize authentication across multiple routers, a RADIUS server must be used. With RADIUS, multiple MikroTik routers can authenticate users against a single, centralized user database.
Without RADIUS or another external AAA system:
Each router maintains its own /ppp secret list
Router A cannot directly read or use the /ppp secrets from Router B
Evaluation:
A. ❌ False. There is no built-in mechanism for Router A to access secrets on Router B.
B. ✅ Correct. You must use RADIUS if you want shared authentication across routers.
MTCNA PPP Module – Authentication Methods:
“/ppp secrets are stored locally on the router. For shared user authentication, configure RADIUS.”
René Meneses Study Guide – PPPoE and RADIUS:
“To authenticate clients on multiple routers with a central database, RADIUS is required.”
Terry Combs Notes – PPP Secrets vs RADIUS:
“Local secrets cannot be accessed remotely. Use RADIUS to centralize authentication.”
Answer: B
How long is level 1 (demo) license valid?
24 hours
Infinite time
1 month
1 year
RouterOS Level 1 license is the demo license that comes with all RouterOS installations (particularly on x86 or CHR before activation). It is unrestricted in time, meaning it never expires, but functionality is extremely limited.
A. 24 hours → Incorrect. There is no such time-limited restriction.
B. Infinite time → Correct. Level 1 license is perpetual but has limited features.
C. 1 month → Incorrect. MikroTik does not impose monthly timeouts on license levels.
D. 1 year → Incorrect. No temporary time-bound license is assigned by default.
Extract from Official MTCNA Course Material – Licensing Section:
“Level 1 (demo) license is unlimited in time but has very limited functionality. It is designed for testing purposes only.”
Extract from René Meneses MTCNA Study Guide – RouterOS Licensing:
“The Level 1 license is not time-limited, but it cannot be used in production due to its lack of key features.”
Extract from MikroTik Wiki – Licensing Model:
“License level 1 is a free demo license that does not expire.”
===========
A client uses a RouterBOARD1000. The clock is configured in '/system clock'. The clock resets to default after each reboot.
Select the best solution for the problem.
Write a script in '/system script' to set the clock
Configure '/system ntp server' and set a valid and reachable NTP client address
Configure '/system ntp client' and set a valid and reachable NTP server address
Open the router and ensure the CMOS battery is fine
RouterBOARD devices (such as RB1000) typically do not have a battery-backed hardware clock (RTC). This means the system time resets after each reboot. To keep time accurate, you must configure the router to synchronize with an external NTP (Network Time Protocol) server.
A. ✘ Inefficient and non-scalable solution.
B. ✘ The /system ntp server is used to act as an NTP server for others — not for receiving time.
C. ✔ Correct – You must enable /system ntp client and point to a reachable NTP server to get the correct time on boot.
D. ✘ Irrelevant – RouterBOARDs do not have CMOS batteries for timekeeping like traditional PCs.
Extract from MTCNA Course Material – Time Synchronization:
“To maintain correct system time, configure NTP client to sync with a public or internal time server after reboot.”
Extract from René Meneses Study Guide – Clock and Scheduler:
“RouterBOARD devices don’t have battery-backed RTC. Use the NTP client to update time after reboot.”
Extract from MikroTik Wiki – NTP Setup:
“Use /system ntp client to sync time. /system clock alone will reset on reboot without NTP.”
===========
Which default route will be active?
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=1.1.1.1
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=2.2.2.2
Route via gateway 2.2.2.2
Route via gateway 1.1.1.1
In MikroTik RouterOS (and in routing in general), the "distance" value determines the priority of a route. The route with the lowest distance will be preferred.
Here:
Route to 0.0.0.0/0 via 1.1.1.1 has distance = 10
Route to 0.0.0.0/0 via 2.2.2.2 has distance = 5 → lower, so preferred ✅
Unless the lower-distance route is invalid or unreachable, it will always be selected.
MTCNA Course Manual – Static Routing:
“The lower the distance value, the higher the route’s priority. Routes are selected based on administrative distance first.”
René Meneses Study Guide – Route Distance:
“A route with distance 1 is preferred over a route with distance 2. It does not matter which was added first.”
Terry Combs Notes – Routing Behavior:
“RouterOS evaluates the distance (priority) before anything else. Smallest value wins.”
Answer: A
QUESTION NO: 44 [Firewall]
What does the firewall action "Redirect" do? Select all true statements.
A. Redirects a packet to a specified port on the router
B. Redirects a packet to a specified IP
C. Redirects a packet to the router
D. Redirects a packet to a specified port on a host in the network
Answer: A, C
The redirect action in MikroTik’s NAT firewall rules is used to force traffic (usually from LAN clients) to a local service on the router — for example, redirecting all DNS queries to the router’s DNS server, or forcing web traffic to a proxy.
Details:
It changes the destination IP to the router's IP automatically (without needing to specify it)
It also allows port redirection (e.g., dst-port=80 → to 3128 for proxy)
Evaluation:
A. ✅ True — You can redirect to a specific port on the router
B. ❌ False — Redirect does not change destination IP to an arbitrary host; for that, use dst-nat
C. ✅ True — Redirect forces traffic to the router itself
D. ❌ False — dst-nat is used to forward packets to internal hosts, not redirect
MTCNA Course Manual – NAT Actions:
“Redirect action changes destination to the router itself. This is useful for forcing traffic through router services.”
René Meneses Guide – NAT Behavior:
“Redirect = router-local services like DNS or proxy. Use dst-nat for remote hosts.”
Terry Combs Notes – Firewall Actions:
“Use redirect when you want to intercept traffic and handle it locally on the router.”
Answer: A, C
QUESTION NO: 45 [PPP / Tunnels]
Which port does PPTP use by default?
A. TCP 1721
B. UDP 1723
C. TCP 1723
D. UDP 1721
Answer: C
PPTP (Point-to-Point Tunneling Protocol) uses:
TCP port 1723 for control and session initiation
GRE (Generic Routing Encapsulation) protocol (protocol number 47) for tunneling
No UDP port is used by PPTP.
Evaluation:
A. TCP 1721 → ❌ Invalid port
B. UDP 1723 → ❌ Incorrect protocol (TCP is used, not UDP)
C. ✅ TCP 1723 → Correct
D. ❌ Invalid (wrong protocol and port)
MTCNA Tunneling Section – PPTP Overview:
“PPTP uses TCP port 1723 for control and GRE protocol for tunneling traffic.”
René Meneses MTCNA Guide – PPTP Characteristics:
“PPTP = TCP/1723 + GRE (not a port, but a protocol). Allow both on firewall.”
Terry Combs Notes – VPN Protocol Reference:
“PPTP: TCP 1723. GRE must be permitted for tunnel data.”
Answer: C
QUESTION NO: 46 [Firewall]
Which firewall chain should you use to filter ICMP packets from the router itself?
A. input
B. postrouting
C. forward
D. output
Answer: D
MikroTik RouterOS uses firewall chains to process packets based on direction:
input: For packets destined to the router itself (from outside)
output: For packets originating from the router (e.g., router pings)
forward: For packets passing through the router between interfaces
postrouting: Used for NAT and marking, not filtering
Therefore:
To block/allow ICMP (ping) generated by the router (e.g., netwatch, DNS probes), use the output chain
To block incoming pings to the router, use input
To block pings between LAN and WAN, use forward
MTCNA Firewall Module – Chain Responsibilities:
“To control traffic originating from the router itself, use the output chain. For example, when the router itself sends ICMP requests.”
René Meneses Guide – Firewall Chains Explained:
“output is for locally generated traffic. input is for inbound traffic to the router.”
Terry Combs Notes – Chain Use Cases:
“Ping from router = output. Ping to router = input. Ping between networks = forward.”
Mark the queue types that are available in RouterOS
SFQ – Stochastic Fairness Queuing
DRR – Deficit Round Robin
FIFO – First In First Out (for Bytes or for Packets)
LIFO – Last In First Out
PCQ – Per Connection Queuing
RED – Random Early Detect (or Drop)
MikroTik RouterOS offers several queuing types under /queue type. These queuing algorithms manage how packets are buffered and sent, affecting fairness, delay, and throughput.
Available queue types in RouterOS:
SFQ (Stochastic Fairness Queuing) ✔
FIFO (First In First Out – for bytes or packets) ✔
PCQ (Per Connection Queuing) ✔
RED (Random Early Detection/Drop) ✔
Unavailable queue types:
DRR ✘ – Not supported by RouterOS
LIFO ✘ – Not supported; not suitable for networking queues
Extract from Official MTCNA Course Material – Queue Types:
"RouterOS supports PCQ, SFQ, RED, FIFO, and more. DRR and LIFO are not implemented."
Extract from René Meneses MTCNA Study Guide – Traffic Management:
“Only PCQ, FIFO, SFQ, RED are listed under /queue type. DRR and LIFO do not appear in the supported list.”
Extract from MikroTik Wiki – Queue Types:
“Supported types include FIFO, PCQ, RED, and SFQ. Each has specific use cases for latency or fairness.”
===========
You have 10 users plugged into a hub running 10 Mbps half-duplex. There is a server connected to the switch running 10 Mbps half-duplex as well. How much bandwidth does each host have to the server?
100 kbps
1 Mbps
2 Mbps
10 Mbps
When using a hub, all connected devices share the total bandwidth. Since it’s a 10 Mbps half-duplex hub, all 10 users share the same collision domain and 10 Mbps. However, when calculating potential access to the server from any single host, each host can use the full 10 Mbps — as long as no other users are transmitting simultaneously.
More importantly, the connection to the server is also 10 Mbps half-duplex, so regardless of the internal collisions, each client could use the full 10 Mbps to the server — just not concurrently with others.
Cisco CCNA Curriculum – Hubs and Bandwidth Sharing:
“In a hub, all ports share bandwidth. However, each host is capable of utilizing the full bandwidth if no contention exists.”
René Meneses MTCNA Study Guide – Hub Limitations:
“A hub provides shared bandwidth, but each device can use the full rate momentarily, assuming no collisions.”
Hence, the correct answer is based on potential — not divided bandwidth.
Final Answer: D
QUESTION NO: 146 [Cisco IOS – Configuration Management]
What command is used to create a backup configuration?
A. copy running backup
B. copy running-config startup-config
C. config mem
D. wr mem
Answer: B
The command copy running-config startup-config saves the current active configuration in RAM (running-config) to NVRAM (startup-config). This ensures that the configuration persists after a reboot.
Cisco IOS Configuration Guide – Saving Configs:
“To save the active configuration, use: copy running-config startup-config.”
René Meneses MTCNA Study Guide – IOS Management:
“Saving configuration ensures the device boots with the same settings. Use copy running-config startup-config or its shortcut: wr.”
Breakdown:
A: Invalid syntax — no such keyword as “backup”
C: config mem is outdated and not used in modern IOS
D: wr mem is a shortcut for “write memory” — still valid but less commonly used
Final Answer: B
QUESTION NO: 147 [Cisco IOS – Access Control Lists]
What are the two main types of access control lists (ACLs)?
Standard
IEEE
Extended
Specialized
A. 1 and 3
B. 2 and 4
C. 3 and 4
D. 1 and 2
Answer: A
Cisco IOS supports two primary types of ACLs:
Standard ACLs: Filter traffic based only on source IP address
Extended ACLs: Filter traffic based on source, destination IP, protocol type, and port numbers
Cisco IOS Security Guide – ACL Fundamentals:
“Standard ACLs use only source IP for filtering. Extended ACLs can match based on source, destination, ports, and protocols.”
René Meneses MTCNA Study Guide – ACL Types:
“Two types of IP ACLs: standard and extended. IEEE or specialized ACLs do not exist in Cisco terminology.”
Other options:
IEEE: Refers to Ethernet or wireless standards, not ACLs
Specialized: Not a defined ACL type
What is marked by connection-state=established matcher?
Packet belongs to an existing connection, for example a reply packet or a packet which belongs to already replied connection
Packet is related to, but not part of an existing connection
Packet does not correspond to any known connection
Packet begins a new TCP connection
The connection-state=established matcher in MikroTik’s firewall refers to packets that are part of an already active connection. These packets are neither new nor related — they are directly associated with a known connection that has been previously accepted or initiated.
MikroTik uses Connection Tracking (enabled by default) to determine the state of each packet:
new: Packet begins a new connection (e.g., TCP SYN)
established: Packet belongs to a previously established connection (reply or subsequent packets)
related: Packet is not part of the connection, but is related (e.g., FTP data channel)
invalid: Packet that does not match any known or valid connection
Therefore:
A. ✅ Correct. “Established” means part of an ongoing, known connection.
B. ❌ This describes “related”
C. ❌ This describes “invalid”
D. ❌ This describes “new”
MTCNA Course Manual – Firewall and Connection Tracking:
“Established – Packet that belongs to an existing connection. This includes replies and ongoing streams.”
René Meneses Study Guide – Firewall Fundamentals:
“Use connection-state=established to allow traffic that is part of previously accepted sessions.”
Terry Combs Notes – Connection States:
“Established = trusted, ongoing session. Essential for return traffic.”
Answer: A
QUESTION NO: 32 [PPP]
PPP Secrets are used for:
A. PPPoE clients
B. L2TP clients
C. IPSec clients
D. PPP clients
E. PPTP clients
F. Router users
Answer: A, B, D, E
PPP Secrets is a user authentication mechanism used in MikroTik RouterOS for various PPP-based services. These include:
PPP (Point-to-Point Protocol)
PPPoE (PPP over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
Each client authenticates with a username/password combination defined under PPP → Secrets. PPP Secrets is not used for:
IPSec clients → ❌ They use peer configurations and policies
Router users (Winbox/WebFig) → ❌ Use system → users, not PPP secrets
MTCNA PPP Chapter – Secrets Authentication:
“PPP Secrets are used for all PPP services: PPP, PPPoE, L2TP, and PPTP. It defines usernames, passwords, profiles, and IP bindings.”
René Meneses Guide – Tunnels and PPP:
“Any PPP-based tunnel uses PPP secrets for login validation. This includes local dial-in and remote VPN tunnels.”
Terry Combs Notes – PPP Authentication Table:
“PPP Secrets = for PPP, PPPoE, PPTP, and L2TP. Not for IPSec or Winbox.”
Answer: A, B, D, E
QUESTION NO: 33 [Licensing]
How long is level 1 (free) license valid?
A. 1 month
B. 24 hours
C. 1 year
D. Infinite time
Answer: D
Level 1 license in MikroTik RouterOS is a free license type. It is included with every installation but has very limited functionality. Despite the limitations, it is valid for an unlimited duration.
Features available in level 1:
Basic configuration
One active user session
Ideal for lab/testing with CHR
Incorrect options:
A. 1 month → ❌ Not time-based
B. 24 hours → ❌ No expiration limit
C. 1 year → ❌ Invalid
D. ✅ Correct → Valid forever, but feature-limited
MTCNA Course Material – Licensing Section:
“Level 1 license is free and does not expire. It provides minimal feature access.”
René Meneses Study Guide – License Levels:
“Level 1 is permanent but restrictive. Great for evaluation or learning.”
Terry Combs Notes – RouterOS Licensing Table:
“Level 1 license = lifetime access to basic RouterOS functionality.”
Answer: D
QUESTION NO: 34 [NAT]
What is the correct action for a NAT rule on a router that should intercept SMTP traffic and send it over to a specified mail server?
A. tarpit
B. dst-nat
C. passthrough
D. redirect
Answer: B
To forward traffic from one destination to another (such as from the public IP to an internal mail server), the dst-nat action is used in MikroTik NAT rules.
dst-nat: Modifies the destination IP address and/or port of the packet. Used to forward traffic to an internal resource.
tarpit: Captures and holds TCP connections (used for spam traps or slowing down bots) → ❌
passthrough: Used in mangle rules; allows the packet to be evaluated by the next rule → ❌
redirect: Redirects traffic to the router itself (e.g., proxy or DNS services) → ❌
So, for external SMTP traffic (e.g., TCP port 25), we use a dst-nat rule that forwards the traffic to the internal mail server.
MTCNA NAT Section – Destination NAT:
“To forward SMTP traffic from a public address to a private server, use dst-nat with appropriate port and IP.”
René Meneses Guide – Practical NAT Examples:
“Use dst-nat for port forwarding. Redirect is for internal services like DNS or web proxy.”
Terry Combs Notes – NAT Action Summary:
“dst-nat = most common for external-to-internal mapping (e.g., mail servers, web servers).”
The DoD model (also called the TCP/IP stack) has four layers. Which layer of the DoD model is equivalent to the Network layer of the OSI model?
Application
Host-to-Host
Internet
Network Access
The TCP/IP or DoD model includes the following layers:
Application
Host-to-Host
Internet
Network Access
The Internet layer in the DoD model is responsible for logical addressing and routing — matching the function of the OSI model's Layer 3 (Network Layer), which handles IP addressing and packet forwarding.
MTCNA Course Material – TCP/IP vs OSI Model:
“The Internet layer of the TCP/IP model maps directly to the OSI’s Network Layer and is responsible for logical addressing and routing.”
René Meneses MTCNA Study Guide – Layer Mapping Table:
“TCP/IP Internet Layer = OSI Network Layer. Handles IP routing, addressing.”
Other mappings:
Application = OSI Layers 5–7
Host-to-Host = OSI Layer 4 (Transport)
Network Access = OSI Layers 1–2
Final Answer: C
QUESTION NO: 114 [RouterOS Introduction – ARP]
Which of the following allows a router to respond to an ARP request that is intended for a remote host?
A. Gateway DP
B. Reverse ARP (RARP)
C. Proxy ARP
D. Inverse ARP (IARP)
Answer: C
Proxy ARP allows a router to answer ARP requests on behalf of another device. It is often used in networks where hosts don't have proper default gateways but still need to communicate with devices in different subnets.
MTCNA Course Material – ARP Types:
“Proxy ARP allows a router to respond to an ARP request for an IP address that is not on the local subnet, effectively acting as a proxy.”
René Meneses MTCNA Guide – ARP Configuration:
“Proxy ARP is useful for bridging two IP networks or for clients that do not have default gateways defined.”
MikroTik Wiki – ARP Modes:
“When Proxy ARP is enabled, the router replies to ARP requests for hosts that are not on the same subnet.”
Other options:
A: Gateway DP is not a standard term or protocol.
B: RARP maps MAC to IP — outdated and not used in this context.
D: Inverse ARP is used in Frame Relay, not Ethernet/IP networks.
Final Answer: C
QUESTION NO: 115 [DHCP]
You want to implement a mechanism that automates the IP configuration, including IP address, subnet mask, default gateway, and DNS information. Which protocol will you use to accomplish this?
A. SMTP
B. SNMP
C. DHCP
D. ARP
Answer: C
DHCP (Dynamic Host Configuration Protocol) is specifically designed to assign IP configuration details automatically to clients on a network, including:
IP address
Subnet mask
Default gateway
DNS servers
MTCNA Course Material – DHCP Server Function:
“DHCP is a service that dynamically assigns IP settings to clients, removing the need for manual configuration.”
René Meneses MTCNA Study Guide – DHCP Operation:
“DHCP provides automatic configuration of network parameters including IP, mask, DNS, and gateway.”
Other options:
A: SMTP is for email
B: SNMP is for monitoring
D: ARP resolves IP-to-MAC addresses
Final Answer: C
QUESTION NO: 116 [DHCP]
Which of the following describe the DHCP Discover message?
It uses FF:FF:FF:FF:FF:FF as a layer 2 broadcast.
It uses UDP as the Transport layer protocol.
It uses TCP as the Transport layer protocol.
It does not use a layer 2 destination address.
A. 1 only
B. 1 and 2
C. 3 and 4
D. 4 only
Answer: B
When a client sends a DHCP Discover message:
It does not yet have an IP address, so it sends a Layer 2 broadcast (FF:FF:FF:FF:FF:FF).
DHCP uses UDP, not TCP.
Specifically, it uses UDP port 67 (server) and 68 (client).
Layer 2 destination is broadcast — it certainly does use a Layer 2 address.
MTCNA Course Material – DHCP Process:
“The client broadcasts a DHCP Discover message to FF:FF:FF:FF:FF:FF using UDP ports 67 and 68.”
René Meneses MTCNA Study Guide – DHCP Message Types:
“DHCP uses UDP. Discovery messages are Layer 2 broadcasts to locate a DHCP server.”
MikroTik Wiki – DHCP Protocol Behavior:
“The Discover message uses UDP and broadcast MAC addressing.”
Statements:
1: True (Layer 2 broadcast)
2: True (Uses UDP)
3: False (TCP not used)
4: False (Layer 2 destination address is broadcast)
────────────────────────────────────────────────────────────
Which of the protocols below is used by Netinstall?
arp
bootp
dhcp
rarp
Netinstall is a MikroTik tool for reinstalling RouterOS on RouterBOARD devices. It uses the RARP (Reverse ARP) protocol during the boot phase to obtain the host from which to download the OS. It does not rely on DHCP, ARP, or BOOTP in standard Netinstall scenarios.
A. ✘ arp – Not used by Netinstall for initial boot communication
B. ✘ bootp – Not used in Netinstall process
C. ✘ dhcp – Not used for booting RouterBOARD into Netinstall
D. ✔ rarp – Used by Netinstall to allow the RouterBOARD to request an address and boot image
Extract from MTCNA Course Material – Netinstall Boot Process:
“Netinstall uses RARP to discover the Netinstall server when booting into Ethernet mode.”
Extract from MikroTik Wiki – Netinstall:
“Netinstall communicates with the device via RARP protocol when loading RouterOS over Ethernet.”
Extract from René Meneses MTCNA Study Guide – Netinstall Chapter:
“RARP is used for booting during Netinstall. DHCP is not required for this operation.”
Action=redirect can be used in NAT chain src-nat
true
false
The action=redirect is used only in the dstnat chain to redirect traffic to a local port (e.g., for transparent proxy or DNS capture). It is not valid in the srcnat chain.
A. ✘ Incorrect – RouterOS will not permit redirect in srcnat.
B. ✔ Correct – redirect is only supported in dstnat.
Extract from Official MTCNA Course Material – NAT Actions:
“Redirect is used in the dstnat chain to force traffic to a specific port on the local router.”
Extract from MikroTik Wiki – NAT Action Reference:
“Action=redirect is only meaningful in dstnat and is used to redirect traffic to router-local services.”
Extract from René Meneses Study Guide – NAT Table:
“Redirect cannot be used in srcnat. Only valid in dstnat for local service interception.”
===========
Is action=masquerade allowed in chain=dstnat?
yes, but only if dst-addr is specified
yes
yes, but it works only for incoming connections
no
The action=masquerade is used exclusively in the srcnat chain. It dynamically hides internal IP addresses behind the router's public IP. It cannot be used in the dstnat chain.
A. ✘ Incorrect – masquerade is not allowed in dstnat regardless of parameters.
B. ✘ Incorrect – masquerade is not valid in the dstnat chain.
C. ✘ Incorrect – masquerade does not operate in dstnat, direction does not change this.
D. ✔ Correct – masquerade must only be used in chain=srcnat.
Extract from MTCNA Course Material – NAT Concepts:
“Masquerade is a special type of source NAT used only in the srcnat chain. It is invalid in dstnat.”
Extract from René Meneses Study Guide – NAT Actions:
“Use action=masquerade in chain=srcnat. RouterOS will not accept it in dstnat.”
Extract from MikroTik Wiki – NAT Rules:
“action=masquerade is not allowed in dstnat chain and will result in error if applied.”
===========
Which of these are possible solutions to bridge two networks over a wireless link:
Both devices in AP mode and enable WDS mode
One device in AP mode, another one in station-pseudobridge-clone
One device in AP mode, another one in station-pseudobridge
One device in AP mode, another one in station
To bridge two networks over a wireless link (i.e., perform Layer 2 bridging), MikroTik offers several wireless modes that support bridging:
WDS (Wireless Distribution System) is MikroTik’s mechanism to forward Layer 2 frames over wireless
pseudobridge and pseudobridge-clone attempt to mimic Layer 2 bridging, with some limitations
Option analysis:
A. ✔ Correct – Using AP mode on both ends and enabling WDS allows full Layer 2 bridging
B. ✔ Correct – pseudobridge-clone allows limited bridging by spoofing the MAC address of the connected host
C. ✔ Correct – station-pseudobridge enables partial bridging (one client per MAC)
D. ✘ Incorrect – station mode alone does not support Layer 2 bridging; it performs routing/NAT instead
Extract from MTCNA Course Material – Bridging and Wireless Section:
"To bridge over wireless, you can use WDS or station-pseudobridge(-clone). WDS provides true Layer 2 bridging, while pseudobridge methods simulate it for single hosts."
Extract from René Meneses Study Guide – Wireless Bridging:
“WDS is most reliable for bridging. pseudobridge and pseudobridge-clone work with one client and should be used cautiously.”
Extract from Terry Combs Notes – Wireless Bridging:
“station mode alone is not sufficient for bridging. Use WDS or pseudobridge options.”
===========
NAT rule is going to catch SMTP traffic and send it to a specific mail server. What is the correct action for a NAT rule?
passthrough
dst-nat
redirect
tarpit
To redirect SMTP (port 25) traffic from users to a specific internal or external SMTP server, you must use dst-nat. This modifies the destination address and port to point to the desired mail server.
A. ✘ passthrough – Allows the packet to be evaluated by other NAT rules; it doesn't alter traffic
B. ✔ dst-nat – Rewrites destination IP/port; this is what is needed to redirect SMTP to a specific server
C. ✘ redirect – Sends traffic to the router itself; not suitable for external redirection
D. ✘ tarpit – Used for slowing down malicious TCP connections, not redirection
Extract from MTCNA Course Material – NAT Types:
“Use dst-nat to change the destination IP address. This is suitable for port forwarding or service redirection.”
Extract from René Meneses Study Guide – NAT Rules:
“To redirect traffic to a specific server, use action=dst-nat and specify the new destination address.”
===========
Which statements are true regarding ICMP packets?
ICMP guarantees datagram delivery.
ICMP can provide hosts with information about network problems.
ICMP is encapsulated within IP datagrams.
ICMP is encapsulated within UDP datagrams.
1 only
2 and 3
1 and 4
All of the above
ICMP (Internet Control Message Protocol) is used for diagnostics and error reporting in IP networks. It is encapsulated directly within IP datagrams and not over UDP or TCP. It does not guarantee delivery — it merely provides feedback about problems (e.g., host unreachable, time exceeded).
MTCNA Course Material – ICMP and Network Tools:
“ICMP is used for error messages and operational queries such as ping and destination unreachable. It is encapsulated in IP and does not use TCP or UDP.”
René Meneses MTCNA Study Guide – ICMP Section:
“ICMP provides diagnostic information. It is a Layer 3 protocol encapsulated directly in IP. It does not provide guaranteed delivery.”
MikroTik Wiki – ICMP Overview:
“ICMP packets are carried in IP packets and used for control messages. They are not transported using TCP or UDP.”
Breakdown:
Statement 1: False – ICMP does not guarantee delivery
Statement 2: True – provides network problem feedback
Statement 3: True – encapsulated in IP
Statement 4: False – ICMP is not encapsulated in UDP
Correct set: 2 and 3
Final Answer: B
QUESTION NO: 106 [RouterOS Introduction]
Which Layer 4 protocol is used for a Telnet connection?
A. IP
B. TCP
C. TCP/IP
D. UDP
Answer: B
Telnet is a protocol used to access remote devices via command-line over the network. It operates over TCP at Layer 4, using port 23.
MTCNA Course Material – Layer 4 Protocols:
“Telnet uses TCP port 23 for remote shell access. TCP ensures ordered and reliable delivery of commands and responses.”
René Meneses MTCNA Study Guide – TCP/IP Protocols:
“Telnet is an Application Layer protocol using TCP as its transport protocol.”
MikroTik Wiki – Telnet Access:
“Telnet communicates over TCP. It does not use UDP.”
Other options:
A. IP is a Layer 3 protocol
C. TCP/IP is a model, not a single protocol
D. Telnet does not use UDP
Final Answer: B
QUESTION NO: 107 [RouterOS Introduction]
Which of the following are layers in the TCP/IP model?
Application
Session
Transport
Internet
Data Link
Physical
A. 1 and 2
B. 1, 3 and 4
C. 2, 3 and 5
D. 3, 4 and 5
Answer: B
The TCP/IP model has four layers:
Application
Transport
Internet
Network Access (includes Data Link & Physical in OSI terms)
Session is part of the OSI model, not TCP/IP.
MTCNA Course Material – TCP/IP vs OSI Model:
“The TCP/IP model has Application, Transport, Internet, and Network Access layers. Application includes OSI’s Session, Presentation, and Application layers.”
René Meneses MTCNA Guide – Model Comparison:
“The TCP/IP model consists of: Application, Transport, Internet, and Network Access (which covers Data Link and Physical). Session layer is part of OSI.”
So, correct TCP/IP layers from the given list:
Application (✔)
Transport (✔)
Internet (✔)
Session is not part of TCP/IP model.
Final Answer: B
QUESTION NO: 108 [RouterOS Introduction]
Which statements are true regarding ICMP packets?
They acknowledge receipt of a TCP segment.
They guarantee datagram delivery.
They can provide hosts with information about network problems.
They are encapsulated within IP datagrams.
A. 1 only
B. 2 and 3
C. 3 and 4
D. 2, 3 and 4
Answer: C
Reiterating from earlier:
ICMP does not acknowledge TCP segments; that’s TCP’s job.
ICMP does not guarantee delivery; it’s an unreliable protocol.
ICMP does provide diagnostics (e.g., unreachable, TTL exceeded).
ICMP is encapsulated directly in IP, not over TCP/UDP.
MTCNA Course Material – ICMP Behavior:
“ICMP is used for control messages like ping and unreachable. It provides feedback and is encapsulated in IP.”
René Meneses MTCNA Study Guide – ICMP & IP Layer:
“ICMP is a Layer 3 protocol, not used to acknowledge TCP, and is wrapped in IP datagrams.”
Correct:
Statement 3: True
Statement 4: True
In RouterOS queue configurations the word “total” usually represents:
download
upload + download
download - upload
upload
In MikroTik queues (especially in simple queues), the "total" limit typically refers to the combined rate of upload and download traffic — i.e., the total bandwidth usage. This is useful when you want to control the full traffic flow for a client or subnet.
A. ✘ Incorrect – Not just download
B. ✔ Correct – Total = Download + Upload combined
C. ✘ Incorrect
D. ✘ Incorrect – Upload alone is not referred to as "total"
Extract from MTCNA Course Material – Simple Queues:
“The total max-limit or total rate represents both upload and download combined.”
Extract from René Meneses MTCNA Study Guide – Queue Types:
“Use total max-limit to limit overall bandwidth. Individual directions can also be configured.”
Extract from MikroTik Wiki – Simple Queue Options:
“total-max-limit defines the sum of incoming and outgoing traffic rates.”
A PC with IP 192.168.1.2 can access internet, and static ARP has been set for that IP address on gateway. When the PC Ethernet card failed, the user changed it with a new card and set the same IP for it. What else should be done? [multiple answers]
Old static ARP entry on gateway has to be updated for the new card
Nothing – it will work as before
MAC-address of the new card has to be changed to MAC address of old card
Another IP has to be added for Internet access
When static ARP is configured, the router explicitly binds an IP address to a specific MAC address. This means:
If the MAC address of the device changes (as it does when a new network card is installed), and the IP remains the same, the router will not allow the device to communicate, because the MAC address in the ARP table no longer matches the new hardware.
Options explained:
A. ✔ Correct. The old ARP entry must be updated to reflect the new MAC address if the IP is reused.
B. ✘ Incorrect. The communication will fail if the ARP table still holds the outdated MAC for that IP.
C. ✔ Correct. Alternatively, if the new NIC supports MAC address modification, setting the MAC address to match the old one would make the static ARP entry valid again.
D. ✘ Incorrect. There's no need to change the IP if the static ARP entry is updated.
Extract from Official MTCNA Course Material – ARP Section:
"Static ARP entries tie IPs to MAC addresses. If the MAC changes but the static ARP entry remains unchanged, the device cannot communicate with the router."
Extract from René Meneses MTCNA Study Guide – ARP:
"When using static ARP, any MAC change must be reflected in the router's ARP table; otherwise, packets will be dropped."
Extract from MikroTik Wiki – ARP Modes:
"Static entries require matching MAC addresses. If the client's MAC changes, the ARP table must be updated or communication will fail."
===========
Which command is used to upgrade an IOS on a Cisco router?
copy tftp run
copy tftp start
config net
copy tftp flash
To upgrade or install a new Cisco IOS image on a router, you typically copy the IOS image file from a TFTP server into the router’s flash memory. The correct syntax is:
copy tftp flash
This command tells the router to copy the IOS image from a TFTP server into flash storage, where it can be booted.
Cisco IOS Documentation – Image Upgrade Process:
“Use the command copy tftp flash to transfer an IOS image from a TFTP server to the router’s flash memory.”
Other options:
A: copy tftp run – invalid; you cannot copy into the running-config that way
B: copy tftp start – used to copy configuration, not IOS image
C: config net – an older and deprecated command, not for IOS upgrades
Final Answer: D
QUESTION NO: 122 [RouterOS Introduction – ICMP and Diagnostics]
Which protocol does Ping use?
A. TCP
B. ARP
C. ICMP
D. BootP
Answer: C
Ping is a diagnostic utility used to test reachability between devices. It sends ICMP Echo Request packets and waits for ICMP Echo Replies. ICMP (Internet Control Message Protocol) is used for these types of control messages and is encapsulated within IP.
MTCNA Course Material – Diagnostic Tools:
“Ping uses ICMP Echo Requests to verify if a destination is reachable. It does not use TCP or UDP.”
René Meneses MTCNA Study Guide – Ping and ICMP:
“Ping uses ICMP, not TCP or ARP. ICMP packets are used to check basic connectivity.”
MikroTik Wiki – Ping Tool Description:
“Ping works by sending ICMP packets. It cannot use TCP.”
Other options:
TCP: Used by protocols like HTTP, FTP
ARP: Resolves IP to MAC, not used for ping
BootP: DHCP-related protocol, not diagnostic
Final Answer: C
QUESTION NO: 123 [Cisco – Frame Relay Troubleshooting]
What command will display the line, protocol, DLCI, and LMI information of an interface?
A. sh pvc
B. show interface
C. show frame-relay pvc
D. show run
Answer: C
In Cisco IOS, to display detailed Frame Relay virtual circuit information, including the line status, protocol status, DLCI (Data Link Connection Identifier), and LMI (Local Management Interface) details, the correct command is:
show frame-relay pvc
Cisco IOS Command Reference – Frame Relay:
“The show frame-relay pvc command displays information about PVC status, including DLCI numbers and LMI statistics.”
Breakdown:
A: sh pvc – shorthand and ambiguous, may not be recognized
B: show interface – general interface stats but lacks detailed LMI/DLCI info
C: show frame-relay pvc – ✔ correct, provides detailed DLCI/LMI info
D: show run – shows current configuration, not real-time PVC status
Final Answer: C
QUESTION NO: 124 [Networking Fundamentals – Ethernet and Switching]
How many collision domains are created when you segment a network with a 12-port switch?
A. 1
B. 2
C. 5
D. 12
Answer: D
Each port on a switch creates its own collision domain. Unlike hubs (which extend a single collision domain), switches segment each interface, allowing full-duplex communication and eliminating collisions.
MTCNA Course Material – Ethernet Switching Concepts:
“Each switch port is a separate collision domain. A 24-port switch creates 24 separate collision domains.”
René Meneses MTCNA Study Guide – Collision and Broadcast Domains:
“Switches break up collision domains per port, unlike hubs.”
Therefore, a 12-port switch creates 12 individual collision domains.
When sending out an ARP request, an IP host is expecting what kind of address for an answer?
VLAN ID
IP address
MAC Address
802.11g
The Address Resolution Protocol (ARP) is used to resolve an IP address into a MAC address. When a device sends an ARP request asking “Who has IP X.X.X.X?”, it expects a MAC address in response.
A. ✘ VLAN ID – Not involved in ARP
B. ✘ IP address – The IP is already known; MAC is being queried
C. ✔ MAC Address – The required Layer 2 address is returned
D. ✘ 802.11g – Wireless standard, irrelevant to ARP
Extract from MTCNA Course Material – ARP Basics:
“ARP maps IP addresses to MAC addresses. The reply to an ARP request contains the MAC address of the queried IP.”
Extract from René Meneses Study Guide – Layer 2/3 Functions:
“ARP is a Layer 2 protocol that returns a MAC address for a known IP.”
===========
Bridging loops can be avoided by enabling:
RSTP protocol
STP protocol
Connection tracking
UDP filter
ICMP filter
Bridging loops occur when there are multiple active paths between switches or bridge interfaces, causing broadcast storms or MAC table instability. MikroTik RouterOS supports both STP (Spanning Tree Protocol) and RSTP (Rapid Spanning Tree Protocol) to detect and block redundant paths.
A. ✔ RSTP – Faster and preferred protocol to prevent loops.
B. ✔ STP – The original protocol, slower convergence but still effective.
C. ✘ Connection tracking – Not related to Layer 2 loop prevention.
D. ✘ UDP filter – Filters specific traffic types, doesn’t handle loops.
E. ✘ ICMP filter – Not relevant to Layer 2 loop protection.
Extract from Official MTCNA Course Material – Bridging and STP:
“STP or RSTP must be enabled to prevent bridging loops. RSTP is the recommended version due to faster convergence.”
Extract from René Meneses MTCNA Study Guide – Bridging:
“Always enable STP or RSTP when using bridges with multiple paths to prevent Layer 2 loops.”
Extract from MikroTik Wiki – STP / RSTP:
“STP and RSTP are loop prevention mechanisms for bridges. They dynamically block redundant links.”
===========
You cannot use OSPF and RIP routing protocols simultaneously on RouterOS.
FALSE
TRUE
MikroTik RouterOS supports running multiple dynamic routing protocols simultaneously, including RIP, OSPF, and BGP. They are independent processes and can be configured in parallel. This is commonly used in complex network environments or during routing migrations.
A. ✔ FALSE – You can run OSPF and RIP at the same time.
B. ✘ TRUE – Incorrect; both protocols are fully supported to coexist.
Extract from MTCNA Course Material – Dynamic Routing:
“RouterOS supports multiple dynamic routing protocols, including simultaneous use of RIP and OSPF.”
Extract from René Meneses Study Guide – Routing Protocols:
“You can configure both RIP and OSPF to run at the same time on a single router.”
Extract from MikroTik Wiki – Routing Overview:
“RouterOS allows multiple routing protocols to operate concurrently.”
===========
If ARP=reply-only is configured on an interface, this interface will:
accept all MAC-addresses listed in '/ip arp' as static entries
accept IP and MAC address combinations listed in '/ip arp' list
add new MAC addresses in '/ip arp' list
add new IP addresses in '/ip arp' list
accept all IP addresses listed in '/ip arp' as static entries
When ARP is set to reply-only on a MikroTik interface, the router will not respond to any ARP requests unless a matching static entry exists in the /ip arp list. It will also not learn new dynamic entries — only pre-defined static IP-MAC pairs will be accepted and responded to.
Option breakdown:
A. ✘ Incorrect – The router doesn't operate solely based on MAC, but on IP-MAC pairings.
B. ✔ Correct – Only combinations that match entries in /ip arp are accepted.
C. ✘ Incorrect – reply-only mode disables dynamic ARP learning.
D. ✘ Incorrect – Again, no new IPs are dynamically added.
E. ✘ Incorrect – Static ARP is enforced by IP-MAC pairs, not just IP.
Extract from MTCNA Course Material – ARP Modes:
“Reply-only mode will respond to ARP requests only if a matching static ARP entry exists. No dynamic learning occurs.”
Extract from René Meneses Study Guide – ARP Explanation:
“Use ARP=reply-only to force strict IP-MAC pairing. It prevents spoofing but requires all valid pairs to be preconfigured.”
Extract from MikroTik Wiki – ARP Settings:
“reply-only: Only respond to ARP requests if the requester matches a static /ip arp entry. New dynamic entries are not created.”
===========
To use masquerade, you need to specify:
action=accept, out-interface, chain=src-nat
action=masquerade, out-interface, chain=src-nat
action=masquerade, in-interface, chain=src-nat
action=masquerade, out-interface, chain=dst-nat
Masquerading is a form of source NAT (src-nat) where the router dynamically replaces the source address of outgoing packets with the IP address of the router’s outgoing interface. This is commonly used when internal LAN clients access the internet through a single public IP.
Key points for masquerade configuration:
Use chain=src-nat (because it modifies the source address)
Use action=masquerade
Specify the out-interface (i.e., the WAN interface)
MTCNA Course Material – NAT Section:
“To configure masquerading, use chain=src-nat and action=masquerade. Specify out-interface to define the traffic direction.”
René Meneses MTCNA Study Guide – NAT Examples:
“Masquerade automatically uses the IP address of the specified out-interface. Required parameters: chain=src-nat, action=masquerade, out-interface.”
MikroTik Wiki – Source NAT / Masquerade:
“Masquerade is a special form of src-nat. You must use it in chain=src-nat and define the out-interface for which NAT will be applied.”
Option A: Incorrect action=accept (used in filter rules, not NAT)
Option C: in-interface is not applicable here
Option D: chain=dst-nat is used for destination NAT, not source NAT
Only Option B is fully correct.
Final Answer: B
QUESTION NO: 94 [Tools]
In which situations can Netinstall NOT be used to install a RouterBOARD?
A. The router does not have an operating system
B. The router is connected only to a wireless network
C. You do not know the password of the router
D. The router is connected only to a secondary Ethernet port
Answer: B
Netinstall works over a wired Ethernet connection and uses PXE or Etherboot to install RouterOS over the network. It cannot function over wireless, as wireless interfaces do not support PXE booting or Netinstall protocols.
MTCNA Course Material – Netinstall Overview:
“Netinstall requires a direct Ethernet connection between the PC and the router. Wireless interfaces are not supported for Netinstall procedures.”
René Meneses MTCNA Guide – Netinstall:
“Netinstall only works over Ethernet. You cannot Netinstall a device connected only through Wi-Fi.”
MikroTik Wiki – Netinstall Prerequisites:
“Router must be connected via Ethernet. Wireless and USB interfaces are not supported.”
Other options:
A: This is a typical use case (installing RouterOS when OS is missing)
C: Netinstall bypasses password (not needed)
D: Netinstall can work via any Ethernet port, provided it's accessible
Final Answer: B
QUESTION NO: 95 [Monitoring and Logging]
MikroTik RouterOS is sending logs to an external syslog server. Which protocol and port is used by RouterOS for sending logs (by default)?
A. UDP 514
B. UDP 21
C. UDP 113
D. TCP 110
Answer: A
RouterOS uses the industry-standard syslog protocol for remote logging. By default, syslog uses UDP port 514.
MTCNA Course Material – Logging Section:
“For sending logs to a remote syslog server, RouterOS uses the syslog protocol on UDP port 514 by default.”
René Meneses MTCNA Guide – Monitoring & Logging:
“External logging is done using UDP port 514, which is the standard syslog protocol port.”
MikroTik Wiki – Logging Configuration:
“To send logs to a remote server, configure an action of type remote with a remote address and use UDP port 514 unless otherwise changed.”
Other ports:
UDP 21 = FTP (not logging)
UDP 113 = Ident protocol
TCP 110 = POP3
Only UDP 514 is correct.
Final Answer: A
QUESTION NO: 96 [RouterBOARD Hardware]
Can you manually add drivers to RouterOS in case your PCI Ethernet card is not recognized, and you suspect it is a driver issue?
A. Yes
B. No
Answer: B
RouterOS is a closed, embedded Linux-based system. It does not support adding custom drivers or compiling modules manually. You must use supported hardware that is natively compatible with RouterOS.
MTCNA Course Material – RouterBOARD Compatibility:
“RouterOS supports a fixed set of drivers. You cannot install third-party drivers or modules.”
René Meneses MTCNA Guide – Hardware Limitations:
“Custom drivers cannot be added to RouterOS. Use only supported network interface cards as listed by MikroTik.”
MikroTik Wiki – Hardware Support:
“RouterOS does not allow manual driver installation. All drivers are precompiled and built into the system image.”
Therefore, if your PCI Ethernet card is not recognized, you must replace it with a compatible model — you cannot add a driver manually.
TESTED 16 Jun 2025