In RouterOS queue configurations the word “total” usually represents:
download
upload + download
download - upload
upload
In MikroTik queues (especially in simple queues), the "total" limit typically refers to the combined rate of upload and download traffic — i.e., the total bandwidth usage. This is useful when you want to control the full traffic flow for a client or subnet.
A. ✘ Incorrect – Not just download
B. ✔ Correct – Total = Download + Upload combined
C. ✘ Incorrect
D. ✘ Incorrect – Upload alone is not referred to as "total"
Extract from MTCNA Course Material – Simple Queues:
“The total max-limit or total rate represents both upload and download combined.”
Extract from René Meneses MTCNA Study Guide – Queue Types:
“Use total max-limit to limit overall bandwidth. Individual directions can also be configured.”
Extract from MikroTik Wiki – Simple Queue Options:
“total-max-limit defines the sum of incoming and outgoing traffic rates.”
From which of the following locations can you obtain Winbox?
Router’s webpage
Files menu in your router
Via the console cable
mikrotik.com
Winbox is a small, native Windows utility provided by MikroTik for graphical administration of RouterOS devices. It is typically downloaded from MikroTik's official website.
A. Router’s webpage → Incorrect. While the router’s WebFig interface may allow configuration, it does not offer a Winbox download.
B. Files menu → Incorrect. The Files menu is for storing backups or firmware packages, not distributing Winbox.
C. Console cable → Incorrect. Console access is CLI only; no GUI utilities can be transferred through it.
D. mikrotik.com → Correct. The only official and secure location to download Winbox is the MikroTik website.
Extract from Official MTCNA Course Material – RouterOS Introduction:
“Winbox can be downloaded from the official MikroTik website. It provides a GUI frontend for managing RouterOS.”
Extract from René Meneses MTCNA Study Guide – RouterOS Access Methods:
“You can download Winbox from mikrotik.com under the Software Tools section.”
Extract from Terry Combs MTCNA Notes – Access Methods:
“Winbox is a Windows application that must be downloaded from MikroTik’s website. It is not available directly from the router.”
===========
You have a DHCP server on your MikroTik router. The IP addresses 10.1.2.2–10.2.2.20 are distributed in the DHCP network. Additionally, 3 static IP addresses are defined for your servers: 10.1.2.31–10.1.2.33.
After a while, 20 more IP addresses need to be distributed in the network. It is possible to distribute the extra IP addresses without adding another DHCP Server:
True
False
MikroTik RouterOS allows DHCP administrators to modify the DHCP address pool without creating an additional DHCP server. You can simply edit or extend the address pool range, and the DHCP server will start offering those new IPs.
Therefore, it is completely possible to:
Extend the existing address pool
Exclude statically assigned IPs
Continue using the same DHCP Server instance
You do NOT need to create a second DHCP server on the same interface.
MTCNA Course Manual – DHCP Configuration:
“It is possible to expand the address-pool dynamically without adding additional DHCP servers. Just add more IPs to the pool.”
René Meneses Study Guide – DHCP Pools Section:
“You can edit the address pool associated with the DHCP server anytime to include more addresses. No need to create another server.”
Terry Combs Notes – DHCP Tips:
“Keep one DHCP server per subnet. Extend pools via IP > Pool if more IPs are needed.”
Answer: A
QUESTION NO: 25 [Wireless]
In which order are the entries in Access List and Connect List processed?
A. By Signal Strength Range
B. By interface name
C. In sequence order
D. In a random order
Answer: C
MikroTik processes the entries in the Access List and Connect List in a top-down fashion, meaning that the first matching entry is the one applied. This is known as sequence order (from top to bottom).
Each rule is checked in the order it appears in the list, and once a match is found, the rest of the list is ignored for that client.
Incorrect options:
A. Signal strength is only a condition, not a sorting method
B. Interface names are part of rule conditions
D. Not random — rules are processed sequentially
MTCNA Official Training Manual – Wireless Access & Connect List:
“Rules in access-list and connect-list are checked in the order they are listed. Once a match is found, further rules are ignored.”
René Meneses Guide – Wireless Access Rules:
“Access-list is evaluated top-down. Sequence matters.”
Terry Combs MTCNA Notes – Wireless Filtering:
“Be careful with order. The first matching rule is applied — no exceptions.”
Answer: C
QUESTION NO: 26 [Wireless]
During a scan, in order to see all the available wireless frequencies that are supported by the card, the following option must be selected in the wireless card's "Frequency Mode":
A. superchannel
B. regulatory domain
C. manual txpower
Answer: A
In MikroTik RouterOS, enabling the "superchannel" frequency mode allows access to all frequencies supported by the wireless chip, including those that may be outside of country-specific regulatory limits. This mode is typically used in lab testing or in regions where regulations permit.
A. superchannel → ✅ Correct. Enables full frequency range
B. regulatory domain → Restricts visible frequencies to region’s law
C. manual txpower → Controls power output, not frequency scanning
MTCNA Course Material – Wireless Configuration Options:
“To unlock all available wireless frequencies for scanning or connection, enable the 'superchannel' frequency mode.”
René Meneses Study Guide – Wireless Advanced Config:
“Superchannel mode shows all channels supported by the hardware. Use with caution — may violate regulations.”
Terry Combs Notes – Wireless Modes:
“Want to see hidden or extended frequencies? Use superchannel mode. Not legal in every region.”
Answer: A
QUESTION NO: 27 [NAT]
It is required to make a web server on a private LAN visible on the public internet. Only the web server port should be visible to the public. Which of the following configuration steps must be met? (Select all that apply)
A. Public IP address of the web server must be installed on the NAT Router
B. In IP firewall NAT, there should be a dst-nat between the public IP of the router and the private IP of the web server
C. Connection Tracking must be enabled on NAT router
D. A route between the NAT router and the web server must exist
E. LAN address of the web server should be routable on the internet
Answer: B, C, D
To expose a web server behind a MikroTik router to the public, the following steps must be met:
B. dst-nat rule must be created to forward incoming requests (e.g., TCP port 80) to the internal web server IP → ✅ Required
C. Connection Tracking must be enabled, otherwise NAT rules won’t function → ✅ Required
D. A route between the NAT router and the web server must exist (usually a directly connected subnet) → ✅ Required
Incorrect Options:
A. The public IP does not need to be installed on the web server — it remains private → ❌
E. Private LAN IP (like 192.168.x.x) does not need to be routable on the internet → ❌
MTCNA Course Manual – NAT and Port Forwarding Section:
“To expose internal services to the public internet, use dst-nat. Ensure connection tracking is active and the server is reachable through routing.”
René Meneses Guide – NAT Configuration:
“DST-NAT forwards specific ports to internal IPs. Connection tracking is a prerequisite. LAN IPs remain private.”
Terry Combs Notes – Web Server NAT Rules:
“No need to assign public IP to server. Just configure a proper NAT rule and ensure routing exists internally.”
════════════════════════════════════════════
Mark the queue types that are available in RouterOS
SFQ – Stochastic Fairness Queuing
DRR – Deficit Round Robin
FIFO – First In First Out (for Bytes or for Packets)
LIFO – Last In First Out
PCQ – Per Connection Queuing
RED – Random Early Detect (or Drop)
MikroTik RouterOS offers several queuing types under /queue type. These queuing algorithms manage how packets are buffered and sent, affecting fairness, delay, and throughput.
Available queue types in RouterOS:
SFQ (Stochastic Fairness Queuing) ✔
FIFO (First In First Out – for bytes or packets) ✔
PCQ (Per Connection Queuing) ✔
RED (Random Early Detection/Drop) ✔
Unavailable queue types:
DRR ✘ – Not supported by RouterOS
LIFO ✘ – Not supported; not suitable for networking queues
Extract from Official MTCNA Course Material – Queue Types:
"RouterOS supports PCQ, SFQ, RED, FIFO, and more. DRR and LIFO are not implemented."
Extract from René Meneses MTCNA Study Guide – Traffic Management:
“Only PCQ, FIFO, SFQ, RED are listed under /queue type. DRR and LIFO do not appear in the supported list.”
Extract from MikroTik Wiki – Queue Types:
“Supported types include FIFO, PCQ, RED, and SFQ. Each has specific use cases for latency or fairness.”
===========
A client uses a RouterBOARD1000. The clock is configured in '/system clock'. The clock resets to default after each reboot.
Select the best solution for the problem.
Write a script in '/system script' to set the clock
Configure '/system ntp server' and set a valid and reachable NTP client address
Configure '/system ntp client' and set a valid and reachable NTP server address
Open the router and ensure the CMOS battery is fine
RouterBOARD devices (such as RB1000) typically do not have a battery-backed hardware clock (RTC). This means the system time resets after each reboot. To keep time accurate, you must configure the router to synchronize with an external NTP (Network Time Protocol) server.
A. ✘ Inefficient and non-scalable solution.
B. ✘ The /system ntp server is used to act as an NTP server for others — not for receiving time.
C. ✔ Correct – You must enable /system ntp client and point to a reachable NTP server to get the correct time on boot.
D. ✘ Irrelevant – RouterBOARDs do not have CMOS batteries for timekeeping like traditional PCs.
Extract from MTCNA Course Material – Time Synchronization:
“To maintain correct system time, configure NTP client to sync with a public or internal time server after reboot.”
Extract from René Meneses Study Guide – Clock and Scheduler:
“RouterBOARD devices don’t have battery-backed RTC. Use the NTP client to update time after reboot.”
Extract from MikroTik Wiki – NTP Setup:
“Use /system ntp client to sync time. /system clock alone will reset on reboot without NTP.”
===========
Which statements are true regarding ICMP packets?
ICMP guarantees datagram delivery.
ICMP can provide hosts with information about network problems.
ICMP is encapsulated within IP datagrams.
ICMP is encapsulated within UDP datagrams.
1 only
2 and 3
1 and 4
All of the above
ICMP (Internet Control Message Protocol) is used for diagnostics and error reporting in IP networks. It is encapsulated directly within IP datagrams and not over UDP or TCP. It does not guarantee delivery — it merely provides feedback about problems (e.g., host unreachable, time exceeded).
MTCNA Course Material – ICMP and Network Tools:
“ICMP is used for error messages and operational queries such as ping and destination unreachable. It is encapsulated in IP and does not use TCP or UDP.”
René Meneses MTCNA Study Guide – ICMP Section:
“ICMP provides diagnostic information. It is a Layer 3 protocol encapsulated directly in IP. It does not provide guaranteed delivery.”
MikroTik Wiki – ICMP Overview:
“ICMP packets are carried in IP packets and used for control messages. They are not transported using TCP or UDP.”
Breakdown:
Statement 1: False – ICMP does not guarantee delivery
Statement 2: True – provides network problem feedback
Statement 3: True – encapsulated in IP
Statement 4: False – ICMP is not encapsulated in UDP
Correct set: 2 and 3
Final Answer: B
QUESTION NO: 106 [RouterOS Introduction]
Which Layer 4 protocol is used for a Telnet connection?
A. IP
B. TCP
C. TCP/IP
D. UDP
Answer: B
Telnet is a protocol used to access remote devices via command-line over the network. It operates over TCP at Layer 4, using port 23.
MTCNA Course Material – Layer 4 Protocols:
“Telnet uses TCP port 23 for remote shell access. TCP ensures ordered and reliable delivery of commands and responses.”
René Meneses MTCNA Study Guide – TCP/IP Protocols:
“Telnet is an Application Layer protocol using TCP as its transport protocol.”
MikroTik Wiki – Telnet Access:
“Telnet communicates over TCP. It does not use UDP.”
Other options:
A. IP is a Layer 3 protocol
C. TCP/IP is a model, not a single protocol
D. Telnet does not use UDP
Final Answer: B
QUESTION NO: 107 [RouterOS Introduction]
Which of the following are layers in the TCP/IP model?
Application
Session
Transport
Internet
Data Link
Physical
A. 1 and 2
B. 1, 3 and 4
C. 2, 3 and 5
D. 3, 4 and 5
Answer: B
The TCP/IP model has four layers:
Application
Transport
Internet
Network Access (includes Data Link & Physical in OSI terms)
Session is part of the OSI model, not TCP/IP.
MTCNA Course Material – TCP/IP vs OSI Model:
“The TCP/IP model has Application, Transport, Internet, and Network Access layers. Application includes OSI’s Session, Presentation, and Application layers.”
René Meneses MTCNA Guide – Model Comparison:
“The TCP/IP model consists of: Application, Transport, Internet, and Network Access (which covers Data Link and Physical). Session layer is part of OSI.”
So, correct TCP/IP layers from the given list:
Application (✔)
Transport (✔)
Internet (✔)
Session is not part of TCP/IP model.
Final Answer: B
QUESTION NO: 108 [RouterOS Introduction]
Which statements are true regarding ICMP packets?
They acknowledge receipt of a TCP segment.
They guarantee datagram delivery.
They can provide hosts with information about network problems.
They are encapsulated within IP datagrams.
A. 1 only
B. 2 and 3
C. 3 and 4
D. 2, 3 and 4
Answer: C
Reiterating from earlier:
ICMP does not acknowledge TCP segments; that’s TCP’s job.
ICMP does not guarantee delivery; it’s an unreliable protocol.
ICMP does provide diagnostics (e.g., unreachable, TTL exceeded).
ICMP is encapsulated directly in IP, not over TCP/UDP.
MTCNA Course Material – ICMP Behavior:
“ICMP is used for control messages like ping and unreachable. It provides feedback and is encapsulated in IP.”
René Meneses MTCNA Study Guide – ICMP & IP Layer:
“ICMP is a Layer 3 protocol, not used to acknowledge TCP, and is wrapped in IP datagrams.”
Correct:
Statement 3: True
Statement 4: True
What is the address range of a Class B network address in binary?
01xxxxxx
0xxxxxxx
10xxxxxx
110xxxxx
IPv4 Class B addresses have their first two bits as 10 in binary. The range for Class B starts at 128.0.0.0 and goes up to 191.255.255.255, which in binary representation begins with 10xxxxxx.
MTCNA Course Material – IP Addressing and Classes:
“Class B IP addresses are identified by the first two bits being 10. This corresponds to IP addresses from 128.0.0.0 to 191.255.255.255.”
René Meneses MTCNA Study Guide – Address Classes:
“Class B: 128.0.0.0 – 191.255.255.255. Binary pattern: 10xxxxxx.”
Terry Combs MTCNA Notes – IP Addressing:
“The first octet of a Class B address starts with binary 10, followed by 6 variable bits.”
Other options:
A. 01xxxxxx: incorrect (used for experimental/reserved ranges)
B. 0xxxxxxx: represents Class A
D. 110xxxxx: indicates Class C
Final Answer: C
QUESTION NO: 102 [RouterOS Introduction – Protocols]
Which of the following protocols uses both TCP and UDP?
A. FTP
B. SMTP
C. Telnet
D. DNS
Answer: D
DNS (Domain Name System) can use both UDP and TCP. Typically:
UDP port 53 is used for standard DNS queries due to its lower overhead.
TCP port 53 is used for DNS zone transfers and when DNS responses exceed the UDP packet size (e.g., DNSSEC).
MTCNA Course Material – Protocol Overview:
“DNS uses UDP port 53 for standard queries and TCP port 53 for zone transfers or large responses.”
René Meneses MTCNA Study Guide – Protocol Functions:
“DNS can operate over UDP and TCP. UDP is faster and used for most lookups. TCP is used when the payload is too large or for zone transfers.”
MikroTik Wiki – DNS Protocols:
“DNS primarily uses UDP 53. For zone transfers (AXFR), TCP 53 is used.”
Other options:
A. FTP uses TCP (ports 20/21)
B. SMTP uses TCP (port 25)
C. Telnet uses TCP (port 23)
Only DNS uses both TCP and UDP.
Final Answer: D
QUESTION NO: 103 [RouterOS Introduction – IP Fundamentals]
What protocol is used to find the hardware address of a local device?
A. RARP
B. ARP
C. IP
D. ICMP
Answer: B
ARP (Address Resolution Protocol) is used to resolve IP addresses to MAC (hardware) addresses on a local network.
MTCNA Course Material – ARP & Layer 2 Communication:
“ARP translates an IP address to a MAC address on local networks. It is necessary for IP communication within a broadcast domain.”
René Meneses MTCNA Study Guide – ARP Explanation:
“When sending to a local IP, the host first uses ARP to determine the hardware address. This is done through broadcast ARP requests.”
MikroTik Wiki – ARP Functionality:
“RouterOS uses ARP to associate IP addresses with hardware (MAC) addresses in the LAN.”
Other options:
A. RARP is Reverse ARP, outdated and rarely used.
C. IP is the higher-layer addressing protocol.
D. ICMP is used for ping and diagnostics.
Only ARP (Option B) is correct.
Final Answer: B
QUESTION NO: 104 [RouterOS Introduction]
Which of the following are TCP/IP protocols used at the Application layer of the OSI model?
IP
TCP
Telnet
FTP
TFTP
A. 1 and 3
B. 1, 3 and 5
C. 3, 4 and 5
D. All of the above
Answer: C
In the OSI model:
Application layer protocols include Telnet, FTP, and TFTP.
IP is a Network Layer (Layer 3) protocol.
TCP is a Transport Layer (Layer 4) protocol.
MTCNA Course Material – OSI Model and Protocols:
“Application layer protocols provide services to user applications. Examples include FTP, TFTP, Telnet. TCP and IP operate at lower layers.”
René Meneses MTCNA Study Guide – TCP/IP Stack:
“Telnet, FTP, and TFTP are Application layer protocols. IP belongs to Layer 3. TCP is at Layer 4.”
Terry Combs MTCNA Notes – OSI Reference Model:
“Layer 7 (Application): FTP, HTTP, Telnet, TFTP.
Layer 4: TCP, UDP
Layer 3: IP”
Only Options 3 (Telnet), 4 (FTP), and 5 (TFTP) are Application layer protocols.
────────────────────────────────────────────────────────────
It is possible to create a configuration where VLAN and PPTP interfaces are bridged together.
TRUE
FALSE
RouterOS allows different types of interfaces, including VLANs and PPP-based interfaces (like PPTP), to be added to a bridge. This creates a Layer 2 network between them, enabling transparent communication.
A. ✔ TRUE – Supported and commonly used in tunneling + VLAN transport.
B. ✘ FALSE – Incorrect.
Extract from MTCNA Course Material – Bridging Concepts:
“Bridging can include Ethernet, VLAN, wireless, and virtual interfaces such as PPTP and EOIP.”
Extract from MikroTik Wiki – Bridge Interface:
“Any Layer 2-capable interface (including VLANs, PPP tunnels, and Ethernet) can be included in a bridge.”
Extract from René Meneses Study Guide – Bridging and VLANs:
“It is possible to bridge VLAN interfaces with VPN interfaces for advanced Layer 2 tunneling scenarios.”
===========
If 'check-gateway' is enabled for an ECMP route and one of the gateways is unreachable, then:
ECMP is going to send packets to all gateways even if one is unreachable
The unreachable gateway is not going to be used in Round Robin algorithm
The ECMP route becomes inactive
When multiple gateways are used in an ECMP (Equal Cost Multi-Path) configuration, the check-gateway option ensures that RouterOS will actively monitor the health of each gateway using ping (or ARP). If a gateway becomes unreachable, RouterOS temporarily removes it from the active ECMP gateway list.
A. ✘ Incorrect – Unreachable gateways are excluded from packet forwarding.
B. ✔ Correct – Only reachable gateways are used in the ECMP round robin logic.
C. ✘ Incorrect – The entire ECMP route remains active; only the failed gateway is excluded.
Extract from MTCNA Course Material – ECMP Routing:
“With check-gateway enabled, RouterOS will exclude unreachable gateways from ECMP rotation.”
Extract from MikroTik Wiki – Check-Gateway Option:
“When a gateway is unreachable, it is skipped in ECMP logic until it becomes reachable again.”
Extract from René Meneses Study Guide – ECMP and Gateway Monitoring:
“Check-gateway helps prevent blackholing by skipping dead gateways. The route remains active.”
==================================
Where is a hub specified in the OSI model?
Session layer
Physical layer
Data Link layer
Application layer
A hub is a simple Layer 1 (Physical Layer) device that does not understand MAC addresses or IP addresses. It simply repeats electrical signals to all connected ports without inspection or filtering.
MTCNA Course Material – OSI Layer Device Roles:
“Hubs operate at the Physical Layer. They do not process frames or packets and function purely as repeaters.”
René Meneses MTCNA Study Guide – OSI Devices:
“Hubs are Layer 1 devices. They send bits — not frames — and have no concept of MAC addresses.”
Other options:
A: Session layer is Layer 5, handles sessions between applications
C: Switches/bridges operate at the Data Link layer (Layer 2)
D: Application layer (Layer 7) is for user-level software like HTTP, FTP, etc.
Final Answer: B
QUESTION NO: 138 [Cisco IOS – Access List Verification]
Which command is used to determine if an IP access list is enabled on a particular interface?
A. show access-lists
B. show interface
C. show ip interface
D. show interface access-lists
Answer: C
The command show ip interface displays the status of IP-level interface parameters, including whether an access list (ACL) is applied inbound or outbound.
Cisco IOS Command Reference – Interface ACL Check:
“Use show ip interface to verify whether an access list is applied to the interface and in which direction (in or out).”
René Meneses MTCNA Study Guide – Cisco Access List Monitoring:
“To verify ACL assignment to an interface, use show ip interface. It provides ACL status along with IP addressing info.”
Breakdown:
A: show access-lists → shows ACL contents, not interface bindings
B: show interface → shows interface stats, not ACL usage
D: Invalid syntax in Cisco IOS
Final Answer: C
QUESTION NO: 139 [RouterOS Introduction – Transport Protocols]
Which protocol does DHCP use at the Transport layer?
A. IP
B. TCP
C. UDP
D. ARP
Answer: C
DHCP (Dynamic Host Configuration Protocol) operates over UDP:
Client uses UDP port 68
Server uses UDP port 67
It is a connectionless protocol, and because clients typically do not yet have IP addresses, UDP is used due to its simplicity.
MTCNA Course Material – DHCP Protocol Layering:
“DHCP uses UDP for communication between clients and servers. TCP is not used due to the stateless, broadcast nature of DHCP discovery.”
René Meneses MTCNA Study Guide – Port Assignments:
“UDP 67/68 are used by DHCP. TCP is not used because clients lack IPs initially.”
Other options:
A: IP is the network layer, not transport
B: TCP is used by reliable services (FTP, HTTP)
D: ARP resolves IP-to-MAC; unrelated to DHCP transport
Final Answer: C
QUESTION NO: 140 [Cisco IOS – Remote Access Configuration]
Which of the following commands will allow you to set your Telnet password on a Cisco router?
A. line telnet 0 4
B. line aux 0 4
C. line vty 0 4
D. line con 0
Answer: C
The correct line configuration for remote Telnet (or SSH) access in Cisco IOS is via the virtual terminal (vty) lines. Typically, Cisco routers reserve 5 lines: vty 0 4. You then apply the password and login commands under this context.
Cisco IOS Configuration Guide – Telnet/VTY Setup:
“Use line vty 0 4 to configure access for Telnet sessions. Then use password and login to enforce authentication.”
René Meneses MTCNA Study Guide – Cisco Access Configuration:
“VTY lines (virtual terminal) handle Telnet and SSH sessions. Console and aux lines are for local access.”
Other options:
A: line telnet is not a valid command
B: line aux → used for modem or auxiliary port access
D: line con 0 → used for console (local) access, not remote
────────────────────────────────────────────────────────────
Consider the following diagram. We want to communicate from a device on LAN1 (192.168.0.0/24) to a device on LAN2 (192.168.1.0/24). Assuming that all necessary configurations are already included on R2, which of the following configurations in R1 would enable this communication?
/ip route add dst-address=192.168.1.0/24 src-address=192.168.0.0/24 gateway=192.168.99.2
/ip route add dst-address=0.0.0.0/0 gateway=Ether1
/ip route add dst-address=192.168.0.0/24 gateway=192.168.0.1
/ip route add dst-address=192.168.1.0/24 gateway=192.168.99.2
/ip route add dst-address=0.0.0.0/0 gateway=192.168.99.2
To route traffic from LAN1 (192.168.0.0/24) behind R1 to LAN2 (192.168.1.0/24) behind R2, R1 must know how to reach the destination network 192.168.1.0/24. The proper way is to add a static route on R1 pointing to the next hop IP address of R2’s interface (192.168.99.2) connected via their shared transit network (192.168.99.0/24).
According to:
René Meneses MTCNA Study Guide – Routing Section:
“A static route requires the destination prefix and the gateway (next-hop) IP address. The gateway should be reachable through a directly connected network interface.”
Terry Combs MTCNA Notes – Static Routing Example:
“To route packets to a remote network, configure a static route specifying the destination network (e.g., 192.168.50.0/24) and the gateway IP (e.g., 10.0.0.2). Ensure that the gateway is reachable via a locally connected interface.”
MikroTik Wiki – Static Routing:
“The most common usage of static routes is to forward packets for destination networks that are not directly connected. You must use the IP address of a reachable next-hop router.”
Option A incorrectly includes src-address, which is not part of a standard /ip route syntax.
Option B uses “Ether1” as a gateway, which is syntactically invalid unless using recursive routing, which this situation does not require.
Option C adds a route back to the local network — unnecessary and incorrect.
Option E routes all traffic to R2, which is inefficient and not specific.
Thus, only Option D adds the correct static route:
/ip route add dst-address=192.168.1.0/24 gateway=192.168.99.2
Final Answer: D
QUESTION NO: 83 [Bridging]
For a Simple Queue to apply bandwidth restrictions on a bridged interface, the following must be done:
A. Configure an IP address on the bridge interface
B. Use mangle to mark the connections
C. Associate the Simple Queue to the bridge interface
D. Enable 'Use IP Firewall' in bridge settings
Answer: D
By default, RouterOS does not pass traffic on a bridge interface through the firewall or queue system. If you want to apply queueing (Simple Queues or other policies) on a bridge interface, you must enable the bridge to use the IP Firewall.
MTCNA Official Course Material – Bridging & IP Firewall Integration:
“If you want to apply queues or firewall rules to traffic flowing through a bridge, you must enable ‘use-ip-firewall’ under the bridge settings.”
René Meneses MTCNA Guide – Bridge Queuing Section:
“Simple Queues do not affect bridged traffic unless you activate the ‘Use IP Firewall’ setting in bridge configuration. This pushes the packets through the normal firewall and queueing engine.”
MikroTik Wiki – Bridge Settings:
“If use-ip-firewall is enabled, then all bridged traffic is also processed by firewall and queues.”
Options A and C are incorrect because assigning an IP or linking the queue alone does not enforce restrictions at Layer 2.
Option B refers to advanced queueing with mangle + Queue Trees, not Simple Queues.
Final Answer: D
QUESTION NO: 84 [QoS (Simple Queues)]
In RouterOS queue configurations the word "total" usually represents:
A. download - upload
B. upload
C. upload + download
D. download
Answer: C
In Simple Queues, MikroTik uses the term “total” to refer to the sum of the incoming and outgoing traffic for a particular target. This includes both upload (TX) and download (RX) traffic.
MTCNA Course Material – Queues Overview:
“Total limit represents the combined limit of upload and download traffic. If both target-upload and target-download are defined, total-limit should be equal or higher.”
René Meneses MTCNA Study Guide – Queues Chapter:
“In Simple Queues, ‘max-limit’ and ‘limit-at’ can be set individually for upload and download, or together as ‘total’ which combines both directions.”
Terry Combs Notes – Queue Definitions:
“Total in RouterOS queues means sum of upload and download. Always consider total bandwidth used in both directions when using ‘total-limit’.”
Therefore, the correct and verified answer is C: upload + download.
The correct order for PPPoE discovery stage is:
Initialization, Session confirmation, Request and Offer
Initialization, Offer, Request and Session confirmation
Request, Initialization, Session confirmation and Offer
Request, Offer, Initialization and Session confirmation
PPPoE (Point-to-Point Protocol over Ethernet) uses a discovery stage before establishing the actual PPP session. The correct sequence is:
Initialization → Client sends a PADI (PPPoE Active Discovery Initiation)
Offer → Server responds with PADO (PPPoE Active Discovery Offer)
Request → Client sends PADR (PPPoE Active Discovery Request)
Session Confirmation → Server sends PADS (PPPoE Active Discovery Session-confirmation)
A. ✘ Wrong sequence
B. ✔ Correct – Matches the technical flow: PADI → PADO → PADR → PADS
C. ✘ Incorrect order
D. ✘ Incorrect order
Extract from MTCNA Course Material – PPPoE Process:
“The PPPoE discovery stage includes PADI, PADO, PADR, and PADS messages. This translates to Initialization, Offer, Request, Session confirmation.”
Extract from MikroTik Wiki – PPPoE Protocol:
“The discovery stage is used to establish a PPPoE session and includes four steps: PADI, PADO, PADR, and PADS.”
===========
Destination NAT (chain dstnat, action dst-nat) can be used to:
Change destination port
Direct users from the Internet to a server within your local network
Change source port
Hide your local network from the Internet
Destination NAT (dst-nat) is used to redirect packets arriving at the router to a different internal destination. It is most commonly used to allow public access to internal services such as web servers or mail servers.
You can:
Change the destination IP address (redirect to an internal host)
Change the destination port (e.g., port 8080 to port 80)
But:
C. Changing the source port is a function of src-nat, not dst-nat → ❌
D. Hiding the local network from the Internet is done via masquerade or src-nat → ❌
MTCNA Course Manual – NAT Section:
“Use dst-nat to forward traffic to a private host. Port translation can also be applied (e.g., from 81 to 80).”
René Meneses Study Guide – NAT Configuration:
“dst-nat changes the destination IP/port of packets arriving on a specific interface. Common use case: access to LAN services from WAN.”
Terry Combs Notes – NAT Rule Summary:
“dst-nat = port forwarding. src-nat/masquerade = hide internal addresses.”
Answer: A, B
QUESTION NO: 48 [RouterOS Introduction]
Which is the default port of IP-Winbox?
A. UDP 8291
B. TCP 80
C. TCP 8291
D. TCP 8192
Answer: C
Winbox is MikroTik’s GUI-based configuration tool. It communicates with RouterOS over TCP port 8291 by default. This port is used for both IP-based Winbox connections and MAC-based sessions (in combination with layer-2 discovery protocol).
Evaluation:
A. UDP 8291 → ❌ Wrong protocol
B. TCP 80 → ❌ Used for HTTP (WebFig)
C. TCP 8291 → ✅ Correct default Winbox port
D. TCP 8192 → ❌ Invalid / non-standard
MTCNA Course Manual – RouterOS Management Tools:
“Winbox uses TCP port 8291 by default. It is possible to change this port in the /ip service settings.”
René Meneses MTCNA Guide – Winbox Access:
“Default access via TCP 8291. Check firewall filters to ensure it’s not blocked.”
Terry Combs Notes – Remote Management:
“Winbox = TCP/8291. WebFig = TCP/80 or 443.”
Answer: C
QUESTION NO: 49 [PPP]
It is possible to create an encrypted PPPoE tunnel in RouterOS:
A. true
B. false
Answer: B
PPPoE (Point-to-Point Protocol over Ethernet) does not include encryption by default. It can authenticate users using PAP or CHAP, but the data payload is transmitted in cleartext unless another secure tunneling protocol (e.g., IPSec) is layered on top.
MikroTik supports encryption in other tunneling protocols, such as:
SSTP (uses SSL)
L2TP with IPSec
OpenVPN (SSL-based)
IPsec itself (for IP layer encryption)
MTCNA Tunneling Chapter – PPP Protocol Features:
“PPPoE offers authentication, compression, but no native encryption. Use IPSec if encryption is needed.”
René Meneses Guide – Tunnel Comparison Table:
“PPPoE is not encrypted. SSTP and L2TP/IPSec are alternatives when encryption is a requirement.”
Terry Combs Notes – PPP Family Summary:
“PPPoE: Authentication = Yes, Encryption = No. Use with caution over untrusted networks.”
Answer: B
QUESTION NO: 50 [Wireless]
Why is it useful to set a Radio Name on the radio interface?
A. To identify a station in a list of connected clients
B. To identify a station in Neighbor discovery
C. To identify a station in the Access List
Answer: A
The Radio Name is a human-readable identifier assigned to a wireless interface. It becomes visible in the Registration Table (i.e., the list of connected clients) on an access point. It helps network administrators distinguish between multiple connected devices.
Evaluation:
A.✅Correct — Radio Name is shown in the Registration Table (list of connected clients)
B.❌Neighbor discovery uses MAC and device identity, not radio name
C.❌Access List uses MAC addresses, not radio name, for matching
MTCNA Wireless Module – Interface Settings:
“Radio Name is shown in the registration table on the AP. It helps in client identification.”
René Meneses Guide – Wireless Monitoring:
“The AP uses the client’s Radio Name to label them in the list of associated stations.”
Terry Combs Notes – Best Practice:
“Set radio-name so you can easily tell which device is which in the registration list.”
Answer: A
Which firewall chain would be used to block a client's MSN traffic on a router?
static
forward
output
input
To block a client’s application traffic (like MSN Messenger) that is passing through the router (from LAN to WAN or vice versa), the forward chain must be used. This chain processes packets that are routed through the router.
Evaluation:
A. static →❌Not a valid firewall chain.
B.✅forward → Correct – used to filter traffic that passes through the router.
C.❌output → Filters traffic originating from the router itself.
D.❌input → Filters traffic destined for the router itself.
MTCNA Firewall Section – Chain Descriptions:
“forward – Used for filtering transit traffic (client to internet or internet to client).”
René Meneses Guide – Firewall Chains:
“To block client application traffic, use the forward chain. Input/output are for local router access.”
Terry Combs Notes – Chain Matching:
“forward = traffic passing through router, like client web or chat traffic.”
Answer: B
QUESTION NO: 71 [Routing]
There are two routes in the routing table:
0 dst-addr=10.1.1.0/24 gateway=5.5.5.5
1 dst-addr=10.1.1.4/30 gateway=5.6.6.6
Which gateway will be used to get to the IP address 10.1.1.6?
A. both – half of the traffic will be routed through one gateway, half through the other
B. 5.5.5.5
C. the required route is not in the routing table
D. 5.6.6.6
Answer: D
Routing decisions are made based on the longest prefix match (most specific route).
10.1.1.6 falls within:
→ 10.1.1.0/24 → range: 10.1.1.0 – 10.1.1.255 (prefix length: 24)
→ 10.1.1.4/30 → range: 10.1.1.4 – 10.1.1.7 (prefix length: 30)
Because /30 is more specific than /24, it will be selected for routing the packet.
MTCNA Routing Module – Prefix Length Decision:
“Router chooses the route with the longest subnet mask (most specific match).”
René Meneses Study Guide – Longest Match Principle:
“10.1.1.6 falls within 10.1.1.4/30 → use gateway 5.6.6.6.”
Terry Combs Notes – Routing Table Resolution:
“Always check if multiple routes match. Use the one with the longest prefix.”
Answer: D
QUESTION NO: 72 [Wireless Security]
In order to use dynamic keys in your wireless security profile for an AP, you MUST set up the DHCP server to provide the dynamic keys.
A. true
B. false
Answer: B
MikroTik RouterOS supports dynamic key exchange for wireless networks using WPA/WPA2 (with PSK or EAP). These dynamic keys are not provided by the DHCP server but are instead part of the wireless security profile configured under /interface wireless security-profiles.
DHCP only assigns IP addresses and other network configuration parameters — it does not provide encryption keys.
MTCNA Wireless Security Module – WPA/WPA2 Explained:
“Dynamic keys are negotiated during the WPA/WPA2 authentication process, not via DHCP.”
René Meneses Guide – Wireless Authentication:
“Security profiles define pre-shared or dynamic key exchange (WPA-EAP). DHCP is unrelated.”
Terry Combs Notes – Misconceptions in Wireless Setup:
“DHCP and wireless encryption are separate layers. Keys are not assigned through DHCP.”
Answer: B
QUESTION NO: 73 [Firewall / Security]
Which firewall chain should you use to filter SSH access to the router itself?
A. output
B. input
C. prerouting
D. forward
Answer: B
SSH access to the router targets the router itself. Therefore, any packets destined for the router (for example, to TCP port 22) are evaluated in the input chain of the firewall.
Evaluation:
A. output →❌For packets originating from the router, not to it.
B.✅input → Correct – handles traffic destined for the router (like SSH, Winbox, etc.)
C.❌prerouting → Used for NAT and mangle operations, not filtering
D.❌forward → Used for traffic routed through the router (not for router itself)
MTCNA Firewall Section – Chain Functions:
“SSH access to the router is incoming traffic. Use input chain to filter or allow it.”
René Meneses Guide – Access Protection:
“input chain is responsible for traffic to the router’s IP – block/allow SSH, Winbox, etc.”
Terry Combs Notes – Firewall Management:
“Always use input chain for filtering incoming management protocols like SSH.”
Action=redirect applies to
Firewall Filter rules
DST-NAT rules
Route rules
SRC-NAT rules
The redirect action is a specialized type of destination NAT (dst-nat) used to force traffic to a local port on the router (typically for transparent proxies or redirection to hotspot portals). This action is only valid in DST-NAT rules and does not apply to firewall filters, routing rules, or source NAT.
Option breakdown:
A.✘Firewall Filter – These rules allow, drop, or reject traffic, not perform redirection.
B.✔DST-NAT – Redirect is a valid dst-nat action and is processed in the prerouting chain.
C.✘Route – Routing rules do not include NAT actions.
D.✘SRC-NAT – Used for source address translation, not redirection.
Extract from Official MTCNA Course Material – NAT Table & Actions:
“Redirect is an action under dst-nat. It rewrites destination address to the router itself, used for web proxy or hotspot.”
Extract from René Meneses MTCNA Study Guide – NAT Types:
“Use action=redirect in dst-nat rules to direct traffic to local services like proxy or DNS.”
Extract from MikroTik Wiki – NAT Rule Actions:
“redirect: redirects packet to local router port. Can only be used in dst-nat chain.”
===========
It is impossible to disable user “admin” at the menu “/user”
True
False
In MikroTik RouterOS, the default user “admin” is a special system account. While it can be renamed or assigned a new password, it cannot be disabled or removed from the /user menu. This account is always present and has full administrative rights unless manually restricted via group policy or firewall rules.
A.✔True – You cannot disable or delete the “admin” user account.
B.✘False – Disabling is not possible via normal means in /user.
Extract from Official MTCNA Course Material – User Management Section:
"The default user 'admin' cannot be deleted or disabled. You may rename it or assign a strong password."
Extract from René Meneses MTCNA Study Guide – Users and Access Control:
“The admin account is permanent. For security reasons, change its name or use a different account and firewall access.”
Extract from Terry Combs Notes – User Management:
“Admin is system-protected. You can change the username, but it cannot be disabled or removed.”
===========
Bridging loops can be avoided by enabling:
RSTP protocol
STP protocol
Connection tracking
UDP filter
ICMP filter
Bridging loops occur when there are multiple active paths between switches or bridge interfaces, causing broadcast storms or MAC table instability. MikroTik RouterOS supports both STP (Spanning Tree Protocol) and RSTP (Rapid Spanning Tree Protocol) to detect and block redundant paths.
A.✔RSTP – Faster and preferred protocol to prevent loops.
B.✔STP – The original protocol, slower convergence but still effective.
C.✘Connection tracking – Not related to Layer 2 loop prevention.
D.✘UDP filter – Filters specific traffic types, doesn’t handle loops.
E.✘ICMP filter – Not relevant to Layer 2 loop protection.
Extract from Official MTCNA Course Material – Bridging and STP:
“STP or RSTP must be enabled to prevent bridging loops. RSTP is the recommended version due to faster convergence.”
Extract from René Meneses MTCNA Study Guide – Bridging:
“Always enable STP or RSTP when using bridges with multiple paths to prevent Layer 2 loops.”
Extract from MikroTik Wiki – STP / RSTP:
“STP and RSTP are loop prevention mechanisms for bridges. They dynamically block redundant links.”
===========
What protocol does PPP use to identify the Network layer protocol?
NCP
ISDN
HDLC
LCP
PPP (Point-to-Point Protocol) uses a modular architecture consisting of two main components:
LCP (Link Control Protocol): Establishes, configures, and tests the data-link connection
NCP (Network Control Protocol): Identifies and configures protocols at the Network Layer (e.g., IP, IPX)
NCP allows multiple protocols to be used over the same PPP link by negotiating and identifying the type of Layer 3 protocol.
MTCNA Course Material – PPP Components:
“NCP handles Layer 3 protocol negotiation and support. For example, IPCP (IP Control Protocol) is a type of NCP used for IP.”
René Meneses MTCNA Study Guide – PPP Protocol Stack:
“PPP uses NCP to identify and configure multiple Layer 3 protocols such as IP, IPX, AppleTalk.”
Other options:
B: ISDN is a WAN access technology, not part of PPP stack
C: HDLC is a data-link layer protocol, not used for identifying Layer 3
D: LCP configures link parameters, not network layer protocols
Final Answer: A
QUESTION NO: 142 [Cisco IOS – IOS Backup Procedure]
To back up an IOS, what command will you use?
A. backup IOS disk
B. copy ios tftp
C. copy tftp flash
D. copy flash tftp
Answer: D
To back up the Cisco IOS image from the router’s flash memory to an external TFTP server, the correct command is:
copy flash tftp
This command initiates a transfer from flash memory to a TFTP server and is the standard procedure for backing up IOS images.
Cisco IOS Configuration Guide – Image Backup:
“To back up your IOS image, use the command copy flash tftp and follow the prompts for file name and TFTP server IP.”
René Meneses MTCNA Study Guide – IOS Management:
“copy flash tftp is the correct syntax to save a router’s current IOS to a TFTP server.”
Other options:
A: Invalid syntax
B: Invalid command (copy ios does not exist)
C: copy tftp flash is for installing, not backing up
Final Answer: D
QUESTION NO: 143 [IP Addressing – Subnet Calculation]
Which of the following is the valid host range for the subnet on which the IP address 192.168.168.188 255.255.255.192 resides?
A. 192.168.168.129–190
B. 192.168.168.129–191
C. 192.168.168.128–190
D. 192.168.168.128–192
Answer: B
IP address: 192.168.168.188
Subnet mask: 255.255.255.192 → /26 → Block size = 64
Subnets:
192.168.168.0/26 → 192.168.168.0 – 63
192.168.168.64/26 → 192.168.168.64 – 127
192.168.168.128/26 → 192.168.168.128 – 191 ← Contains 192.168.168.188
192.168.168.192/26 → 192.168.168.192 – 255
Valid host range = 192.168.168.129 – 190
(Broadcast = 191, Network address = 128)
MTCNA Course Material – Subnetting Practice:
“To find valid hosts, exclude the subnet and broadcast address. In /26, each block is 64 addresses.”
René Meneses MTCNA Study Guide – IP Addressing:
“For /26 subnetting, calculate block size as 2^(32–26) = 64. Subnet starts at multiples of 64.”
Final Answer: B
QUESTION NO: 144 [Wireless – IEEE 802.11 Standards]
Which WLAN IEEE specification allows up to 54 Mbps at 2.4 GHz?
A. A
B. B
C. G
D. N
Answer: C
802.11g operates in the 2.4 GHz band and supports data rates up to 54 Mbps. It is backward-compatible with 802.11b and was a significant improvement in speed while maintaining wide compatibility.
MTCNA Course Material – Wireless Standards:
“802.11g operates at 2.4 GHz and supports up to 54 Mbps. It is widely used in legacy devices.”
René Meneses MTCNA Study Guide – WLAN Specifications:
“802.11g = 2.4 GHz, 54 Mbps.
802.11a = 5 GHz, 54 Mbps
802.11b = 2.4 GHz, 11 Mbps
802.11n = 2.4/5 GHz, up to 600 Mbps (MIMO)”
Option Breakdown:
A: 802.11a = 54 Mbps at 5 GHz
B: 802.11b = 11 Mbps at 2.4 GHz
C: 802.11g =✔54 Mbps at 2.4 GHz
D: 802.11n = supports 2.4/5 GHz, speeds up to 600 Mbps (depending on MIMO)
────────────────────────────────────────────────────────────
Which of the following is the decimal and hexadecimal equivalents of the binary number 10011101?
155, 0x9B
157, 0x9D
159, 0x9F
185, 0xB9
Binary to Decimal:
10011101
= 1×2^7 + 0×2^6 + 0×2^5 + 1×2^4 + 1×2^3 + 1×2^2 + 0×2^1 + 1×2^0
= 128 + 0 + 0 + 16 + 8 + 4 + 0 + 1
= 157
Decimal to Hexadecimal:
157 ÷ 16 = 9 remainder 13 → 13 = D
So, 157 = 0x9D
MTCNA Course Material – Binary and Hex Conversion:
“Convert binary to decimal by summing powers of 2. Then convert decimal to hexadecimal by dividing by 16.”
René Meneses MTCNA Study Guide – Number Systems:
“For binary 10011101, the decimal is 157, and hex is 9D.”
Only Option B is correct: 157, 0x9D.
Final Answer: B
QUESTION NO: 110 [RouterOS Introduction]
If you use either Telnet or FTP, which is the highest layer you are using to transmit data?
A. Application
B. Presentation
C. Session
D. Transport
Answer: A
Protocols like Telnet and FTP are considered Application Layer protocols in the OSI model. They operate at Layer 7, providing interfaces for user-level interaction and command control.
MTCNA Course Material – TCP/IP vs OSI Model:
“Telnet, FTP, HTTP are Application Layer protocols. They operate at the top of the OSI stack (Layer 7).”
René Meneses MTCNA Study Guide – Protocol Layers:
“Telnet and FTP reside at the Application Layer. They initiate data exchange between hosts.”
Presentation and Session layers are not separately used in the TCP/IP model and are merged into the Application Layer.
Transport (Layer 4) is used by these protocols (via TCP), but the protocol itself resides at the Application Layer.
Final Answer: A
QUESTION NO: 111 [RouterOS Introduction – IP Addressing]
Which class of IP address provides a maximum of only 254 host addresses per network ID?
A. Class A
B. Class B
C. Class C
D. Class D
Answer: C
Class C networks are defined as IP addresses with the first octet in the range of 192 to 223. Their default subnet mask is 255.255.255.0 (/24), which provides:
2^8 = 256 total addresses
Minus 2 (1 for network address, 1 for broadcast)
→ 254 usable host addresses
MTCNA Course Material – IP Address Classes:
“Class C has a default mask of /24. This allows for 254 hosts per network.”
René Meneses MTCNA Study Guide – IP Classes:
“Class C = 192.0.0.0 to 223.255.255.255, 254 usable hosts per subnet.”
Other classes:
Class A: ~16 million hosts
Class B: ~65,000 hosts
Class D: used for multicast (not host assignment)
Final Answer: C
QUESTION NO: 112 [RouterOS Introduction – Protocols]
Which of the following services use UDP?
DHCP
SMTP
SNMP
FTP
HTTP
TFTP
A. 1, 3 and 6
B. 2 and 4
C. 1, 2 and 4
D. All of the above
Answer: A
UDP is a connectionless protocol used by several lightweight or stateless network services. Among the listed services:
DHCP: Uses UDP (Ports 67 and 68)
SNMP: Uses UDP (Ports 161/162)
TFTP: Uses UDP (Port 69)
Other protocols:
SMTP: Uses TCP (Port 25)
FTP: Uses TCP (Ports 20 and 21)
HTTP: Uses TCP (Port 80)
MTCNA Course Material – Protocols and Ports:
“UDP is used for DHCP, SNMP, TFTP. TCP is used for SMTP, FTP, HTTP.”
René Meneses MTCNA Study Guide – Port Assignments:
“TCP: FTP, SMTP, HTTP. UDP: DHCP, SNMP, TFTP.”
Only 1, 3, and 6 use UDP.
MAC layer by OSI model is also known as
Layer 2
Layer 1
Layer 6
Layer 7
Layer 3
/interface wireless access-list is used for:
Handles a list of Client's MAC Address to permit/deny connection to AP
Shows a list of Client's MAC Address that are already registered at AP
Contains the security profiles settings
Authenticate Hot-Spot users
The /interface wireless access-list in MikroTik is used to define a set of rules that permit or deny wireless clients based on their MAC addresses and signal strength.
This list applies only to clients trying to connect to the router’s wireless interface when it is configured as an Access Point.
Let’s break down the options:
A.✅Correct – Used to allow or deny client MAC addresses and apply settings like rate limits, VLANs, etc.
B.❌That’s the role of the registration table.
C.❌Security profiles are configured separately under /interface wireless security-profiles.
D.❌Hotspot authentication is handled via /ip hotspot, not wireless access lists.
MTCNA Wireless Module – MAC Access Control:
“Access-list matches incoming clients by MAC. You can allow, deny, and apply custom settings.”
René Meneses Study Guide – Wireless Security:
“Access-list is used to explicitly permit or block clients based on their MAC address.”
Terry Combs Notes – Wireless Filtering:
“Think of access-list like a whitelist/blacklist for Wi-Fi clients.”
Answer: A
QUESTION NO: 65 [Firewall]
One host on an internal network is accessing an external web page through a MikroTik router that is doing source NAT. Select the correct statement about the packets that flow from that web page to the host:
A. Packets go through the input chain
B. Packets go through the forward chain
C. Packets go through the output chain
D. Packets go through the input chain before the routing decision and after that through output chain
Answer: B
When a host on a LAN accesses a website on the internet via a MikroTik router that’s performing source NAT (e.g., masquerade), the traffic path is as follows:
From LAN host to internet → forward chain → NAT (src-nat)
From internet back to LAN host → forward chain again → connection-tracked → src-nat reversed
Since the router is only routing the packets and is not the originator or final destination, the packet passes through the forward chain.
Clarifying the options:
A.❌input chain is for packets destined to the router itself
B.✅Correct – packet is routed through the router (forwarded)
C.❌output chain is for packets originating from the router
D.❌This description applies to packets sourced by the router itself
MTCNA Course Manual – Packet Flow Diagram:
“Forward chain handles packets that are being routed through the device (not destined to or from the router itself).”
René Meneses Guide – Firewall Chains:
“For routed traffic, the forward chain is used. This includes NATed traffic between LAN and WAN.”
Terry Combs Notes – Packet Flow:
“Understand the router’s role. If it’s just forwarding, only the forward chain applies.”
Answer: B
Mark all correct answers.
/ip firewall filter allows to deny authentication to AP
Wireless access-list could allow and deny connect to your AP
Default-Forwarding could be enabled for a specific clients by wireless access-list
The only way to prevent wireless clients connections - disable wireless interface
Let’s evaluate each statement:
A.✘Incorrect – /ip firewall filter can block traffic after association/authentication but cannot directly prevent wireless authentication. Association happens before IP-level filtering.
B.✔Correct – Wireless access-list allows or denies associations based on MAC address and other parameters (signal strength, etc.).
C.✔Correct – Access-list rules can enable/disable default-forwarding per client (overriding global setting).
D.✘Incorrect – Disabling the wireless interface is not the only way. You can use access-list or disable SSID broadcast.
Extract from MTCNA Course Material – Wireless Access List:
“Access List provides client control based on MAC address. You can accept, reject, and even override default-forwarding per client.”
Extract from René Meneses MTCNA Study Guide – Access Control:
“Wireless Access List can selectively allow or deny clients and enforce individual settings like forwarding.”
Extract from MikroTik Wiki – Wireless Access List:
“The firewall filter is not involved in authentication. Access control must be done at the wireless layer using access-lists.”
===========
Action=redirect can be used in NAT chain src-nat
true
false
The action=redirect is used only in the dstnat chain to redirect traffic to a local port (e.g., for transparent proxy or DNS capture). It is not valid in the srcnat chain.
A.✘Incorrect – RouterOS will not permit redirect in srcnat.
B.✔Correct – redirect is only supported in dstnat.
Extract from Official MTCNA Course Material – NAT Actions:
“Redirect is used in the dstnat chain to force traffic to a specific port on the local router.”
Extract from MikroTik Wiki – NAT Action Reference:
“Action=redirect is only meaningful in dstnat and is used to redirect traffic to router-local services.”
Extract from René Meneses Study Guide – NAT Table:
“Redirect cannot be used in srcnat. Only valid in dstnat for local service interception.”
===========
Which of the protocols below is used by Netinstall?
arp
bootp
dhcp
rarp
Netinstall is a MikroTik tool for reinstalling RouterOS on RouterBOARD devices. It uses the RARP (Reverse ARP) protocol during the boot phase to obtain the host from which to download the OS. It does not rely on DHCP, ARP, or BOOTP in standard Netinstall scenarios.
A.✘arp – Not used by Netinstall for initial boot communication
B.✘bootp – Not used in Netinstall process
C.✘dhcp – Not used for booting RouterBOARD into Netinstall
D.✔rarp – Used by Netinstall to allow the RouterBOARD to request an address and boot image
Extract from MTCNA Course Material – Netinstall Boot Process:
“Netinstall uses RARP to discover the Netinstall server when booting into Ethernet mode.”
Extract from MikroTik Wiki – Netinstall:
“Netinstall communicates with the device via RARP protocol when loading RouterOS over Ethernet.”
Extract from René Meneses MTCNA Study Guide – Netinstall Chapter:
“RARP is used for booting during Netinstall. DHCP is not required for this operation.”
What is necessary for PPPoE client configuration?
Interface (on which PPPoE client is going to work)
Static IP address on PPPoE client interface
ip firewall nat masquerade rule
To configure a PPPoE client on MikroTik, you need to:
Set the client interface (usually ether1 or another WAN-facing port).
Optionally add NAT masquerading to enable LAN users to reach the internet.
IP address on the interface is assigned dynamically from the ISP after PPPoE negotiation, so a static IP is not required.
Option Analysis:
A.✔Required – You must select the interface that initiates the PPPoE connection.
B.✘Not Required – The IP is typically assigned by the PPPoE server (ISP).
C.✔Required – NAT masquerade is commonly used to allow internet access for private IP clients behind the router.
Extract from MTCNA Course Material – PPPoE Client Setup:
“The PPPoE client must have an interface specified. A NAT masquerade rule is recommended for internet access sharing.”
Extract from René Meneses MTCNA Study Guide – PPPoE:
“You do not need to assign a static IP to the PPPoE client interface. IP is received after successful login.”
Extract from MikroTik Wiki – PPPoE Client:
“After setting up the interface and credentials, PPPoE client negotiates and receives dynamic IP. Add NAT if routing LAN traffic.”
===========
NAT rule is going to catch SMTP traffic and send it to a specific mail server. What is the correct action for a NAT rule?
passthrough
dst-nat
redirect
tarpit
To redirect SMTP (port 25) traffic from users to a specific internal or external SMTP server, you must use dst-nat. This modifies the destination address and port to point to the desired mail server.
A.✘passthrough – Allows the packet to be evaluated by other NAT rules; it doesn't alter traffic
B.✔dst-nat – Rewrites destination IP/port; this is what is needed to redirect SMTP to a specific server
C.✘redirect – Sends traffic to the router itself; not suitable for external redirection
D.✘tarpit – Used for slowing down malicious TCP connections, not redirection
Extract from MTCNA Course Material – NAT Types:
“Use dst-nat to change the destination IP address. This is suitable for port forwarding or service redirection.”
Extract from René Meneses Study Guide – NAT Rules:
“To redirect traffic to a specific server, use action=dst-nat and specify the new destination address.”
===========
Which of the following is NOT a valid MAC Address?
80:GF:AA:67:13:5D
95:B5:DD:EE:78:8A
88:0C:00:99:5F:EF
EA:BA:AA:EE:FF:CB
13:16:86:53:89:43
A MAC (Media Access Control) address is a unique identifier assigned to network interfaces for communications at the data link layer (Layer 2 of the OSI model). A MAC address is:
Always 48 bits (6 bytes) long
Represented in 12 hexadecimal characters
Grouped into 6 pairs separated by colons or dashes (e.g., 00:1A:2B:3C:4D:5E)
Contains only hexadecimal characters (0-9, A-F)
Extract from René Meneses MTCNA Study Guide:
“A MAC address is a 48-bit value, represented as 6 groups of two hexadecimal digits (00 to FF). Any character outside this range is not valid. For example, 80:GF:AA:67:13:5D is invalid because ‘G’ is not a valid hexadecimal digit.”
Extract from Terry Combs MTCNA Notes – MAC Addressing Section:
“Valid MAC addresses contain only 0-9 and A-F. A common mistake in training exams is to insert an invalid character like G or H into a MAC, which instantly makes it incorrect.”
Extract from MikroTik Wiki – MAC Address Format Page:
“MAC addresses are six octets long and use hexadecimal format only. Hexadecimal numbers go from 0–9 and A–F. If a character appears outside that range, the address is invalid.”
Now let’s evaluate each option:
Option A: 80:GF:AA:67:13:5D❌Contains the letter "G", which does not belong to the hexadecimal system. That makes this address invalid.
Option B: 95:B5:DD:EE:78:8A✅All characters are valid hex (9, 5, B, D, E, 7, 8, A)
Option C: 88:0C:00:99:5F:EF✅All valid characters.
Option D: EA:BA:AA:EE:FF:CB✅Hex only — valid.
Option E: 13:16:86:53:89:43✅Also valid hex — no issue.
So, Option A is the only invalid MAC address.
Evaluate the following information:
Access Point configuration:
-- wlan1 is in 'AP-Bridge' mode
-- Bridge1 has wlan1 and ether1 as ports
CPE configuration:
-- wlan1 is in 'Station-Bridge' mode
-- Bridge1 has wlan1 and ether1 as ports
Select protocols that will pass from ether1 on the CPE to ether1 on the Access Point:
IPv4
ARP
USB
BGP
Firewire
IPv6
DHCP
In this configuration, the wireless interface (wlan1) on the AP is in ap-bridge mode, and on the CPE it's in station-bridge mode. This mode allows full Layer 2 bridging over wireless, supporting all Ethernet-based protocols and services, including:
IPv4, IPv6, DHCP, ARP, PPPoE, and routing protocols like BGP (which use TCP/IP).
Protocols like USB or Firewire are hardware-level or local bus protocols and cannot be transmitted over Ethernet frames or wireless.
Option Review:
A.✔IPv4 – supported
B.✔ARP – Layer 2 protocol, supported
C.✘USB – not a network protocol, not transmitted over bridges
D.✔BGP – Layer 3 protocol, supported over bridged links
E.✘Firewire – not a Layer 2 or network protocol
F.✔IPv6 – fully supported
G.✔DHCP – Layer 3 broadcast protocol, works over bridges
H.✔PPPoE – Ethernet-based protocol, passes over Layer 2 bridge
Extract from Official MTCNA Course Material – Wireless Bridging:
“station-bridge mode allows transparent Layer 2 bridging, supporting all Ethernet protocols including IPv4, IPv6, ARP, DHCP, PPPoE, and more.”
Extract from René Meneses MTCNA Study Guide – Wireless Modes:
“Use station-bridge with ap-bridge to pass full Layer 2 traffic. This allows DHCP, PPPoE, and other protocols to work transparently.”
Extract from MikroTik Wiki – Station Bridge:
“station-bridge mode is used with MikroTik-only links and allows full Layer 2 protocol support, including dynamic IP assignments and bridging.”
How long is level 1 (demo) license valid?
24 hours
Infinite time
1 month
1 year
RouterOS Level 1 license is the demo license that comes with all RouterOS installations (particularly on x86 or CHR before activation). It is unrestricted in time, meaning it never expires, but functionality is extremely limited.
A. 24 hours → Incorrect. There is no such time-limited restriction.
B. Infinite time → Correct. Level 1 license is perpetual but has limited features.
C. 1 month → Incorrect. MikroTik does not impose monthly timeouts on license levels.
D. 1 year → Incorrect. No temporary time-bound license is assigned by default.
Extract from Official MTCNA Course Material – Licensing Section:
“Level 1 (demo) license is unlimited in time but has very limited functionality. It is designed for testing purposes only.”
Extract from René Meneses MTCNA Study Guide – RouterOS Licensing:
“The Level 1 license is not time-limited, but it cannot be used in production due to its lack of key features.”
Extract from MikroTik Wiki – Licensing Model:
“License level 1 is a free demo license that does not expire.”
===========
PPPoE server only works within one Ethernet broadcast domain that it is connected to. If there is a router between server and end-user host, it will not be able to create PPPoE tunnel to that PPPoE server.
False
True
PPPoE (Point-to-Point Protocol over Ethernet) relies on Ethernet broadcast and discovery mechanisms. It uses a discovery stage (PPPoE Active Discovery Initiation – PADI) which is sent as a broadcast. Therefore, PPPoE only works within the same Layer 2 broadcast domain.
If a router (Layer 3 device) exists between the client and PPPoE server, it breaks the Layer 2 broadcast domain, making it impossible for the client to reach the server.
A.✘False – Routers break the broadcast domain; PPPoE will fail.
B.✔True – PPPoE requires L2 adjacency.
Extract from Official MTCNA Course Material – PPPoE Concepts:
“PPPoE operates only over Ethernet broadcast domains. If routed, PADI packets will not reach the PPPoE server.”
Extract from René Meneses MTCNA Study Guide – PPPoE:
“PPPoE discovery is broadcast-based and does not traverse routers.”
Extract from MikroTik Wiki – PPPoE Limitations:
“PPPoE cannot function over routed networks. Server and client must be in the same broadcast domain.”
===========
To use masquerade, you need to specify:
action=accept, out-interface, chain=src-nat
action=masquerade, out-interface, chain=src-nat
action=masquerade, in-interface, chain=src-nat
action=masquerade, out-interface, chain=dst-nat
Masquerading is a form of source NAT (src-nat) where the router dynamically replaces the source address of outgoing packets with the IP address of the router’s outgoing interface. This is commonly used when internal LAN clients access the internet through a single public IP.
Key points for masquerade configuration:
Use chain=src-nat (because it modifies the source address)
Use action=masquerade
Specify the out-interface (i.e., the WAN interface)
MTCNA Course Material – NAT Section:
“To configure masquerading, use chain=src-nat and action=masquerade. Specify out-interface to define the traffic direction.”
René Meneses MTCNA Study Guide – NAT Examples:
“Masquerade automatically uses the IP address of the specified out-interface. Required parameters: chain=src-nat, action=masquerade, out-interface.”
MikroTik Wiki – Source NAT / Masquerade:
“Masquerade is a special form of src-nat. You must use it in chain=src-nat and define the out-interface for which NAT will be applied.”
Option A: Incorrect; action=accept is used in filter rules, not NAT
Option C: in-interface is not applicable here
Option D: chain=dst-nat is used for destination NAT, not source NAT
Only Option B is fully correct.
Final Answer: B
QUESTION NO: 94 [Tools]
In which situations can Netinstall NOT be used to install a RouterBOARD?
A. The router does not have an operating system
B. The router is connected only to a wireless network
C. You do not know the password of the router
D. The router is connected only to a secondary Ethernet port
Answer: B
Netinstall works over a wired Ethernet connection and uses PXE or Etherboot to install RouterOS over the network. It cannot function over wireless, as wireless interfaces do not support PXE booting or Netinstall protocols.
MTCNA Course Material – Netinstall Overview:
“Netinstall requires a direct Ethernet connection between the PC and the router. Wireless interfaces are not supported for Netinstall procedures.”
René Meneses MTCNA Guide – Netinstall:
“Netinstall only works over Ethernet. You cannot Netinstall a device connected only through Wi-Fi.”
MikroTik Wiki – Netinstall Prerequisites:
“Router must be connected via Ethernet. Wireless and USB interfaces are not supported.”
Other options:
A: This is a typical use case (installing RouterOS when OS is missing)
C: Netinstall bypasses the password (it is not needed)
D: Netinstall can work via any Ethernet port, provided it's accessible
Final Answer: B
QUESTION NO: 95 [Monitoring and Logging]
MikroTik RouterOS is sending logs to an external syslog server. Which protocol and port are used by RouterOS for sending logs (by default)?
A. UDP 514
B. UDP 21
C. UDP 113
D. TCP 110
Answer: A
RouterOS uses the industry-standard syslog protocol for remote logging. By default, syslog uses UDP port 514.
MTCNA Course Material – Logging Section:
“For sending logs to a remote syslog server, RouterOS uses the syslog protocol on UDP port 514 by default.”
René Meneses MTCNA Guide – Monitoring & Logging:
“External logging is done using UDP port 514, which is the standard syslog protocol port.”
MikroTik Wiki – Logging Configuration:
“To send logs to a remote server, configure an action of type remote with a remote address and use UDP port 514 unless otherwise changed.”
Other ports:
UDP 21 = FTP (not logging)
UDP 113 = Ident protocol
TCP 110 = POP3
Only UDP 514 is correct.
Final Answer: A
QUESTION NO: 96 [RouterBOARD Hardware]
Can you manually add drivers to RouterOS in case your PCI Ethernet card is not recognized, and you suspect it is a driver issue?
A. Yes
B. No
Answer: B
RouterOS is a closed, embedded Linux-based system. It does not support adding custom drivers or compiling modules manually. You must use supported hardware that is natively compatible with RouterOS.
MTCNA Course Material – RouterBOARD Compatibility:
“RouterOS supports a fixed set of drivers. You cannot install third-party drivers or modules.”
René Meneses MTCNA Guide – Hardware Limitations:
“Custom drivers cannot be added to RouterOS. Use only supported network interface cards as listed by MikroTik.”
MikroTik Wiki – Hardware Support:
“RouterOS does not allow manual driver installation. All drivers are precompiled and built into the system image.”
Therefore, if your PCI Ethernet card is not recognized, you must replace it with a compatible model — you cannot add a driver manually.
The DoD model (also called the TCP/IP stack) has four layers. Which layer of the DoD model is equivalent to the Network layer of the OSI model?
A. Application
B. Host-to-Host
C. Internet
D. Network Access
The TCP/IP or DoD model includes the following layers:
Application
Host-to-Host
Internet
Network Access
The Internet layer in the DoD model is responsible for logical addressing and routing — matching the function of the OSI model's Layer 3 (Network Layer), which handles IP addressing and packet forwarding.
MTCNA Course Material – TCP/IP vs OSI Model:
“The Internet layer of the TCP/IP model maps directly to the OSI’s Network Layer and is responsible for logical addressing and routing.”
René Meneses MTCNA Study Guide – Layer Mapping Table:
“TCP/IP Internet Layer = OSI Network Layer. Handles IP routing, addressing.”
Other mappings:
Application = OSI Layers 5–7
Host-to-Host = OSI Layer 4 (Transport)
Network Access = OSI Layers 1–2
Final Answer: C
QUESTION NO: 114 [RouterOS Introduction – ARP]
Which of the following allows a router to respond to an ARP request that is intended for a remote host?
A. Gateway DP
B. Reverse ARP (RARP)
C. Proxy ARP
D. Inverse ARP (IARP)
Answer: C
Proxy ARP allows a router to answer ARP requests on behalf of another device. It is often used in networks where hosts don't have proper default gateways but still need to communicate with devices in different subnets.
MTCNA Course Material – ARP Types:
“Proxy ARP allows a router to respond to an ARP request for an IP address that is not on the local subnet, effectively acting as a proxy.”
René Meneses MTCNA Guide – ARP Configuration:
“Proxy ARP is useful for bridging two IP networks or for clients that do not have default gateways defined.”
MikroTik Wiki – ARP Modes:
“When Proxy ARP is enabled, the router replies to ARP requests for hosts that are not on the same subnet.”
Other options:
A: Gateway DP is not a standard term or protocol.
B: RARP maps MAC to IP — outdated and not used in this context.
D: Inverse ARP is used in Frame Relay, not Ethernet/IP networks.
Final Answer: C
QUESTION NO: 115 [DHCP]
You want to implement a mechanism that automates the IP configuration, including IP address, subnet mask, default gateway, and DNS information. Which protocol will you use to accomplish this?
A. SMTP
B. SNMP
C. DHCP
D. ARP
Answer: C
DHCP (Dynamic Host Configuration Protocol) is specifically designed to assign IP configuration details automatically to clients on a network, including:
IP address
Subnet mask
Default gateway
DNS servers
MTCNA Course Material – DHCP Server Function:
“DHCP is a service that dynamically assigns IP settings to clients, removing the need for manual configuration.”
René Meneses MTCNA Study Guide – DHCP Operation:
“DHCP provides automatic configuration of network parameters including IP, mask, DNS, and gateway.”
Other options:
A: SMTP is for email
B: SNMP is for monitoring
D: ARP resolves IP-to-MAC addresses
Final Answer: C
QUESTION NO: 116 [DHCP]
Which of the following describe the DHCP Discover message?
1. It uses FF:FF:FF:FF:FF:FF as a layer 2 broadcast.
2. It uses UDP as the Transport layer protocol.
3. It uses TCP as the Transport layer protocol.
4. It does not use a layer 2 destination address.
A. 1 only
B. 1 and 2
C. 3 and 4
D. 4 only
Answer: B
When a client sends a DHCP Discover message:
It does not yet have an IP address, so it sends a Layer 2 broadcast (FF:FF:FF:FF:FF:FF).
DHCP uses UDP, not TCP.
Specifically, it uses UDP port 67 (server) and 68 (client).
Layer 2 destination is broadcast — it certainly does use a Layer 2 address.
MTCNA Course Material – DHCP Process:
“The client broadcasts a DHCP Discover message to FF:FF:FF:FF:FF:FF using UDP ports 67 and 68.”
René Meneses MTCNA Study Guide – DHCP Message Types:
“DHCP uses UDP. Discovery messages are Layer 2 broadcasts to locate a DHCP server.”
MikroTik Wiki – DHCP Protocol Behavior:
“The Discover message uses UDP and broadcast MAC addressing.”
Statements:
1: True (Layer 2 broadcast)
2: True (Uses UDP)
3: False (TCP not used)
4: False (Layer 2 destination address is broadcast)
────────────────────────────────────────────────────────────
Which are necessary sections in /queue simple to set bandwidth limitation?
A. target-address, max-limit
B. target-address, dst-address, max-limit
C. target-address, dst-address
D. max-limit
Simple Queues in MikroTik are the most straightforward way to manage bandwidth per IP address or subnet. To apply bandwidth limitations, you primarily need:
target-address (the IP address or subnet you're shaping)
max-limit (the maximum allowable upload/download bandwidth)
Other fields like dst-address can be used for advanced matching, but they are not required for basic bandwidth limiting.
A. Correct. This is the minimum required configuration.
B. Incorrect. dst-address is optional and unnecessary unless shaping traffic only to specific destinations.
C. Incorrect. Lacks max-limit, which is essential for any bandwidth cap.
D. Incorrect. Without target-address, the queue doesn’t know which host or network to apply the rule to.
Extract from Official MTCNA Course Material – QoS Section:
"To shape traffic in a simple queue, the most basic configuration requires target-address and max-limit. Target-address specifies which host or network to affect. Max-limit defines upload/download caps."
Extract from René Meneses MTCNA Study Guide – QoS:
"A simple queue needs at least two values: target (the IP or range) and max-limit (limits for up/down in bits per second). Everything else is optional for basic shaping."
Extract from Terry Combs Notes – Queues:
“Without a max-limit value, the queue does not restrict bandwidth. dst-address is rarely used in simple queues unless traffic is routed externally.”
===========