MikroTik Certified Network Associate Exam Questions and Answers
The MAC layer in the OSI model is also known as:
Options:
A. Layer 2
B. Layer 1
C. Layer 6
D. Layer 7
E. Layer 3
Answer: A
Is ARP used in the IPv6 protocol?
Options:
A. False
B. True
Answer: A
Explanation:
In IPv6, the Address Resolution Protocol (ARP) is not used. Instead, IPv6 uses the Neighbor Discovery Protocol (NDP), which is part of the ICMPv6 suite. NDP handles address resolution, router discovery, and reachability.
MTCNA Course Material – IPv6 Address Resolution:
“IPv6 replaces ARP with Neighbor Discovery Protocol. NDP uses ICMPv6 to perform tasks like address resolution and router discovery.”
René Meneses MTCNA Study Guide – IPv6 Fundamentals:
“There is no ARP in IPv6. It uses NDP messages for neighbor solicitation and advertisement.”
Thus, ARP is not used in IPv6.
Final Answer: A
QUESTION NO: 152 [Monitoring and Management – SNMP Protocol]
Which of the following protocols / ports are used for SNMP (Simple Network Management Protocol)?
A. TCP 162
B. UDP 162
C. UDP 161
D. TCP 25
E. TCP 123
F. TCP 161
Answer: B, C
SNMP uses the following ports:
UDP 161: Used for SNMP agent queries (GET, SET, etc.)
UDP 162: Used by SNMP managers to receive trap notifications
MTCNA Course Material – SNMP and Monitoring:
“SNMP uses UDP 161 for polling devices and UDP 162 for traps.”
MikroTik Wiki – SNMP:
“SNMP communication uses UDP ports 161 (queries) and 162 (traps). TCP is not used for SNMP by default.”
Option breakdown:
A: TCP 162 → incorrect (SNMP traps use UDP)
B: ✔ UDP 162
C: ✔ UDP 161
D: TCP 25 = SMTP
E: TCP 123 = NTP (incorrect protocol and transport)
F: TCP 161 = incorrect transport
Final Answer: B, C
QUESTION NO: 153 [ARP – MikroTik Specific Behavior]
If arp=reply-only is configured on an interface, what will this interface do?
A. Accept all IP/MAC combinations listed in /ip arp as static entries
B. Accept all IP addresses listed in /ip arp as static entries
C. Add new MAC addresses in /ip arp list
D. Accept all MAC addresses listed in /ip arp as static entries
E. Add new IP addresses in /ip arp list
Answer: A
Setting arp=reply-only on an interface disables the normal dynamic ARP process. The router will only respond to ARP requests for IP/MAC pairs that are explicitly listed in /ip arp with type=static. No dynamic entries will be added.
MikroTik Wiki – ARP Modes:
“reply-only – the interface will only reply to ARP requests if there is a static entry. It will not add any new entries.”
MTCNA Course Material – ARP Configuration:
“When reply-only is set, the interface will not send ARP requests and will only respond to those IP/MAC combinations configured as static entries.”
Option breakdown:
A: ✔ Correct — replies only to statically configured IP/MAC pairs
B: Incorrect — ARP entries must have both IP and MAC
C/E: No new dynamic entries are added in reply-only mode
D: MAC addresses alone are not matched — ARP matches IP/MAC pairs
Final Answer: A
QUESTION NO: 154 [RouterOS Tools – Configuration Export]
Mark all correct statements about /export (rsc file).
A. Exports logs from /log print
B. Exports full configuration of the router
C. Exports only part of the configuration (for example /ip firewall)
D. Exports scripts from /system script
E. Exported files could not be edited
Answer: B, C, D
The /export command in RouterOS allows exporting configuration as a script (.rsc file). It can:
Export the full configuration
Export a specific section (e.g., /ip firewall)
Include scripts under /system script if specified
It does not export logs and the exported .rsc file is plain text and can be edited.
MTCNA Course Material – Configuration Management:
“/export outputs configuration to a text file. You can export the full config or a specific menu, and it includes scripts if present.”
MikroTik Wiki – Export Command:
“You can use /export to generate editable .rsc files. Use /export file=name or /ip firewall export.”
Option breakdown:
A: ❌ Logs are not exported
B: ✔ Full config export is default
C: ✔ You can target specific sections (e.g., /ip dhcp-server)
D: ✔ Scripts are included if present
E: ❌ Exported files are editable text files
Final Answer: B, C, D
MikroTik RouterOS commands can be run once a day by:
Options:
A. /system watchdog
B. /system cron
C. /system scheduler
Answer: C
Explanation:
MikroTik RouterOS uses the /system scheduler to execute scripts or commands at defined times or intervals. It allows for automation of tasks such as backups, reboots, updates, and more.
Evaluation:
A. /system watchdog → ❌ Used for hardware monitoring and rebooting if the system freezes.
B. /system cron → ❌ Not available in MikroTik RouterOS (RouterOS doesn’t use cron syntax).
C. /system scheduler → ✅ Correct. Built-in RouterOS feature for scheduled command execution.
MTCNA Course Manual – System Scheduler Section:
“Use /system scheduler to run scripts or commands at regular intervals or specific times.”
René Meneses Guide – Automating Tasks:
“Scheduler is the only built-in time-based job handler in RouterOS.”
Terry Combs Notes – Script Automation:
“RouterOS uses scheduler, not cron. Schedule by time or interval.”
Answer: C
QUESTION NO: 67 [Firewall / Tools]
Where can you monitor (see addresses and ports) real-time connections which are processed by the router?
A. Firewall Connection Tracking
B. Firewall Counters
C. Tool Torch
D. Queue Tree
Answer: A
Firewall Connection Tracking (also known as conntrack) is used to monitor real-time connections that pass through the router. It shows source and destination IPs, ports, protocols, connection states (established, new, related), and more.
Let’s evaluate the options:
A. ✅ Correct – Shows live connection table with IPs, ports, and statuses
B. ❌ Shows rule match counters only — no detailed connection info
C. ❌ Torch shows per-interface traffic; useful for bandwidth, but not a connection list
D. ❌ Queue Tree is used for traffic shaping, not for viewing connections
MTCNA Course Manual – Firewall Concepts:
“Connection tracking shows all active sessions through the router with IP and port details.”
René Meneses Guide – Firewall Tools:
“Use connection tracking to diagnose connection states and NAT behavior.”
Terry Combs Notes – Monitoring Tools:
“conntrack is your real-time connection monitor. Torch is per-interface, not per-flow.”
Answer: A
QUESTION NO: 68 [Wireless]
How many wireless clients can connect when the wireless card is configured to mode=bridge?
A. 1
B. 100
C. 2007
D. 2
Answer: A
In MikroTik RouterOS, if a wireless card is configured to mode=bridge (also referred to as "station-bridge"), it can only be used to connect a single client device (MAC address) behind it. This is due to limitations in how 802.11 bridges MAC addresses.
So:
A. ✅ Correct – Only 1 MAC address can pass via wireless bridge mode (unless using WDS or 4-address mode)
B, C → ❌ Too many clients for bridge mode
D. ❌ Incorrect – Still only one client allowed per interface in bridge mode
MTCNA Wireless Module – Wireless Modes:
“Bridge mode allows one client only unless extended bridging protocols are used.”
René Meneses Guide – Wireless Bridging:
“mode=bridge = one MAC behind the station. Use WDS for multiple MACs.”
Terry Combs Notes – Wireless Modes:
“Station-bridge mode works like Ethernet, but only supports one MAC address unless using WDS.”
Answer: A
QUESTION NO: 69 [Routing]
In the Route List, the identification DAb for a route stands for:
A. direct - active - bgp
B. direct - acknowledge - backup
C. dynamic - active - backup
D. dynamic - active - bgp
Answer: D
In MikroTik RouterOS, route flags provide quick insight into how the route was created and its status:
D = Dynamic → The route was added dynamically by a protocol (like BGP, OSPF, RIP)
A = Active → This route is currently being used
b = BGP → Indicates that the route was learned via the BGP routing protocol
Therefore, DAb means:
→ D = Dynamic
→ A = Active
→ b = BGP
MTCNA Routing Section – Route Flags Explanation:
“D = dynamically added, A = currently active, b = learned via BGP.”
René Meneses Guide – Understanding Route Lists:
“DAb → dynamic + active + BGP route. Route is learned and installed via BGP.”
Terry Combs Notes – Route Symbols:
“Check the route list: b = BGP, o = OSPF, r = RIP, s = static, c = connected.”
You have a DHCP server on your MikroTik router. The IP addresses 10.1.2.2–10.2.2.20 are distributed in the DHCP network. Additionally, 3 static IP addresses are defined for your servers: 10.1.2.31–10.1.2.33.
After a while, 20 more IP addresses need to be distributed in the network. It is possible to distribute the extra IP addresses without adding another DHCP Server:
Options:
A. True
B. False
Answer: A
Explanation:
MikroTik RouterOS allows DHCP administrators to modify the DHCP address pool without creating an additional DHCP server. You can simply edit or extend the address pool range, and the DHCP server will start offering those new IPs.
Therefore, it is completely possible to:
Extend the existing address pool
Exclude statically assigned IPs
Continue using the same DHCP Server instance
You do NOT need to create a second DHCP server on the same interface.
MTCNA Course Manual – DHCP Configuration:
“It is possible to expand the address-pool dynamically without adding additional DHCP servers. Just add more IPs to the pool.”
René Meneses Study Guide – DHCP Pools Section:
“You can edit the address pool associated with the DHCP server anytime to include more addresses. No need to create another server.”
Terry Combs Notes – DHCP Tips:
“Keep one DHCP server per subnet. Extend pools via IP > Pool if more IPs are needed.”
Answer: A
QUESTION NO: 25 [Wireless]
In which order are the entries in Access List and Connect List processed?
A. By Signal Strength Range
B. By interface name
C. In sequence order
D. In a random order
Answer: C
MikroTik processes the entries in the Access List and Connect List in a top-down fashion, meaning that the first matching entry is the one applied. This is known as sequence order (from top to bottom).
Each rule is checked in the order it appears in the list, and once a match is found, the rest of the list is ignored for that client.
Incorrect options:
A. Signal strength is only a condition, not a sorting method
B. Interface names are part of rule conditions
D. Not random — rules are processed sequentially
MTCNA Official Training Manual – Wireless Access & Connect List:
“Rules in access-list and connect-list are checked in the order they are listed. Once a match is found, further rules are ignored.”
René Meneses Guide – Wireless Access Rules:
“Access-list is evaluated top-down. Sequence matters.”
Terry Combs MTCNA Notes – Wireless Filtering:
“Be careful with order. The first matching rule is applied — no exceptions.”
Answer: C
QUESTION NO: 26 [Wireless]
During a scan, in order to see all the available wireless frequencies that are supported by the card, the following option must be selected in the wireless card's "Frequency Mode":
A. superchannel
B. regulatory domain
C. manual txpower
Answer: A
In MikroTik RouterOS, enabling the "superchannel" frequency mode allows access to all frequencies supported by the wireless chip, including those that may be outside of country-specific regulatory limits. This mode is typically used in lab testing or in regions where regulations permit.
A. superchannel → ✅ Correct. Enables full frequency range
B. regulatory domain → Restricts visible frequencies to region’s law
C. manual txpower → Controls power output, not frequency scanning
MTCNA Course Material – Wireless Configuration Options:
“To unlock all available wireless frequencies for scanning or connection, enable the 'superchannel' frequency mode.”
René Meneses Study Guide – Wireless Advanced Config:
“Superchannel mode shows all channels supported by the hardware. Use with caution — may violate regulations.”
Terry Combs Notes – Wireless Modes:
“Want to see hidden or extended frequencies? Use superchannel mode. Not legal in every region.”
Answer: A
QUESTION NO: 27 [NAT]
It is required to make a web server on a private LAN visible on the public internet. Only the web server port should be visible to the public. Which of the following configuration steps must be met? (Select all that apply)
A. Public IP address of the web server must be installed on the NAT Router
B. In IP firewall NAT, there should be a dst-nat between the public IP of the router and the private IP of the web server
C. Connection Tracking must be enabled on NAT router
D. A route between the NAT router and the web server must exist
E. LAN address of the web server should be routable on the internet
Answer: B, C, D
To expose a web server behind a MikroTik router to the public, the following steps must be met:
B. dst-nat rule must be created to forward incoming requests (e.g., TCP port 80) to the internal web server IP → ✅ Required
C. Connection Tracking must be enabled, otherwise NAT rules won’t function → ✅ Required
D. A route between the NAT router and the web server must exist (usually a directly connected subnet) → ✅ Required
Incorrect Options:
A. The public IP does not need to be installed on the web server — it remains private → ❌
E. Private LAN IP (like 192.168.x.x) does not need to be routable on the internet → ❌
MTCNA Course Manual – NAT and Port Forwarding Section:
“To expose internal services to the public internet, use dst-nat. Ensure connection tracking is active and the server is reachable through routing.”
René Meneses Guide – NAT Configuration:
“DST-NAT forwards specific ports to internal IPs. Connection tracking is a prerequisite. LAN IPs remain private.”
Terry Combs Notes – Web Server NAT Rules:
“No need to assign public IP to server. Just configure a proper NAT rule and ensure routing exists internally.”
════════════════════════════════════════════
If 'check-gateway' is enabled for an ECMP route and one of the gateways is unreachable, then:
Options:
A. ECMP is going to send packets to all gateways even if one is unreachable
B. The unreachable gateway is not going to be used in Round Robin algorithm
C. The ECMP route becomes inactive
Answer: B
Explanation:
When multiple gateways are used in an ECMP (Equal Cost Multi-Path) configuration, the check-gateway option ensures that RouterOS will actively monitor the health of each gateway using ping (or ARP). If a gateway becomes unreachable, RouterOS temporarily removes it from the active ECMP gateway list.
A. ✘ Incorrect – Unreachable gateways are excluded from packet forwarding.
B. ✔ Correct – Only reachable gateways are used in the ECMP round robin logic.
C. ✘ Incorrect – The entire ECMP route remains active; only the failed gateway is excluded.
Extract from MTCNA Course Material – ECMP Routing:
“With check-gateway enabled, RouterOS will exclude unreachable gateways from ECMP rotation.”
Extract from MikroTik Wiki – Check-Gateway Option:
“When a gateway is unreachable, it is skipped in ECMP logic until it becomes reachable again.”
Extract from René Meneses Study Guide – ECMP and Gateway Monitoring:
“Check-gateway helps prevent blackholing by skipping dead gateways. The route remains active.”
==================================
What does the firewall action "log" do?
Options:
A. It logs and blocks the packet
B. It blocks and logs the packet
C. It adds a prefix to the packet and passes it through
D. It logs the packet
Answer: D
Explanation:
The log action in MikroTik's firewall does not block or drop packets. Instead, it generates a log entry for packets that match the rule and passes the packet to the next rule in the chain. It is used for monitoring, debugging, or auditing network behavior.
MTCNA Official Course Material – Firewall Filters:
“The action 'log' creates a log entry when a packet matches the rule. It does not terminate or alter the packet's flow. The packet continues to be processed by subsequent rules.”
René Meneses MTCNA Study Guide – Firewall Logging:
“Log action is used to generate logs for matched packets. It does not block or modify traffic.”
MikroTik Wiki – Firewall Actions:
“log – This action writes matching packets to the log. Logging rules have no effect on the packet’s behavior.”
Hence, Option D is correct: It logs the packet, nothing more.
Final Answer: D
QUESTION NO: 86 [Firewall]
Which of the following is true for connection tracking?
A. Connection tracking must be enabled for NAT'ed network
B. Enabling connection tracking reduces CPU usage in RouterOS
C. Disable connection tracking for mangle to work
D. Connection tracking must be enabled to be able to use all firewall features
Answer: D
Connection tracking (conntrack) is a feature that enables RouterOS to monitor and manage the state of all network connections passing through the router. It is essential for features like NAT, stateful firewalling, and proper use of mangle and filter rules.
MTCNA Course Material – Connection Tracking:
“Most firewall and NAT functionality depends on connection tracking being enabled. Without connection tracking, many features (like NAT) won’t function properly.”
René Meneses MTCNA Study Guide – Firewall Section:
“Connection tracking is required for NAT and most firewall filters. When disabled, connection-state-based filtering or NAT is not possible.”
Terry Combs MTCNA Notes – Conntrack Section:
“Conntrack must be enabled to use full firewall capabilities, including NAT and filtering by connection states like established and related.”
Option A is partially true but not complete.
Option B is incorrect – conntrack may increase CPU load due to session tracking.
Option C is incorrect – mangle rules often depend on connection marks which require conntrack.
Only Option D accurately captures the critical requirement of connection tracking.
Final Answer: D
QUESTION NO: 87 [RouterOS Introduction]
Which of the following keystrokes enables safe mode in console?
A. Ctrl+x
B. Ctrl+c
C. Ctrl+d
D. Ctrl+s
Answer: D
Safe Mode in MikroTik CLI is a protective mode that helps revert any unintended changes if you get disconnected. It is activated by pressing Ctrl+X in older versions, but the current standard keybinding for enabling safe mode is Ctrl+S.
MTCNA Course Material – Safe Mode:
“To enable safe mode in the terminal, press Ctrl+S. A confirmation [Safe Mode] will appear in the prompt. If the terminal is closed or disconnected, the changes are rolled back.”
René Meneses MTCNA Study Guide – Terminal Commands:
“Safe Mode can be activated using Ctrl+S. This is useful during remote configuration. It reverts changes if the terminal is closed.”
MikroTik Wiki – Safe Mode Section:
“To enter safe mode, press Ctrl+S in CLI. This ensures configuration rollback if disconnected.”
Other options:
Ctrl+C terminates commands or CLI input
Ctrl+X may not activate safe mode in newer versions
Ctrl+D is used to log out in some Unix-like terminals
Correct answer: Ctrl+S
Final Answer: D
QUESTION NO: 88 [Wireless]
Select the minimal set of software packages in RouterOS required to configure a wireless AP:
A. Wireless
B. advanced-tools
C. dhcp
D. routing
E. system
Answer: A
To configure a wireless access point (AP) in RouterOS, the only required software package is wireless. All other functionalities like DHCP or routing are optional depending on the network setup. The system package is always present and not removable, so it's not listed as a required dependency in package selection.
MTCNA Course Material – Wireless Configuration Basics:
“Wireless functionality is provided by the wireless package. Without it, no wireless interfaces are present or configurable.”
René Meneses MTCNA Guide – Wireless Module:
“Only the wireless package is required to configure an AP. DHCP is used optionally for IP address assignment.”
MikroTik Wiki – Packages:
“The wireless package is responsible for enabling WLAN interfaces and features such as AP mode, client mode, and security.”
Other packages:
advanced-tools: includes tools like bandwidth-test and traffic generator
dhcp: only needed if the router is issuing IPs
routing: required for static/dynamic routing but not AP setup
Only Option A is required.
On the advanced menu of the wireless setup there is a parameter called “Area”. It works directly with:
Options:
A. Connect List
B. Access List
C. None of these
D. Security Profile
Answer: B
Explanation:
The “Area” parameter is a user-defined tag in the wireless interface configuration that works with the Access List in MikroTik RouterOS. It allows grouping of clients or APs for filtering or configuration logic.
When an Access List rule includes an area name, it will only apply to devices matching that area.
Option breakdown:
A. Connect List → Incorrect. Area is not used here.
B. Access List → ✔ Correct. “Area” is matched directly in Access List rules.
C. None of these → Incorrect.
D. Security Profile → Incorrect. Security Profiles control authentication/encryption, not area filtering.
Extract from Official MTCNA Course Material – Wireless Access List:
"The Area field allows you to group wireless interfaces and filter clients based on Access List rules that include this tag."
Extract from Terry Combs Notes – Wireless Configuration:
“Area is a label that can be referenced in Access List rules to apply rules selectively.”
Extract from MikroTik Wiki – Wireless Access List Section:
"Area is used in Access List to assign rules based on interface groups or locations."
What is the term for the hardware coded address found on an interface?
Options:
A. FQDN Address
B. IP Address
C. Interface Address
D. MAC Address
Answer: D
Explanation:
The hardware-coded address that uniquely identifies a device's network interface card (NIC) on the local network is called a MAC address. It is “burned in” by the hardware manufacturer and remains constant unless manually overridden.
MAC stands for Media Access Control, and it operates at Layer 2 of the OSI model. It is used to identify devices on a local area network.
A. FQDN (Fully Qualified Domain Name) refers to a human-readable name used in DNS.
B. IP Address is a logical address used for routing at Layer 3.
C. Interface Address is a generic term and not a standard identifier.
D. MAC Address is correct and refers to the physical, hardware-encoded address on an interface.
Extract from MTCNA Course Manual – RouterBOARD Overview:
“A MAC address is a globally unique hardware identifier assigned to each Ethernet or wireless interface. It is used by Layer 2 to ensure local delivery.”
René Meneses Study Guide – MAC & OSI Layering:
“The MAC address is a 48-bit physical identifier, hardcoded by the device vendor and located in the NIC chip.”
Terry Combs MTCNA Notes – Layer 2 Concepts:
“MAC = Physical Address = Layer 2 Identifier. It’s what switches use to forward Ethernet frames.”
===========
From which of the following locations can you obtain Winbox?
Options:
A. Router’s webpage
B. Files menu in your router
C. Via the console cable
D. mikrotik.com
Answer: D
Explanation:
Winbox is a small, native Windows utility provided by MikroTik for graphical administration of RouterOS devices. It is typically downloaded from MikroTik's official website.
A. Router’s webpage → Incorrect. While the router’s WebFig interface may allow configuration, it does not offer a Winbox download.
B. Files menu → Incorrect. The Files menu is for storing backups or firmware packages, not distributing Winbox.
C. Console cable → Incorrect. Console access is CLI only; no GUI utilities can be transferred through it.
D. mikrotik.com → Correct. The only official and secure location to download Winbox is the MikroTik website.
Extract from Official MTCNA Course Material – RouterOS Introduction:
“Winbox can be downloaded from the official MikroTik website. It provides a GUI frontend for managing RouterOS.”
Extract from René Meneses MTCNA Study Guide – RouterOS Access Methods:
“You can download Winbox from mikrotik.com under the Software Tools section.”
Extract from Terry Combs MTCNA Notes – Access Methods:
“Winbox is a Windows application that must be downloaded from MikroTik’s website. It is not available directly from the router.”
===========
How many layers does the Open Systems Interconnection model have?
Options:
A. 6
B. 9
C. 5
D. 7
E. 12
Answer: D
Explanation:
The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a communication system into seven distinct layers. It is used to understand and design computer networking systems.
The seven layers of the OSI model are:
Application
Presentation
Session
Transport
Network
Data Link
Physical
Each layer has its own specific purpose and interacts with adjacent layers to perform data transmission functions.
MTCNA Official Course Material – OSI Model Chapter:
“The OSI model consists of 7 layers. Understanding these layers is critical for troubleshooting and protocol analysis.”
René Meneses MTCNA Study Guide – OSI Model Section:
“There are exactly seven OSI layers. They range from the Physical Layer (Layer 1) to the Application Layer (Layer 7).”
Terry Combs Notes – OSI Summary Page:
“OSI = 7 Layers. The most important ones for network engineers are Layer 1 through Layer 4.”
Answer: D
QUESTION NO: 13 [Routing]
How many usable IP addresses are there in a 20-bit subnet?
A. 4096
B. 4094
C. 2046
D. 2048
E. 2047
Answer: B
A /20 subnet means that 20 bits are used for the network portion, and 12 bits are left for host addresses. The total number of IP addresses available in such a subnet is:
2^12 = 4096 (total addresses)
Usable IP addresses = 4096 - 2 = 4094
→ (1 address is reserved for the network ID, and 1 for the broadcast address)
MTCNA Course Manual – Subnetting and IP Allocation:
“A subnet with n host bits gives 2^n total addresses. Always subtract 2 to account for network and broadcast addresses.”
René Meneses Study Guide – Subnet Calculations:
“/20 = 12 host bits → 4096 total IPs. Usable = 4094. Remember to subtract 2.”
Terry Combs MTCNA Notes – Addressing Math:
“20-bit subnet = 4094 usable IPs. Know how to compute 2^x and subtract 2.”
Answer: B
QUESTION NO: 14 [Routing]
You have a router with the following configuration:
Public IP: 202.168.125.45/24
Default gateway: 202.168.125.1
DNS server: 248.115.148.136, 248.115.148.137
Local IP: 192.168.2.1/24
Mark the correct configuration on client PC to access the Internet:
A. IP: 192.168.0.1/24, gateway: 192.168.2.1
B. IP: 192.168.2.253/24, gateway: 202.168.0.1
C. IP: 192.168.2.115/24, gateway: 192.168.2.1
D. IP: 192.168.2.2/24, gateway: 202.168.125.45
E. IP: 192.168.1.223/24, gateway: 248.115.148.136
Answer: C
To correctly configure a host in a private network behind a router:
The IP must match the local subnet (192.168.2.0/24)
The gateway must be the router’s local IP (192.168.2.1)
DNS settings can be default or custom, but IP and gateway must be valid
Let’s evaluate:
A. 192.168.0.1 → Wrong subnet (192.168.0.0/24 ≠ 192.168.2.0/24) ❌
B. Gateway 202.168.0.1 → Invalid internal gateway ❌
C. IP 192.168.2.115 with gateway 192.168.2.1 → ✅ Correct subnet and correct gateway
D. Gateway 202.168.125.45 → This is router’s public IP, not the correct gateway for LAN ❌
E. IP 192.168.1.223 → Wrong subnet; also, gateway is DNS IP ❌
MTCNA NAT Section – Network Configuration:
“Clients should be in the same subnet as the router’s local IP and must use that local IP as their gateway to reach outside networks.”
René Meneses Guide – Gateway and Addressing:
“The client’s IP should belong to the same subnet as the local router interface. Always verify gateway IP points to the internal address.”
Terry Combs Notes – Default Gateway Setup:
“The default gateway for local clients must be the internal router IP — not the public or DNS IP.”
Answer: C
QUESTION NO: 15 [RouterBOARD Hardware]
Collisions are possible in full-duplex Ethernet networks:
A. true
B. false
Answer: B
In full-duplex Ethernet, devices can transmit and receive simultaneously on separate physical or logical channels. This eliminates the possibility of collisions because there is no need for devices to listen before transmitting — unlike half-duplex Ethernet, which uses CSMA/CD to manage potential collisions.
Full-duplex connections are the standard in modern switching environments and are always collision-free.
MTCNA Official Course Material – Ethernet & Duplex Modes:
“In full-duplex Ethernet, there are separate transmit and receive paths, and therefore, collisions cannot occur.”
René Meneses Study Guide – Ethernet Basics:
“Full-duplex = simultaneous send/receive = no collisions. Collisions are a legacy issue from half-duplex Ethernet.”
Terry Combs MTCNA Notes – CSMA/CD and Ethernet:
“Collision Detection (CD) is not used in full-duplex. Only half-duplex environments use CSMA/CD to manage access.”
Select valid subnet masks:
Options:
A. 255.192.0.0
B. 255.255.192.255
C. 192.0.0.0
D. 255.255.224.0
Answer: D
Explanation:
Subnet masks are used in IP networking to define the boundary between the network portion and the host portion of an IP address. A valid subnet mask must consist of a contiguous block of 1s followed by a contiguous block of 0s in its binary representation.
Let’s analyze the given options:
A. 255.192.0.0 – This is not a standard or valid subnet mask because the 1s are not contiguous beyond the second octet. This is typically used in class A subnetting but is not commonly considered valid in CIDR or MTCNA context. While technically binary-valid, it’s not recommended or standard for practical subnetting.
B. 255.255.192.255 – Invalid, because the last octet is 255, which implies all bits are 1s, but in the third octet only partial bits are set (192 is 11000000). This breaks the required rule of contiguous 1s followed by contiguous 0s.
C. 192.0.0.0 – Invalid, as it doesn’t represent a valid subnet mask. 192 in the first octet (11000000) followed by zeros is not a valid mask – it's actually a network address, not a subnet mask.
D. 255.255.224.0 – Valid subnet mask. This represents /19 in CIDR notation. In binary: 11111111.11111111.11100000.00000000, which follows the correct rule of contiguous 1s followed by contiguous 0s.
Extract from MTCNA Study Guide by René Meneses:
Subnet masks must be a continuous string of 1s followed by a continuous string of 0s. Any deviation or split between the blocks renders the mask invalid.
Extract from MTCNA Official Course Manual:
Valid subnet masks include values such as 255.0.0.0 (/8), 255.255.0.0 (/16), 255.255.255.0 (/24), and also non-classful masks like 255.255.224.0 (/19) are allowed and used for more flexible subnetting.
Conclusion: Option D is the only one meeting the criteria for a valid subnet mask as taught in the MTCNA curriculum.
===========
Is ARP used in the IPv6 protocol?
Options:
A. True
B. False
Answer: B
Explanation:
Address Resolution Protocol (ARP) is used in IPv4 to resolve IP addresses into MAC addresses. However, in IPv6, ARP is completely replaced by the Neighbor Discovery Protocol (NDP), which is part of ICMPv6. Therefore, ARP is not used in IPv6 at all.
A. True → Incorrect. ARP is exclusive to IPv4.
B. False → Correct. IPv6 replaces ARP with ICMPv6-based mechanisms.
Extract from Official MTCNA Course Material – IPv6 Overview:
“IPv6 does not use ARP. Instead, it uses the Neighbor Discovery Protocol (NDP), which provides similar functionality using ICMPv6 messages.”
Extract from René Meneses MTCNA Study Guide – IPv6 Chapter:
“In IPv6, the legacy ARP protocol is replaced with Neighbor Solicitation and Advertisement messages as part of the Neighbor Discovery Protocol.”
Extract from MikroTik Wiki – IPv6 Concepts:
“ARP is not used in IPv6. Instead, Neighbor Discovery Protocol handles address resolution, router discovery, and prefix information.”
What is the meaning of letter "R" on an active session in the menu PPP Active Connections?
Options:
A. Radius
B. Running
C. Remote
Answer: B
Explanation:
In the PPP > Active Connections window in RouterOS, the letter "R" in the "Flags" column indicates the session is Running. This means the session is active and fully negotiated.
A. ✘ Radius – Not what "R" stands for in this context
B. ✔ Running – The connection is established and currently operating
C. ✘ Remote – Not relevant in this context
Extract from MTCNA Course Material – PPP Interface Flags:
“R indicates a Running state. The session is successfully established and data can be transmitted.”
Extract from MikroTik Wiki – PPP Flags Reference:
“R = Running. The session is active.”
A NAT rule is going to catch SMTP traffic and send it to a specific mail server. What is the correct action for a NAT rule?
Options:
passthrough
dst-nat
redirect
tarpit
Answer:
B
Explanation:
To redirect SMTP (port 25) traffic from users to a specific internal or external SMTP server, you must use dst-nat. This modifies the destination address and port to point to the desired mail server.
A. ✘ passthrough – Allows the packet to be evaluated by other NAT rules; it doesn't alter traffic
B. ✔ dst-nat – Rewrites destination IP/port; this is what is needed to redirect SMTP to a specific server
C. ✘ redirect – Sends traffic to the router itself; not suitable for external redirection
D. ✘ tarpit – Used for slowing down malicious TCP connections, not redirection
Extract from MTCNA Course Material – NAT Types:
“Use dst-nat to change the destination IP address. This is suitable for port forwarding or service redirection.”
Extract from René Meneses Study Guide – NAT Rules:
“To redirect traffic to a specific server, use action=dst-nat and specify the new destination address.”
===========
Mark all correct answers.
Options:
/ip firewall filter allows denying authentication to the AP
Wireless access-list could allow and deny connections to your AP
Default-Forwarding could be enabled for specific clients by wireless access-list
The only way to prevent wireless client connections is to disable the wireless interface
Answer:
B, C
Explanation:
Let’s evaluate each statement:
A. ✘ Incorrect – /ip firewall filter can block traffic after association/authentication but cannot directly prevent wireless authentication. Association happens before IP-level filtering.
B. ✔ Correct – Wireless access-list allows or denies associations based on MAC address and other parameters (signal strength, etc.).
C. ✔ Correct – Access-list rules can enable/disable default-forwarding per client (overriding global setting).
D. ✘ Incorrect – Disabling the wireless interface is not the only way. You can use access-list or disable SSID broadcast.
Extract from MTCNA Course Material – Wireless Access List:
“Access List provides client control based on MAC address. You can accept, reject, and even override default-forwarding per client.”
Extract from René Meneses MTCNA Study Guide – Access Control:
“Wireless Access List can selectively allow or deny clients and enforce individual settings like forwarding.”
Extract from MikroTik Wiki – Wireless Access List:
“The firewall filter is not involved in authentication. Access control must be done at the wireless layer using access-lists.”
===========
Mark all packages required for PPPoE server on MikroTik RouterOS
Options:
ppp
user-manager
radius
synchronous
system
Answer:
A, E
Explanation:
The PPPoE server functionality in RouterOS relies primarily on the PPP package, which includes support for protocols like PPP, PPPoE, PPTP, L2TP, SSTP, etc. The system package is also always required, as it contains the core OS components.
Option breakdown:
A. ✔ ppp – Required. Contains all PPP and PPPoE server/client implementations.
B. ✘ user-manager – Optional. Used for advanced AAA (authentication/accounting), not required for basic PPPoE.
C. ✘ radius – Optional. Used for external authentication, not essential unless RADIUS integration is needed.
D. ✘ synchronous – Used for legacy synchronous interfaces (e.g., serial or modem), not for PPPoE.
E. ✔ system – Required for all RouterOS functions.
Extract from Official MTCNA Course Material – RouterOS Packages:
“To enable PPPoE server functionality, you need the ppp and system packages. Radius and User Manager are optional.”
Extract from René Meneses MTCNA Study Guide – PPPoE Deployment:
“Only the ppp and system packages are strictly required. Additional features like radius are for centralized authentication.”
Extract from MikroTik Wiki – RouterOS Package Descriptions:
“ppp: required for PPP, PPTP, L2TP, PPPoE; system: required core package. user-manager and radius are optional.”
===========
Select all tunnels that support authentication of clients with a username and password.
Options:
PPPoE
OpenVPN
IPIP
PPTP/L2TP
EoIP
Answer:
A, B, D
Explanation:
Only tunnel types built on PPP support authentication with username and password:
A. ✔ PPPoE – Built on PPP, uses CHAP, PAP authentication.
B. ✔ OpenVPN – Supports user/password login for client authentication.
C. ✘ IPIP – A stateless Layer 3 tunnel; no authentication support.
D. ✔ PPTP/L2TP – Both are PPP-based and support username/password authentication.
E. ✘ EoIP – MikroTik proprietary Layer 2 tunnel; no username/password authentication.
Extract from MTCNA Course Material – Tunnel Types:
“PPPoE, PPTP, and L2TP are PPP-based and support user/password authentication. IPIP and EoIP do not.”
Extract from René Meneses Study Guide – Tunnel Protocols:
“Authentication (PAP/CHAP) is part of PPP. Use PPPoE, PPTP, L2TP, or OpenVPN for user logins.”
Extract from MikroTik Wiki – Tunnel Protocols Overview:
“Only PPP-based tunnels support authentication via username/password.”
===========
Choose all valid host address ranges for subnet 15.242.55.62/27
Options:
15.242.55.33 – 15.242.55.62
15.242.55.32 – 15.242.55.63
15.242.55.31 – 15.242.55.62
15.242.55.33 – 15.242.55.63
Answer:
A
Explanation:
/27 subnet = 255.255.255.224 → block size of 32
To determine the subnet range:
Start by finding block base: 15.242.55.62 falls in the 15.242.55.32/27 subnet
Range: 15.242.55.32 – 15.242.55.63
Network Address = 15.242.55.32
Broadcast Address = 15.242.55.63
Usable Host Range = 15.242.55.33 to 15.242.55.62
Evaluation:
A. 15.242.55.33 – 15.242.55.62 → ✅ Valid host range
B. 15.242.55.32 – 15.242.55.63 → ❌ Includes network and broadcast addresses
C. 15.242.55.31 – 15.242.55.62 → ❌ 15.242.55.31 is outside this subnet
D. 15.242.55.33 – 15.242.55.63 → ❌ Includes broadcast address
MTCNA Course Slides – Subnetting:
“In a /27 subnet (block size 32), the first address is the network, last is broadcast. Only the IPs in between are valid host addresses.”
René Meneses Guide – Subnetting Examples:
“A /27 includes 32 addresses. For subnet 192.168.1.32/27, usable IPs are 192.168.1.33–62.”
Terry Combs Notes – Addressing Exercises:
“Subtract 2 from total IPs in subnet for host count. Don't use .0 (network) or .255 (broadcast) equivalents.”
Answer: A
Mark the queue types that are available in RouterOS
Options:
SFQ – Stochastic Fairness Queuing
DRR – Deficit Round Robin
FIFO – First In First Out (for Bytes or for Packets)
LIFO – Last In First Out
PCQ – Per Connection Queuing
RED – Random Early Detect (or Drop)
Answer:
A, C, E, F
Explanation:
MikroTik RouterOS offers several queuing types under /queue type. These queuing algorithms manage how packets are buffered and sent, affecting fairness, delay, and throughput.
Available queue types in RouterOS:
SFQ (Stochastic Fairness Queuing) ✔
FIFO (First In First Out – for bytes or packets) ✔
PCQ (Per Connection Queuing) ✔
RED (Random Early Detection/Drop) ✔
Unavailable queue types:
DRR ✘ – Not supported by RouterOS
LIFO ✘ – Not supported; not suitable for networking queues
Extract from Official MTCNA Course Material – Queue Types:
"RouterOS supports PCQ, SFQ, RED, FIFO, and more. DRR and LIFO are not implemented."
Extract from René Meneses MTCNA Study Guide – Traffic Management:
“Only PCQ, FIFO, SFQ, RED are listed under /queue type. DRR and LIFO do not appear in the supported list.”
Extract from MikroTik Wiki – Queue Types:
“Supported types include FIFO, PCQ, RED, and SFQ. Each has specific use cases for latency or fairness.”
===========
How many usable IP addresses are there in a 20-bit subnet?
Options:
2047
4096
2048
2046
4094
Answer:
E
Explanation:
A /20 subnet means 32 - 20 = 12 bits are available for host addresses.
Total IPs: 2¹² = 4096
Usable IPs = 4096 - 2 = 4094 (excluding network and broadcast addresses)
Therefore, 4094 usable IP addresses exist in a /20 subnet.
Option breakdown:
A. 2047 → Incorrect, would apply to a /21 subnet (2048 total - 1)
B. 4096 → Incorrect, total IPs, not usable
C. 2048 → Incorrect
D. 2046 → Incorrect
E. 4094 → ✔ Correct
Extract from MTCNA Course Material – IP Addressing/Subnetting Section:
"Number of usable hosts = 2^host-bits - 2 (network and broadcast). For /20, 2^12 - 2 = 4094."
Extract from Terry Combs Notes – IP Subnet Calculations:
“A /20 gives 4096 IPs total, 4094 usable.”
===========
Which statements are true regarding ICMP packets?
ICMP guarantees datagram delivery.
ICMP can provide hosts with information about network problems.
ICMP is encapsulated within IP datagrams.
ICMP is encapsulated within UDP datagrams.
Options:
1 only
2 and 3
1 and 4
All of the above
Answer:
B
Explanation:
ICMP (Internet Control Message Protocol) is used for diagnostics and error reporting in IP networks. It is encapsulated directly within IP datagrams and not over UDP or TCP. It does not guarantee delivery — it merely provides feedback about problems (e.g., host unreachable, time exceeded).
MTCNA Course Material – ICMP and Network Tools:
“ICMP is used for error messages and operational queries such as ping and destination unreachable. It is encapsulated in IP and does not use TCP or UDP.”
René Meneses MTCNA Study Guide – ICMP Section:
“ICMP provides diagnostic information. It is a Layer 3 protocol encapsulated directly in IP. It does not provide guaranteed delivery.”
MikroTik Wiki – ICMP Overview:
“ICMP packets are carried in IP packets and used for control messages. They are not transported using TCP or UDP.”
Breakdown:
Statement 1: False – ICMP does not guarantee delivery
Statement 2: True – provides network problem feedback
Statement 3: True – encapsulated in IP
Statement 4: False – ICMP is not encapsulated in UDP
Correct set: 2 and 3
Final Answer: B
QUESTION NO: 106 [RouterOS Introduction]
Which Layer 4 protocol is used for a Telnet connection?
A. IP
B. TCP
C. TCP/IP
D. UDP
Answer: B
Telnet is a protocol used to access remote devices via command-line over the network. It operates over TCP at Layer 4, using port 23.
MTCNA Course Material – Layer 4 Protocols:
“Telnet uses TCP port 23 for remote shell access. TCP ensures ordered and reliable delivery of commands and responses.”
René Meneses MTCNA Study Guide – TCP/IP Protocols:
“Telnet is an Application Layer protocol using TCP as its transport protocol.”
MikroTik Wiki – Telnet Access:
“Telnet communicates over TCP. It does not use UDP.”
Other options:
A. IP is a Layer 3 protocol
C. TCP/IP is a model, not a single protocol
D. Telnet does not use UDP
Final Answer: B
QUESTION NO: 107 [RouterOS Introduction]
Which of the following are layers in the TCP/IP model?
Application
Session
Transport
Internet
Data Link
Physical
A. 1 and 2
B. 1, 3 and 4
C. 2, 3 and 5
D. 3, 4 and 5
Answer: B
The TCP/IP model has four layers:
Application
Transport
Internet
Network Access (includes Data Link & Physical in OSI terms)
Session is part of the OSI model, not TCP/IP.
MTCNA Course Material – TCP/IP vs OSI Model:
“The TCP/IP model has Application, Transport, Internet, and Network Access layers. Application includes OSI’s Session, Presentation, and Application layers.”
René Meneses MTCNA Guide – Model Comparison:
“The TCP/IP model consists of: Application, Transport, Internet, and Network Access (which covers Data Link and Physical). Session layer is part of OSI.”
So, correct TCP/IP layers from the given list:
Application (✔)
Transport (✔)
Internet (✔)
Session is not part of TCP/IP model.
Final Answer: B
QUESTION NO: 108 [RouterOS Introduction]
Which statements are true regarding ICMP packets?
They acknowledge receipt of a TCP segment.
They guarantee datagram delivery.
They can provide hosts with information about network problems.
They are encapsulated within IP datagrams.
A. 1 only
B. 2 and 3
C. 3 and 4
D. 2, 3 and 4
Answer: C
Reiterating from earlier:
ICMP does not acknowledge TCP segments; that’s TCP’s job.
ICMP does not guarantee delivery; it’s an unreliable protocol.
ICMP does provide diagnostics (e.g., unreachable, TTL exceeded).
ICMP is encapsulated directly in IP, not over TCP/UDP.
MTCNA Course Material – ICMP Behavior:
“ICMP is used for control messages like ping and unreachable. It provides feedback and is encapsulated in IP.”
René Meneses MTCNA Study Guide – ICMP & IP Layer:
“ICMP is a Layer 3 protocol, not used to acknowledge TCP, and is wrapped in IP datagrams.”
Correct:
Statement 3: True
Statement 4: True
To use masquerade, you need to specify:
Options:
action=accept, out-interface, chain=src-nat
action=masquerade, out-interface, chain=src-nat
action=masquerade, in-interface, chain=src-nat
action=masquerade, out-interface, chain=dst-nat
Answer:
B
Explanation:
Masquerading is a form of source NAT (src-nat) where the router dynamically replaces the source address of outgoing packets with the IP address of the router’s outgoing interface. This is commonly used when internal LAN clients access the internet through a single public IP.
Key points for masquerade configuration:
Use chain=src-nat (because it modifies the source address)
Use action=masquerade
Specify the out-interface (i.e., the WAN interface)
MTCNA Course Material – NAT Section:
“To configure masquerading, use chain=src-nat and action=masquerade. Specify out-interface to define the traffic direction.”
René Meneses MTCNA Study Guide – NAT Examples:
“Masquerade automatically uses the IP address of the specified out-interface. Required parameters: chain=src-nat, action=masquerade, out-interface.”
MikroTik Wiki – Source NAT / Masquerade:
“Masquerade is a special form of src-nat. You must use it in chain=src-nat and define the out-interface for which NAT will be applied.”
Option A: Incorrect action=accept (used in filter rules, not NAT)
Option C: in-interface is not applicable here
Option D: chain=dst-nat is used for destination NAT, not source NAT
Only Option B is fully correct.
Final Answer: B
QUESTION NO: 94 [Tools]
In which situations can Netinstall NOT be used to install a RouterBOARD?
A. The router does not have an operating system
B. The router is connected only to a wireless network
C. You do not know the password of the router
D. The router is connected only to a secondary Ethernet port
Answer: B
Netinstall works over a wired Ethernet connection and uses PXE or Etherboot to install RouterOS over the network. It cannot function over wireless, as wireless interfaces do not support PXE booting or Netinstall protocols.
MTCNA Course Material – Netinstall Overview:
“Netinstall requires a direct Ethernet connection between the PC and the router. Wireless interfaces are not supported for Netinstall procedures.”
René Meneses MTCNA Guide – Netinstall:
“Netinstall only works over Ethernet. You cannot Netinstall a device connected only through Wi-Fi.”
MikroTik Wiki – Netinstall Prerequisites:
“Router must be connected via Ethernet. Wireless and USB interfaces are not supported.”
Other options:
A: This is a typical use case (installing RouterOS when OS is missing)
C: Netinstall bypasses password (not needed)
D: Netinstall can work via any Ethernet port, provided it's accessible
Final Answer: B
QUESTION NO: 95 [Monitoring and Logging]
MikroTik RouterOS is sending logs to an external syslog server. Which protocol and port is used by RouterOS for sending logs (by default)?
A. UDP 514
B. UDP 21
C. UDP 113
D. TCP 110
Answer: A
RouterOS uses the industry-standard syslog protocol for remote logging. By default, syslog uses UDP port 514.
MTCNA Course Material – Logging Section:
“For sending logs to a remote syslog server, RouterOS uses the syslog protocol on UDP port 514 by default.”
René Meneses MTCNA Guide – Monitoring & Logging:
“External logging is done using UDP port 514, which is the standard syslog protocol port.”
MikroTik Wiki – Logging Configuration:
“To send logs to a remote server, configure an action of type remote with a remote address and use UDP port 514 unless otherwise changed.”
Other ports:
UDP 21 = FTP (not logging)
UDP 113 = Ident protocol
TCP 110 = POP3
Only UDP 514 is correct.
Final Answer: A
QUESTION NO: 96 [RouterBOARD Hardware]
Can you manually add drivers to RouterOS in case your PCI Ethernet card is not recognized, and you suspect it is a driver issue?
A. Yes
B. No
Answer: B
RouterOS is a closed, embedded Linux-based system. It does not support adding custom drivers or compiling modules manually. You must use supported hardware that is natively compatible with RouterOS.
MTCNA Course Material – RouterBOARD Compatibility:
“RouterOS supports a fixed set of drivers. You cannot install third-party drivers or modules.”
René Meneses MTCNA Guide – Hardware Limitations:
“Custom drivers cannot be added to RouterOS. Use only supported network interface cards as listed by MikroTik.”
MikroTik Wiki – Hardware Support:
“RouterOS does not allow manual driver installation. All drivers are precompiled and built into the system image.”
Therefore, if your PCI Ethernet card is not recognized, you must replace it with a compatible model — you cannot add a driver manually.
Action=redirect is applied in:
Options:
chain=srcnat
chain=forward
chain=dstnat
Answer:
C
Explanation:
The redirect action is only valid in the dstnat chain. It is used to redirect traffic to a service running on the router itself (e.g., redirecting HTTP to a local proxy server).
A. ✘ srcnat – Not compatible with redirect
B. ✘ forward – Redirect doesn’t apply in this chain
C. ✔ dstnat – This is the correct and only supported chain for action=redirect
Extract from Official MTCNA Course Material – NAT Actions:
“The redirect action is used within the dstnat chain to forward packets to the router’s local services.”
Extract from MikroTik Wiki – NAT Rule Actions:
“Redirect is used in dstnat chain and changes destination address to a local router IP and port.”
===========
In MikroTik RouterOS, Layer 3 communication between 2 hosts can be achieved by using an address subnet of:
Options:
/31
/29
/32
/30
Answer:
A
Explanation:
In traditional IPv4 subnetting, a /30 is often used to connect two hosts directly, giving two usable IPs. However, MikroTik RouterOS (and as per RFC 3021) supports the use of /31 subnet masks for point-to-point links. A /31 provides exactly two IP addresses — which are both usable — and is ideal for conserving IP space on router-to-router links.
Subnet details for /31:
Total addresses: 2
Usable addresses: 2 (both can be assigned to endpoints, no broadcast)
Evaluation:
A. /31 → ✅ Supported by MikroTik for point-to-point links (2 hosts only)
B. /29 → Provides 6 usable IPs; more than needed for 2 hosts
C. /32 → Single host only; no communication possible with second device
D. /30 → Valid, but less efficient than /31
MTCNA Course Manual – IP Addressing and Point-to-Point Communication:
“MikroTik RouterOS allows the use of /31 subnets for point-to-point communication. Both IPs are usable.”
René Meneses MTCNA Guide – IP & Routing Concepts:
“For links between exactly two devices, /31 saves address space and is supported by MikroTik.”
Terry Combs Notes – Subnet Efficiency:
“Use /30 or /31 for point-to-point links. MikroTik supports /31 fully, unlike older systems.”
Answer: A
QUESTION NO: 17 [Monitoring and Logging]
Which of the following protocols/ports are used for SNMP (Simple Network Management Protocol)?
A. TCP 25
B. TCP 161
C. UDP 162
D. TCP 162
E. TCP 123
F. UDP 161
Answer: C, F
SNMP uses UDP as its transport protocol. The standard ports are:
UDP port 161 → used for SNMP queries (polling)
UDP port 162 → used for SNMP traps (asynchronous alerts)
Incorrect options:
A. TCP 25 → SMTP (email), not related to SNMP
B. TCP 161 → SNMP does not use TCP
D. TCP 162 → Incorrect; SNMP traps use UDP
E. TCP 123 → NTP (Network Time Protocol)
Correct answers:
C. UDP 162 ✅
F. UDP 161 ✅
MTCNA Course – Monitoring Tools & SNMP:
“SNMP operates over UDP. Port 161 is used for polling, and port 162 is used for traps.”
René Meneses MTCNA Guide – SNMP Overview:
“SNMP uses UDP 161 and 162 for communication between manager and agents.”
Terry Combs Notes – Protocol and Port Summary:
“Remember: SNMP = UDP 161/162. Do not confuse with TCP-based protocols.”
Answer: C, F
QUESTION NO: 18 [RouterOS Introduction]
Which of the following are valid IP addresses?
A. 10.10.14.0
B. 192.168.256.1
C. 192.168.13.255
D. 1.27.14.254
Answer: A, C, D
An IPv4 address is a 32-bit number divided into 4 octets. Each octet must be between 0 and 255.
Let’s evaluate:
A. 10.10.14.0 → ✅ Valid; .0 is legal, may represent a network or host depending on subnet
B. 192.168.256.1 → ❌ Invalid; 256 exceeds the max octet value (0–255)
C. 192.168.13.255 → ✅ Valid broadcast or host IP, depending on subnet
D. 1.27.14.254 → ✅ All octets are within valid range
MTCNA Training Manual – IP Basics:
“Each octet must be between 0 and 255. Addresses like 192.168.256.1 are invalid.”
René Meneses Guide – Valid IP Criteria:
“Watch for octets above 255 — they are illegal in IPv4.”
Terry Combs Notes – Address Format Validation:
“Decimal format must be checked — 256, 999, or negative values break IPv4 standards.”
Answer: A, C, D
QUESTION NO: 19 [Routing]
The network address is:
A. The first address of the subnet
B. The first usable address of the subnet
C. The last address of the subnet
Answer: A
The network address is the first IP address in a subnet. It identifies the entire network segment and cannot be assigned to any host.
For example, in 192.168.1.0/24:
192.168.1.0 → Network Address (non-assignable) ✅
192.168.1.1 – 192.168.1.254 → Usable host addresses
192.168.1.255 → Broadcast address
Clarifying:
A. First address of the subnet → ✅ Correct
B. First usable address → ❌ That would be second address
C. Last address of the subnet → ❌ That’s the broadcast
MTCNA Course Manual – Subnet Addressing:
“The first address in a subnet is reserved as the network ID. It cannot be assigned to a host.”
René Meneses Guide – Network and Broadcast Addresses:
“Network address = first IP in block, broadcast = last. Usable range lies in between.”
Terry Combs Notes – Host and Network Addressing:
“Always subtract 2 IPs: one for network and one for broadcast. Never assign .0 (network address) to a host.”
Your company has been assigned a 172.16.25.0/25 network from your ISP. What are the possible options to divide the network into subnets?
Options:
one /23 and one /27
four times /27
two times /24
two times /26
Answer:
D
Explanation:
The 172.16.25.0/25 subnet provides 128 IP addresses (2^7 = 128), including network and broadcast.
To subnet a /25 network (128 addresses), we can break it into:
2 x /26 → each with 64 addresses (62 usable) → ✅ Valid
4 x /27 → each with 32 addresses → Also valid, but let's verify options
Let’s analyze the options:
A. one /23 and one /27 → ❌ Invalid. /23 is larger than /25 — can’t derive a larger subnet from a smaller one.
B. four times /27 → ✅ Possible. 4 × 32 = 128. But not the best or only answer — and option D is more precise.
C. two times /24 → ❌ Invalid. /24 = 256 addresses; you can't divide a 128-address block into 2 larger ones.
D. two times /26 → ✅ Each /26 = 64 addresses. Two such subnets exactly fit into a /25 network.
MTCNA Course Manual – Subnetting and Address Planning:
“To divide a /25, you may use two /26s, four /27s, or other equal parts as long as they total no more than the parent subnet.”
René Meneses MTCNA Guide – Subnet Design:
“A /25 subnet can be split into 2 /26s (64 IPs each) or 4 /27s (32 IPs each), depending on host requirements.”
Terry Combs Notes – IP Subnetting Exercises:
“Always check if the proposed subnet sizes logically fit within the assigned block.”
Answer: D
QUESTION NO: 52 [Routing]
When using routing option check-gateway=ping, after how many timeouts is the gateway considered unreachable?
A. 4
B. 1
C. 2
D. 3
Answer: C
In MikroTik RouterOS, if you enable check-gateway=ping on a static route, RouterOS sends periodic ICMP echo requests (ping) to the specified gateway.
By default, the gateway is considered unreachable after:
2 consecutive ping timeouts → ✅
This status will cause the router to remove the route from the routing table until the gateway responds again.
Evaluations:
A. 4 → ❌ Too many
B. 1 → ❌ Too sensitive; only one timeout doesn’t mark it unreachable
C. 2 → ✅ Correct default behavior
D. 3 → ❌ Incorrect default
MTCNA Course Manual – Gateway Checking:
“When using check-gateway=ping, the router waits for two failed pings before declaring the route inactive.”
René Meneses Study Guide – Static Routing Behavior:
“check-gateway=ping disables the route after two ping failures.”
Terry Combs Notes – Route Monitoring:
“Ping-based route checks fail after 2 missed responses — that route becomes inactive.”
Answer: C
QUESTION NO: 53 [Wireless]
Which of the following is used in standard 802.11 wireless networks?
A. CSMA/CA
B. CDMA
C. FDD
D. CSMA/CD
Answer: A
802.11 (Wi-Fi) wireless networks use CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) as their access method.
Unlike wired Ethernet, which uses CSMA/CD (Collision Detection), wireless devices can’t detect collisions efficiently. So they use avoidance techniques, like:
RTS/CTS (Request to Send / Clear to Send)
Back-off timers
Evaluation:
A. CSMA/CA → ✅ Correct method used in wireless networks
B. CDMA → ❌ Used in cellular technologies like 3G, not Wi-Fi
C. FDD (Frequency Division Duplexing) → ❌ Not part of Wi-Fi MAC layer
D. CSMA/CD → ❌ Used in Ethernet (wired), not suitable for wireless
MTCNA Course Manual – 802.11 Wireless Principles:
“Wireless uses CSMA/CA to avoid collisions, as it’s difficult to detect them in the air.”
René Meneses Guide – Wireless Technology Overview:
“Wi-Fi operates under CSMA/CA, which is based on listen-before-talk and collision avoidance.”
Terry Combs Notes – Wi-Fi Access Methods:
“Wired = CSMA/CD. Wireless = CSMA/CA. They are not interchangeable.”
===========
What is the address range of a Class B network address in binary?
Options:
01xxxxxx
0xxxxxxx
10xxxxxx
110xxxxx
Answer:
C
Explanation:
IPv4 Class B addresses have their first two bits as 10 in binary. The range for Class B starts at 128.0.0.0 and goes up to 191.255.255.255, which in binary representation begins with 10xxxxxx.
MTCNA Course Material – IP Addressing and Classes:
“Class B IP addresses are identified by the first two bits being 10. This corresponds to IP addresses from 128.0.0.0 to 191.255.255.255.”
René Meneses MTCNA Study Guide – Address Classes:
“Class B: 128.0.0.0 – 191.255.255.255. Binary pattern: 10xxxxxx.”
Terry Combs MTCNA Notes – IP Addressing:
“The first octet of a Class B address starts with binary 10, followed by 6 variable bits.”
Other options:
A. 01xxxxxx: incorrect (used for experimental/reserved ranges)
B. 0xxxxxxx: represents Class A
D. 110xxxxx: indicates Class C
Final Answer: C
QUESTION NO: 102 [RouterOS Introduction – Protocols]
Which of the following protocols uses both TCP and UDP?
A. FTP
B. SMTP
C. Telnet
D. DNS
Answer: D
DNS (Domain Name System) can use both UDP and TCP. Typically:
UDP port 53 is used for standard DNS queries due to its lower overhead.
TCP port 53 is used for DNS zone transfers and when DNS responses exceed the UDP packet size (e.g., DNSSEC).
MTCNA Course Material – Protocol Overview:
“DNS uses UDP port 53 for standard queries and TCP port 53 for zone transfers or large responses.”
René Meneses MTCNA Study Guide – Protocol Functions:
“DNS can operate over UDP and TCP. UDP is faster and used for most lookups. TCP is used when the payload is too large or for zone transfers.”
MikroTik Wiki – DNS Protocols:
“DNS primarily uses UDP 53. For zone transfers (AXFR), TCP 53 is used.”
Other options:
A. FTP uses TCP (ports 20/21)
B. SMTP uses TCP (port 25)
C. Telnet uses TCP (port 23)
Only DNS uses both TCP and UDP.
Final Answer: D
QUESTION NO: 103 [RouterOS Introduction – IP Fundamentals]
What protocol is used to find the hardware address of a local device?
A. RARP
B. ARP
C. IP
D. ICMP
Answer: B
ARP (Address Resolution Protocol) is used to resolve IP addresses to MAC (hardware) addresses on a local network.
MTCNA Course Material – ARP & Layer 2 Communication:
“ARP translates an IP address to a MAC address on local networks. It is necessary for IP communication within a broadcast domain.”
René Meneses MTCNA Study Guide – ARP Explanation:
“When sending to a local IP, the host first uses ARP to determine the hardware address. This is done through broadcast ARP requests.”
MikroTik Wiki – ARP Functionality:
“RouterOS uses ARP to associate IP addresses with hardware (MAC) addresses in the LAN.”
Other options:
A. RARP is Reverse ARP, outdated and rarely used.
C. IP is the higher-layer addressing protocol.
D. ICMP is used for ping and diagnostics.
Only ARP (Option B) is correct.
Final Answer: B
QUESTION NO: 104 [RouterOS Introduction]
Which of the following are TCP/IP protocols used at the Application layer of the OSI model?
IP
TCP
Telnet
FTP
TFTP
A. 1 and 3
B. 1, 3 and 5
C. 3, 4 and 5
D. All of the above
Answer: C
In the OSI model:
Application layer protocols include Telnet, FTP, and TFTP.
IP is a Network Layer (Layer 3) protocol.
TCP is a Transport Layer (Layer 4) protocol.
MTCNA Course Material – OSI Model and Protocols:
“Application layer protocols provide services to user applications. Examples include FTP, TFTP, Telnet. TCP and IP operate at lower layers.”
René Meneses MTCNA Study Guide – TCP/IP Stack:
“Telnet, FTP, and TFTP are Application layer protocols. IP belongs to Layer 3. TCP is at Layer 4.”
Terry Combs MTCNA Notes – OSI Reference Model:
“Layer 7 (Application): FTP, HTTP, Telnet, TFTP.
Layer 4: TCP, UDP
Layer 3: IP”
Only Options 3 (Telnet), 4 (FTP), and 5 (TFTP) are Application layer protocols.
===========
What is possible with Netinstall?
Options:
MikroTik RouterOS reinstall
MikroTik RouterOS password reset with saving router's configuration
MikroTik RouterOS configuration reset
Answer:
A
Explanation:
Netinstall is a powerful utility provided by MikroTik that allows reinstallation of RouterOS on RouterBOARD devices. It is primarily used for:
Reflashing or reinstalling RouterOS
Recovering devices that are not booting correctly
Clearing configurations during reinstall
It does not allow you to reset the password without losing the configuration, nor is it used just for configuration reset.
MTCNA Official Course Material – Tools & Netinstall:
“Netinstall is used to reinstall RouterOS onto a MikroTik device via the network. It can be used to install a specific RouterOS version or wipe the existing installation.”
René Meneses MTCNA Guide – Tools Chapter:
“Netinstall allows you to reinstall RouterOS and optionally reset the configuration. It does not allow recovery of the existing password or configuration unless backed up beforehand.”
MikroTik Wiki – Netinstall Utility:
“Netinstall is a tool used for reinstalling RouterOS. It formats the system partition and reinstalls RouterOS. This is useful in case of misconfiguration or firmware corruption.”
Option B is incorrect — password reset is only possible via full configuration wipe.
Option C is not accurate — Netinstall reinstalls the entire OS, not just resets configuration.
Only A is correct.
Final Answer: A
QUESTION NO: 90 [Wireless]
You would like to allow multiple logins with one user name on a HotSpot server. How should this be configured?
A. Set "Shared Users" option at /ip HotSpot user profile
B. It's not possible
C. Set "Shared Users" option at /ip HotSpot
D. Set "only-one=no" at /ip HotSpot
Answer: A
MikroTik HotSpot user management allows defining how many simultaneous sessions a single username can support. This is done via the "Shared Users" option in the user profile configuration, not in the general HotSpot or interface settings.
MTCNA Course Material – HotSpot Section:
“Shared Users in user-profile allows multiple concurrent logins using the same username/password combination. Default is 1. If set to 3, then three sessions can be active simultaneously.”
René Meneses MTCNA Study Guide – HotSpot Configuration:
“The shared-users parameter in /ip hotspot user profile allows multiple concurrent sessions for the same user. This is commonly used in shared environments like hotels or cafes.”
Terry Combs MTCNA Notes – HotSpot Profiles:
“Shared-users is set per profile, not per user. If you want three devices to log in with the same account, set shared-users=3 in the profile assigned to that user.”
Option A is correct.
Option B is false — it is definitely possible.
Option C is incorrect — /ip hotspot does not contain this parameter.
Option D is invalid — “only-one” is not a known parameter in HotSpot configuration.
Final Answer: A
QUESTION NO: 91 [Routing]
When adding a static route, you must always ensure that you add both the gateway and the interface.
A. False
B. True
Answer: A
In RouterOS, specifying the gateway IP is sufficient for static routing as long as the gateway IP is reachable via a directly connected interface. The system automatically determines the correct interface based on the routing table. Adding an interface manually is only required in special cases, such as point-to-point links.
MTCNA Course Material – Static Routing Section:
“You can configure static routes by specifying the destination and gateway only. The system can resolve the interface automatically if the gateway is reachable.”
René Meneses MTCNA Study Guide – Routing Examples:
“The interface field is optional in most routing scenarios. MikroTik will find the outgoing interface if the gateway IP is in a directly connected subnet.”
MikroTik Wiki – Routing Configuration:
“In most cases, just the dst-address and gateway are sufficient. The interface will be determined by the router.”
Therefore, the idea that both gateway and interface must always be defined is incorrect.
Final Answer: A
QUESTION NO: 92 [Wireless]
Please select valid scan-list values in interface wireless configuration:
A. 5560,5620-5700
B. 5640~5680
C. default,5560,5600,5660-5700
D. 5540,5560,5620+5700
Answer: C
The scan-list option defines the frequencies that a wireless interface should scan or operate on. Valid formats include:
Single frequencies: e.g., 5560
Ranges: e.g., 5660-5700
Including "default" for system-determined values
Comma-separated lists are accepted
Characters like ~ or + are not allowed.
MTCNA Official Course Material – Wireless Configuration:
“scan-list can include frequency numbers and ranges separated by commas. Example: 5500,5520-5700. Use ‘default’ to use the standard channel list.”
René Meneses MTCNA Guide – Wireless Interface Options:
“Valid scan-list includes entries like: 5180,5200-5320, or default. Invalid characters such as ‘~’ or ‘+’ are not supported.”
MikroTik Wiki – Wireless Manual:
“Values can be comma-separated frequencies and ranges. Symbols such as ‘+’ or ‘~’ are not allowed in scan-list values.”
Option A: valid format
Option B: invalid (‘~’ is not allowed)
Option C: valid — includes default and proper ranges
Option D: invalid — ‘+’ symbol is not allowed
Thus, Option C is the only valid and complete answer.
Bridging loops can be avoided by enabling:
Options:
RSTP protocol
STP protocol
Connection tracking
UDP filter
ICMP filter
Answer:
A, B
Explanation:
Bridging loops occur when there are multiple active paths between switches or bridge interfaces, causing broadcast storms or MAC table instability. MikroTik RouterOS supports both STP (Spanning Tree Protocol) and RSTP (Rapid Spanning Tree Protocol) to detect and block redundant paths.
A. ✔ RSTP – Faster and preferred protocol to prevent loops.
B. ✔ STP – The original protocol, slower convergence but still effective.
C. ✘ Connection tracking – Not related to Layer 2 loop prevention.
D. ✘ UDP filter – Filters specific traffic types, doesn’t handle loops.
E. ✘ ICMP filter – Not relevant to Layer 2 loop protection.
Extract from Official MTCNA Course Material – Bridging and STP:
“STP or RSTP must be enabled to prevent bridging loops. RSTP is the recommended version due to faster convergence.”
Extract from René Meneses MTCNA Study Guide – Bridging:
“Always enable STP or RSTP when using bridges with multiple paths to prevent Layer 2 loops.”
Extract from MikroTik Wiki – STP / RSTP:
“STP and RSTP are loop prevention mechanisms for bridges. They dynamically block redundant links.”
===========
MAC layer by OSI model is also known as
Options:
Layer 2
Layer 1
Layer 6
Layer 7
Layer 3
Answer:
A
Explanation:
The MAC layer (Media Access Control) is a sub-layer of the Data Link Layer, which is known as Layer 2 in the OSI (Open Systems Interconnection) model. This layer is responsible for the delivery of frames between devices on the same local network. The MAC sub-layer controls how a device on the network gains access to the medium and permission to transmit data.
Extract from René Meneses MTCNA Study Guide – OSI Model Section:
"The MAC layer, or Media Access Control, is part of Layer 2 (Data Link Layer) in the OSI model. It handles physical addressing and access to the medium, such as Ethernet. MAC addresses are used at this level to identify source and destination interfaces in the same network segment."
Extract from Terry Combs MTCNA Notes – OSI Layers Overview:
"Layer 2 is the Data Link Layer and contains two sublayers: LLC (Logical Link Control) and MAC (Media Access Control). The MAC sub-layer is the portion that directly interacts with the network interface and is responsible for MAC addressing and frame delivery."
Extract from MikroTik Wiki – OSI Model & MAC Addressing Section:
"MAC addresses operate at Layer 2 of the OSI model. This layer is responsible for node-to-node data transfer, framing, and access control using MAC addresses."
Breakdown of Each Option:
A. Layer 2 ✔ Correct — The MAC layer is a sublayer of Layer 2 (Data Link Layer).
B. Layer 1 ✘ Incorrect — This is the Physical Layer, responsible for transmission of raw bits, not MAC addressing.
C. Layer 6 ✘ Incorrect — This is the Presentation Layer, which handles data format translation, not networking functions.
D. Layer 7 ✘ Incorrect — This is the Application Layer, used by end-user software like browsers or email clients.
E. Layer 3 ✘ Incorrect — This is the Network Layer, responsible for logical addressing and routing using IP addresses, not MAC.
For static routing functionality, additionally to the RouterOS 'system' package, you will also need the following software package:
Options:
no extra package required
advanced-tools
routing
dhcp
Answer:
A
Explanation:
Static routing is a core feature of MikroTik RouterOS and is included in the default 'system' package. You do not need to install any additional packages (like the "routing" package) for simple static routing.
The routing package is only needed for advanced dynamic routing protocols like BGP, OSPF, and RIP. For manually configured static routes, the system package alone is sufficient.
Let’s evaluate:
A. ✅ Correct. Static routing is part of the default system.
B. ❌ advanced-tools are for diagnostics and tools like traceroute, bandwidth-test, etc.
C. ❌ routing package is for dynamic protocols (OSPF, BGP, etc.), not static routes
D. ❌ dhcp is unrelated to routing — used for dynamic host IP assignment
MTCNA Course Manual – Routing Fundamentals:
“Static routing requires no additional package — it is included in the base system.”
René Meneses Guide – Routing Overview:
“For static routes, you do not need the 'routing' package. That’s only for protocols like BGP or OSPF.”
Terry Combs Notes – Routing Concepts:
“No extra packages needed for static routes. Just use /ip route.”
Answer: A
QUESTION NO: 40 [Tools]
You want to transfer existing '/ip firewall filter' configuration from one router to a new system.
Choose the best possible way to do this:
A. Export global configuration and remove everything apart from '/ip firewall filter'
B. Export only '/ip firewall filter'
C. Create backup, edit backup file and restore on target router
D. Create backup only of '/ip firewall filter' rules
Answer: B
The best way to transfer only the firewall filter rules is to export just that section of the configuration. This avoids unrelated settings (like IP addresses, user accounts, etc.) that could cause issues on the new router.
MikroTik allows you to selectively export parts of the configuration using:
/ip firewall filter export
This command outputs the firewall filter rules in script format, which can then be copied and applied to another router using import or pasting into terminal.
Evaluations:
A. ❌ Inefficient and error-prone. Exporting everything then removing parts increases the chance of mistakes.
B. ✅ Best method. Selective export via command line is clean and precise.
C. ❌ Backups are binary and system-specific — cannot be safely edited or restored on different hardware.
D. ❌ Backup doesn’t work selectively per section; export is the proper method.
MTCNA Course Manual – Backup vs Export:
“Use export when you need partial configurations. Backup is for full system state and cannot be selectively restored.”
René Meneses Study Guide – Configuration Transfer:
“Export is human-readable and editable. Use it for transferring only desired parts.”
Terry Combs Notes – Best Practices for Configuration Migration:
“Don’t use backups for partial transfer. Use export for readable and editable results.”
Answer: B
QUESTION NO: 41 [QoS – PCQ]
You want to use PCQ and allow 256k maximum download and upload for each client. Choose correct argument values for the required queue.
A. kind=pcq pcq-rate=256000 pcq-classifier=src-address
B. kind=pcq pcq-rate=1256000 pcq-classifier=dst-address
C. kind=pcq pcq-rate=256000 pcq-classifier=dst-address
D. kind=pcq pcq-rate=5000000 pcq-classifier=src-address
E. kind=pcq pcq-rate=5000000 pcq-classifier=dst-address
Answer: A, C
PCQ (Per Connection Queue) is used in MikroTik to enforce bandwidth fairness across multiple users. To limit each client to 256k:
pcq-rate=256000 → sets maximum bandwidth per client to 256,000 bps (256 kbps)
pcq-classifier=src-address → used in upload queues
pcq-classifier=dst-address → used in download queues
So:
A. ✅ Used for upload: src-address
C. ✅ Used for download: dst-address
The other options have incorrect rates or classifiers:
B. ❌ Incorrect rate (1256000 ≠ 256k)
D & E. ❌ Incorrect rate (5000000 = 5 Mbps)
MTCNA Course Manual – PCQ Explanation:
“Use pcq-classifier=src-address for upload, and dst-address for download. pcq-rate sets per-client limit.”
René Meneses Study Guide – Queue Management:
“To cap clients to 256k, configure pcq-rate=256000. Adjust classifiers based on traffic direction.”
Terry Combs Notes – PCQ Parameters:
“Classifier is the key. src-address = upload, dst-address = download. Don’t mix.”
Answer: A, C
QUESTION NO: 42 [Routing]
Which of the following Route statuses are possible?
A. A = Active
B. C = Connected
C. S = Static
D. D = Drop
Answer: A, B, C
In the MikroTik routing table, route status flags describe the type and status of each route:
A = Active → The route is being used to forward packets ✅
C = Connected → The route is to a directly connected subnet ✅
S = Static → The route was added manually by the administrator ✅
D = Drop → ❌ There is no such routing flag; “drop” may be an action in firewall or route rules but not a route status
Correct route flags in MikroTik include:
D = Dynamic
A = Active
C = Connected
S = Static
r = RIP
o = OSPF
b = BGP
MTCNA Routing Section – Route Flags Overview:
“Static routes show as S, connected routes as C, and routes in use are marked with A.”
René Meneses Guide – Routing Table Flags:
“Check route flags: A (Active), C (Connected), S (Static). Drop is not a valid route flag.”
Terry Combs Notes – Route Status Flags:
“Drop = firewall action, not route flag. Don’t confuse it with routing status.”
What is necessary for PPPoE client configuration?
Options:
Interface (on which PPPoE client is going to work)
Static IP address on PPPoE client interface
ip firewall nat masquerade rule
Answer:
A, C
Explanation:
To configure a PPPoE client on MikroTik, you need to:
Set the client interface (usually ether1 or another WAN-facing port).
Optionally add NAT masquerading to enable LAN users to reach the internet.
IP address on the interface is assigned dynamically from the ISP after PPPoE negotiation, so a static IP is not required.
Option Analysis:
A. ✔ Required – You must select the interface that initiates the PPPoE connection.
B. ✘ Not Required – The IP is typically assigned by the PPPoE server (ISP).
C. ✔ Required – NAT masquerade is commonly used to allow internet access for private IP clients behind the router.
Extract from MTCNA Course Material – PPPoE Client Setup:
“The PPPoE client must have an interface specified. A NAT masquerade rule is recommended for internet access sharing.”
Extract from René Meneses MTCNA Study Guide – PPPoE:
“You do not need to assign a static IP to the PPPoE client interface. IP is received after successful login.”
Extract from MikroTik Wiki – PPPoE Client:
“After setting up the interface and credentials, PPPoE client negotiates and receives dynamic IP. Add NAT if routing LAN traffic.”
===========
Destination NAT (chain dstnat, action dst-nat) can be used to:
Options:
Change destination port
Direct users from the Internet to a server within your local network
Change source port
Hide your local network from the Internet
Answer:
A, B
Explanation:
Destination NAT (dst-nat) is used to redirect packets arriving at the router to a different internal destination. It is most commonly used to allow public access to internal services such as web servers or mail servers.
You can:
Change the destination IP address (redirect to an internal host)
Change the destination port (e.g., port 8080 to port 80)
But:
C. Changing the source port is a function of src-nat, not dst-nat → ❌
D. Hiding the local network from the Internet is done via masquerade or src-nat → ❌
MTCNA Course Manual – NAT Section:
“Use dst-nat to forward traffic to a private host. Port translation can also be applied (e.g., from 81 to 80).”
René Meneses Study Guide – NAT Configuration:
“dst-nat changes the destination IP/port of packets arriving on a specific interface. Common use case: access to LAN services from WAN.”
Terry Combs Notes – NAT Rule Summary:
“dst-nat = port forwarding. src-nat/masquerade = hide internal addresses.”
Answer: A, B
QUESTION NO: 48 [RouterOS Introduction]
Which is the default port of IP-Winbox?
A. UDP 8291
B. TCP 80
C. TCP 8291
D. TCP 8192
Answer: C
Winbox is MikroTik’s GUI-based configuration tool. It communicates with RouterOS over TCP port 8291 by default. This port is used for both IP-based Winbox connections and MAC-based sessions (in combination with layer-2 discovery protocol).
Evaluation:
A. UDP 8291 → ❌ Wrong protocol
B. TCP 80 → ❌ Used for HTTP (WebFig)
C. TCP 8291 → ✅ Correct default Winbox port
D. TCP 8192 → ❌ Invalid / non-standard
MTCNA Course Manual – RouterOS Management Tools:
“Winbox uses TCP port 8291 by default. It is possible to change this port in the /ip service settings.”
René Meneses MTCNA Guide – Winbox Access:
“Default access via TCP 8291. Check firewall filters to ensure it’s not blocked.”
Terry Combs Notes – Remote Management:
“Winbox = TCP/8291. WebFig = TCP/80 or 443.”
Answer: C
QUESTION NO: 49 [PPP]
It is possible to create an encrypted PPPoE tunnel in RouterOS:
A. true
B. false
Answer: B
PPPoE (Point-to-Point Protocol over Ethernet) does not include encryption by default. It can authenticate users using PAP or CHAP, but the data payload is transmitted in cleartext unless another secure tunneling protocol (e.g., IPSec) is layered on top.
MikroTik supports encryption in other tunneling protocols, such as:
SSTP (uses SSL)
L2TP with IPSec
OpenVPN (SSL-based)
IPsec itself (for IP layer encryption)
MTCNA Tunneling Chapter – PPP Protocol Features:
“PPPoE offers authentication, compression, but no native encryption. Use IPSec if encryption is needed.”
René Meneses Guide – Tunnel Comparison Table:
“PPPoE is not encrypted. SSTP and L2TP/IPSec are alternatives when encryption is a requirement.”
Terry Combs Notes – PPP Family Summary:
“PPPoE: Authentication = Yes, Encryption = No. Use with caution over untrusted networks.”
Answer: B
QUESTION NO: 50 [Wireless]
Why is it useful to set a Radio Name on the radio interface?
A. To identify a station in a list of connected clients
B. To identify a station in Neighbor discovery
C. To identify a station in the Access List
Answer: A
The Radio Name is a human-readable identifier assigned to a wireless interface. It becomes visible in the Registration Table (i.e., the list of connected clients) on an access point. It helps network administrators distinguish between multiple connected devices.
Evaluation:
A. ✅ Correct — Radio Name is shown in the Registration Table (list of connected clients)
B. ❌ Neighbor discovery uses MAC and device identity, not radio name
C. ❌ Access List uses MAC addresses, not radio name, for matching
MTCNA Wireless Module – Interface Settings:
“Radio Name is shown in the registration table on the AP. It helps in client identification.”
René Meneses Guide – Wireless Monitoring:
“The AP uses the client’s Radio Name to label them in the list of associated stations.”
Terry Combs Notes – Best Practice:
“Set radio-name so you can easily tell which device is which in the registration list.”
Answer: A
In WinBox when clicking the 'Backup' button in the Files window, the following happens (select all that apply):
Options:
Backup file is created. Name contains the router identity, the date and time of its creation
Backup file is saved to the computer desktop
Backup file will contain usernames and passwords of the router
Optionally backup name and password can be specified
Answer:
A, C, D
Explanation:
The “Backup” function in WinBox (located under Files → Backup) creates a binary backup file (.backup) of the router’s full configuration, including sensitive data like usernames, passwords, IPsec keys, wireless keys, etc.
A. ✔ Correct – By default, the backup file name includes the router identity and timestamp.
B. ✘ Incorrect – The file is saved on the router’s internal storage (Files menu), not on the user’s computer. You must download it manually to store it locally.
C. ✔ Correct – Unlike an “Export” file, a .backup file includes all configuration, including encrypted credentials.
D. ✔ Correct – You can specify a name and optionally a password to encrypt the backup.
Extract from MTCNA Course Material – Backup & Restore:
“The backup file includes all settings and can be encrypted with a password. It is saved on the router under the Files menu.”
Extract from René Meneses Study Guide – Backup Options:
“A .backup file contains everything including usernames and secrets. You can assign a filename and encryption password.”
Extract from Terry Combs Notes – Backup and Export:
“Backup saves a full binary copy. Use the download button to copy it to your PC.”
===========