Which of the following are the decimal and hexadecimal equivalents of the binary number 10011101?
A. 155, 0x9B
B. 157, 0x9D
C. 159, 0x9F
D. 185, 0xB9
Binary to Decimal:
10011101
= 1×2^7 + 0×2^6 + 0×2^5 + 1×2^4 + 1×2^3 + 1×2^2 + 0×2^1 + 1×2^0
= 128 + 0 + 0 + 16 + 8 + 4 + 0 + 1
= 157
Decimal to Hexadecimal:
157 ÷ 16 = 9 remainder 13 → 13 = D
So, 157 = 0x9D
MTCNA Course Material – Binary and Hex Conversion:
“Convert binary to decimal by summing powers of 2. Then convert decimal to hexadecimal by dividing by 16.”
René Meneses MTCNA Study Guide – Number Systems:
“For binary 10011101, the decimal is 157, and hex is 9D.”
Only Option B is correct: 157, 0x9D.
Final Answer: B
QUESTION NO: 110 [RouterOS Introduction]
If you use either Telnet or FTP, which is the highest layer you are using to transmit data?
A. Application
B. Presentation
C. Session
D. Transport
Answer: A
Protocols like Telnet and FTP are considered Application Layer protocols in the OSI model. They operate at Layer 7, providing interfaces for user-level interaction and command control.
MTCNA Course Material – TCP/IP vs OSI Model:
“Telnet, FTP, HTTP are Application Layer protocols. They operate at the top of the OSI stack (Layer 7).”
René Meneses MTCNA Study Guide – Protocol Layers:
“Telnet and FTP reside at the Application Layer. They initiate data exchange between hosts.”
Presentation and Session layers are not separately used in the TCP/IP model and are merged into the Application Layer.
Transport (Layer 4) is used by these protocols (via TCP), but the protocol itself resides at the Application Layer.
Final Answer: A
QUESTION NO: 111 [RouterOS Introduction – IP Addressing]
Which class of IP address provides a maximum of only 254 host addresses per network ID?
A. Class A
B. Class B
C. Class C
D. Class D
Answer: C
Class C networks are defined as IP addresses with the first octet in the range of 192 to 223. Their default subnet mask is 255.255.255.0 (/24), which provides:
2^8 = 256 total addresses
Minus 2 (1 for network address, 1 for broadcast)
→ 254 usable host addresses
MTCNA Course Material – IP Address Classes:
“Class C has a default mask of /24. This allows for 254 hosts per network.”
René Meneses MTCNA Study Guide – IP Classes:
“Class C = 192.0.0.0 to 223.255.255.255, 254 usable hosts per subnet.”
Other classes:
Class A: ~16 million hosts
Class B: ~65,000 hosts
Class D: used for multicast (not host assignment)
Final Answer: C
QUESTION NO: 112 [RouterOS Introduction – Protocols]
Which of the following services use UDP?
1. DHCP
2. SMTP
3. SNMP
4. FTP
5. HTTP
6. TFTP
A. 1, 3 and 6
B. 2 and 4
C. 1, 2 and 4
D. All of the above
Answer: A
UDP is a connectionless protocol used by several lightweight or stateless network services. Among the listed services:
DHCP: Uses UDP (Ports 67 and 68)
SNMP: Uses UDP (Ports 161/162)
TFTP: Uses UDP (Port 69)
Other protocols:
SMTP: Uses TCP (Port 25)
FTP: Uses TCP (Ports 20 and 21)
HTTP: Uses TCP (Port 80)
MTCNA Course Material – Protocols and Ports:
“UDP is used for DHCP, SNMP, TFTP. TCP is used for SMTP, FTP, HTTP.”
René Meneses MTCNA Study Guide – Port Assignments:
“TCP: FTP, SMTP, HTTP. UDP: DHCP, SNMP, TFTP.”
Only 1, 3, and 6 use UDP.
Which of the protocols below is used by Netinstall?
A. arp
B. bootp
C. dhcp
D. rarp
Netinstall is a MikroTik tool for reinstalling RouterOS on RouterBOARD devices. It uses the RARP (Reverse ARP) protocol during the boot phase to obtain the host from which to download the OS. It does not rely on DHCP, ARP, or BOOTP in standard Netinstall scenarios.
A. ✘ arp – Not used by Netinstall for initial boot communication
B. ✘ bootp – Not used in Netinstall process
C. ✘ dhcp – Not used for booting RouterBOARD into Netinstall
D. ✔ rarp – Used by Netinstall to allow the RouterBOARD to request an address and boot image
Extract from MTCNA Course Material – Netinstall Boot Process:
“Netinstall uses RARP to discover the Netinstall server when booting into Ethernet mode.”
Extract from MikroTik Wiki – Netinstall:
“Netinstall communicates with the device via RARP protocol when loading RouterOS over Ethernet.”
Extract from René Meneses MTCNA Study Guide – Netinstall Chapter:
“RARP is used for booting during Netinstall. DHCP is not required for this operation.”
A router has wireless and Ethernet client interfaces, and all client interfaces are bridged. To create a DHCP service for all clients, the DHCP server must be configured on:
A. Ethernet and wireless interfaces
B. DHCP service is not possible in this setup
C. Every bridge port
D. Only on the bridge interface
When you place multiple interfaces (ethernet, wlan) into a bridge, the bridge interface becomes the logical Layer 3 interface. Any IP-related services (e.g., DHCP server, firewall rules) must be applied to the bridge interface, not the individual ports.
A. ✘ Incorrect – IP services are not bound to physical ports in a bridged setup.
B. ✘ Incorrect – DHCP works perfectly in this setup.
C. ✘ Incorrect – The bridge ports are Layer 2; DHCP must bind to the Layer 3 bridge interface.
D. ✔ Correct – Configure the DHCP server on the bridge interface.
Extract from Official MTCNA Course Material – Bridging and DHCP:
“When using a bridge interface with multiple ports, IP services (like DHCP) must be bound to the bridge itself.”
Extract from René Meneses MTCNA Study Guide – Bridging Concepts:
“DHCP server should be created on the bridge interface if it includes both wireless and ethernet clients.”
Extract from MikroTik Wiki – DHCP Server:
“Always assign the DHCP server to the bridge interface when clients are behind bridged ports.”
===========
Which command is used to upgrade an IOS on a Cisco router?
A. copy tftp run
B. copy tftp start
C. config net
D. copy tftp flash
To upgrade or install a new Cisco IOS image on a router, you typically copy the IOS image file from a TFTP server into the router’s flash memory. The correct syntax is:
copy tftp flash
This command tells the router to copy the IOS image from a TFTP server into flash storage, where it can be booted.
Cisco IOS Documentation – Image Upgrade Process:
“Use the command copy tftp flash to transfer an IOS image from a TFTP server to the router’s flash memory.”
Other options:
A: copy tftp run – invalid; you cannot copy into the running-config that way
B: copy tftp start – used to copy configuration, not IOS image
C: config net – an older and deprecated command, not for IOS upgrades
Final Answer: D
QUESTION NO: 122 [RouterOS Introduction – ICMP and Diagnostics]
Which protocol does Ping use?
A. TCP
B. ARP
C. ICMP
D. BootP
Answer: C
Ping is a diagnostic utility used to test reachability between devices. It sends ICMP Echo Request packets and waits for ICMP Echo Replies. ICMP (Internet Control Message Protocol) is used for these types of control messages and is encapsulated within IP.
MTCNA Course Material – Diagnostic Tools:
“Ping uses ICMP Echo Requests to verify if a destination is reachable. It does not use TCP or UDP.”
René Meneses MTCNA Study Guide – Ping and ICMP:
“Ping uses ICMP, not TCP or ARP. ICMP packets are used to check basic connectivity.”
MikroTik Wiki – Ping Tool Description:
“Ping works by sending ICMP packets. It cannot use TCP.”
Other options:
TCP: Used by protocols like HTTP, FTP
ARP: Resolves IP to MAC, not used for ping
BootP: DHCP-related protocol, not diagnostic
Final Answer: C
QUESTION NO: 123 [Cisco – Frame Relay Troubleshooting]
What command will display the line, protocol, DLCI, and LMI information of an interface?
A. sh pvc
B. show interface
C. show frame-relay pvc
D. show run
Answer: C
In Cisco IOS, to display detailed Frame Relay virtual circuit information, including the line status, protocol status, DLCI (Data Link Connection Identifier), and LMI (Local Management Interface) details, the correct command is:
show frame-relay pvc
Cisco IOS Command Reference – Frame Relay:
“The show frame-relay pvc command displays information about PVC status, including DLCI numbers and LMI statistics.”
Breakdown:
A: sh pvc – shorthand and ambiguous, may not be recognized
B: show interface – general interface stats but lacks detailed LMI/DLCI info
C: show frame-relay pvc – ✔ correct, provides detailed DLCI/LMI info
D: show run – shows current configuration, not real-time PVC status
Final Answer: C
QUESTION NO: 124 [Networking Fundamentals – Ethernet and Switching]
How many collision domains are created when you segment a network with a 12-port switch?
A. 1
B. 2
C. 5
D. 12
Answer: D
Each port on a switch creates its own collision domain. Unlike hubs (which extend a single collision domain), switches segment each interface, allowing full-duplex communication and eliminating collisions.
MTCNA Course Material – Ethernet Switching Concepts:
“Each switch port is a separate collision domain. A 24-port switch creates 24 separate collision domains.”
René Meneses MTCNA Study Guide – Collision and Broadcast Domains:
“Switches break up collision domains per port, unlike hubs.”
Therefore, a 12-port switch creates 12 individual collision domains.
The basic unit of a physical network (OSI Layer 1) is the:
A. Frame
B. Bit
C. Byte
D. Header
The OSI Layer 1, also known as the Physical Layer, is responsible for the transmission and reception of raw binary data over a physical medium. The most fundamental unit at this layer is the bit.
Bit = Binary Digit (0 or 1)
It is transmitted over physical media (cables, radio signals, etc.)
Frames (A) exist at Layer 2 (Data Link Layer), not Layer 1.
Bytes (C) are groups of 8 bits, but bits are still the smallest indivisible transmission unit.
Headers (D) are metadata used at Layers 2–7; not relevant to Layer 1.
MTCNA Official Training Manual – OSI Model Chapter:
“Layer 1 transmits raw bits over a transmission medium. These bits form the foundation for higher-layer data structures.”
René Meneses MTCNA Guide – OSI Model Breakdown:
“Physical Layer (Layer 1) carries bits, not frames or bytes. It's concerned with voltages, cables, connectors, and signal encoding.”
Terry Combs Notes – OSI Layers:
“Layer 1 = Bits. Nothing more. Frames come into play in Layer 2.”
Answer: B
Where is a hub specified in the OSI model?
A. Session layer
B. Physical layer
C. Data Link layer
D. Application layer
A hub is a simple Layer 1 (Physical Layer) device that does not understand MAC addresses or IP addresses. It simply repeats electrical signals to all connected ports without inspection or filtering.
MTCNA Course Material – OSI Layer Device Roles:
“Hubs operate at the Physical Layer. They do not process frames or packets and function purely as repeaters.”
René Meneses MTCNA Study Guide – OSI Devices:
“Hubs are Layer 1 devices. They send bits — not frames — and have no concept of MAC addresses.”
Other options:
A: Session layer is Layer 5, handles sessions between applications
C: Switches/bridges operate at the Data Link layer (Layer 2)
D: Application layer (Layer 7) is for user-level software like HTTP, FTP, etc.
Final Answer: B
QUESTION NO: 138 [Cisco IOS – Access List Verification]
Which command is used to determine if an IP access list is enabled on a particular interface?
A. show access-lists
B. show interface
C. show ip interface
D. show interface access-lists
Answer: C
The command show ip interface displays the status of IP-level interface parameters, including whether an access list (ACL) is applied inbound or outbound.
Cisco IOS Command Reference – Interface ACL Check:
“Use show ip interface to verify whether an access list is applied to the interface and in which direction (in or out).”
René Meneses MTCNA Study Guide – Cisco Access List Monitoring:
“To verify ACL assignment to an interface, use show ip interface. It provides ACL status along with IP addressing info.”
Breakdown:
A: show access-lists → shows ACL contents, not interface bindings
B: show interface → shows interface stats, not ACL usage
D: Invalid syntax in Cisco IOS
Final Answer: C
QUESTION NO: 139 [RouterOS Introduction – Transport Protocols]
Which protocol does DHCP use at the Transport layer?
A. IP
B. TCP
C. UDP
D. ARP
Answer: C
DHCP (Dynamic Host Configuration Protocol) operates over UDP:
Client uses UDP port 68
Server uses UDP port 67
It is a connectionless protocol, and because clients typically do not yet have IP addresses, UDP is used due to its simplicity.
MTCNA Course Material – DHCP Protocol Layering:
“DHCP uses UDP for communication between clients and servers. TCP is not used due to the stateless, broadcast nature of DHCP discovery.”
René Meneses MTCNA Study Guide – Port Assignments:
“UDP 67/68 are used by DHCP. TCP is not used because clients lack IPs initially.”
Other options:
A: IP is the network layer, not transport
B: TCP is used by reliable services (FTP, HTTP)
D: ARP resolves IP-to-MAC; unrelated to DHCP transport
Final Answer: C
QUESTION NO: 140 [Cisco IOS – Remote Access Configuration]
Which of the following commands will allow you to set your Telnet password on a Cisco router?
A. line telnet 0 4
B. line aux 0 4
C. line vty 0 4
D. line con 0
Answer: C
The correct line configuration for remote Telnet (or SSH) access in Cisco IOS is via the virtual terminal (vty) lines. Typically, Cisco routers reserve 5 lines: vty 0 4. You then apply the password and login commands under this context.
Cisco IOS Configuration Guide – Telnet/VTY Setup:
“Use line vty 0 4 to configure access for Telnet sessions. Then use password and login to enforce authentication.”
René Meneses MTCNA Study Guide – Cisco Access Configuration:
“VTY lines (virtual terminal) handle Telnet and SSH sessions. Console and aux lines are for local access.”
Other options:
A: line telnet is not a valid command
B: line aux → used for modem or auxiliary port access
D: line con 0 → used for console (local) access, not remote
────────────────────────────────────────────────────────────
For a user in the local PPP Secrets/PPP Profiles database, it is possible to:
A. Allow/deny use of more than one login by this user
B. Allow login by PPPoE and PPTP, but deny login by L2TP
C. Set max values for transferred data (Rx/Tx)
D. Allow only PPPoE login
E. Deny services (like telnet) only for this user or for one group of users
The local PPP database in MikroTik allows control over authentication and access for PPP-based services such as PPTP, L2TP, PPPoE, and SSTP. Several configuration options can be specified per user or profile.
A. ✔ Correct – You can use the "only-one" setting in PPP profiles to allow/deny multiple logins for the same user.
B. ✔ Correct – Under the "service" parameter in /ppp secret, you can restrict allowed protocols (e.g., enable PPPoE, PPTP, and disable L2TP).
C. ✘ Incorrect – Data transfer limits (Rx/Tx) are not enforced directly in PPP profiles or secrets. This is usually handled via queues or hotspot limitations.
D. ✔ Correct – By setting the "service" to only "pppoe", all other PPP types will be denied.
E. ✘ Incorrect – Access to services like telnet is managed via firewall rules or user groups, not in PPP profiles.
Extract from Official MTCNA Course Material – PPP Profiles:
“PPP Profiles control session parameters. You can limit simultaneous logins, restrict service types (e.g., PPPoE), and set IP pools.”
Extract from René Meneses MTCNA Study Guide – PPP Configuration:
“Use the ‘only-one’ flag to control concurrent logins. The ‘service’ field allows or restricts protocol types per user.”
Extract from Terry Combs MTCNA Notes – PPP Features:
“To allow a user access only via PPPoE or PPTP, adjust the service types in /ppp secret.”
===========
Is action=masquerade allowed in chain=dstnat?
A. yes, but only if dst-addr is specified
B. yes
C. yes, but it works only for incoming connections
D. no
The action=masquerade is used exclusively in the srcnat chain. It dynamically hides internal IP addresses behind the router's public IP. It cannot be used in the dstnat chain.
A. ✘ Incorrect – masquerade is not allowed in dstnat regardless of parameters.
B. ✘ Incorrect – masquerade is not valid in the dstnat chain.
C. ✘ Incorrect – masquerade does not operate in dstnat, direction does not change this.
D. ✔ Correct – masquerade must only be used in chain=srcnat.
Extract from MTCNA Course Material – NAT Concepts:
“Masquerade is a special type of source NAT used only in the srcnat chain. It is invalid in dstnat.”
Extract from René Meneses Study Guide – NAT Actions:
“Use action=masquerade in chain=srcnat. RouterOS will not accept it in dstnat.”
Extract from MikroTik Wiki – NAT Rules:
“action=masquerade is not allowed in dstnat chain and will result in error if applied.”
===========
Select valid subnet masks:
A. 255.192.0.0
B. 255.255.192.255
C. 192.0.0.0
D. 255.255.224.0
Subnet masks are used in IP networking to define the boundary between the network portion and the host portion of an IP address. A valid subnet mask must consist of a contiguous block of 1s followed by a contiguous block of 0s in its binary representation.
Let’s analyze the given options:
A. 255.192.0.0 – This is not a standard or valid subnet mask because the 1s are not contiguous beyond the second octet. This is typically used in class A subnetting but is not commonly considered valid in CIDR or MTCNA context. While technically binary-valid, it’s not recommended or standard for practical subnetting.
B. 255.255.192.255 – Invalid, because the last octet is 255, which implies all bits are 1s, but in the third octet only partial bits are set (192 is 11000000). This breaks the required rule of contiguous 1s followed by contiguous 0s.
C. 192.0.0.0 – Invalid, as it doesn’t represent a valid subnet mask. 192 in the first octet (11000000) followed by zeros is not a valid mask – it's actually a network address, not a subnet mask.
D. 255.255.224.0 – Valid subnet mask. This represents /19 in CIDR notation. In binary: 11111111.11111111.11100000.00000000, which follows the correct rule of contiguous 1s followed by contiguous 0s.
Extract from MTCNA Study Guide by René Meneses:
Subnet masks must be a continuous string of 1s followed by a continuous string of 0s. Any deviation or split between the blocks renders the mask invalid.
Extract from MTCNA Official Course Manual:
Valid subnet masks include values such as 255.0.0.0 (/8), 255.255.0.0 (/16), 255.255.255.0 (/24), and also non-classful masks like 255.255.224.0 (/19) are allowed and used for more flexible subnetting.
Conclusion: Option D is the only one meeting the criteria for a valid subnet mask as taught in the MTCNA curriculum.
===========
How long is level 1 (demo) license valid?
A. 24 hours
B. Infinite time
C. 1 month
D. 1 year
RouterOS Level 1 license is the demo license that comes with all RouterOS installations (particularly on x86 or CHR before activation). It is unrestricted in time, meaning it never expires, but functionality is extremely limited.
A. 24 hours → Incorrect. There is no such time-limited restriction.
B. Infinite time → Correct. Level 1 license is perpetual but has limited features.
C. 1 month → Incorrect. MikroTik does not impose monthly timeouts on license levels.
D. 1 year → Incorrect. No temporary time-bound license is assigned by default.
Extract from Official MTCNA Course Material – Licensing Section:
“Level 1 (demo) license is unlimited in time but has very limited functionality. It is designed for testing purposes only.”
Extract from René Meneses MTCNA Study Guide – RouterOS Licensing:
“The Level 1 license is not time-limited, but it cannot be used in production due to its lack of key features.”
Extract from MikroTik Wiki – Licensing Model:
“License level 1 is a free demo license that does not expire.”
===========
Which firewall chain should you use to filter clients' HTTP traffic going through the router?
A. prerouting
B. forward
C. output
D. input
When a router forwards traffic between two interfaces (such as from LAN to WAN), it uses the forward chain. HTTP traffic initiated by users destined to external servers passes through this chain.
A. ✘ prerouting – Used mainly for routing decisions and NAT, not filtering.
B. ✔ forward – Used to filter transit traffic.
C. ✘ output – For traffic originating from the router itself.
D. ✘ input – For traffic destined to the router itself.
Extract from MTCNA Course Material – Firewall Chains:
“Client-to-server traffic, like browsing the web, passes through the forward chain when routed through the router.”
Extract from René Meneses Study Guide – Firewall Structure:
“To block or allow traffic passing through the router (LAN to Internet), use the forward chain.”
Extract from MikroTik Wiki – Firewall Filtering Overview:
“forward: filters all transit traffic routed through the router.”
===========
If you need to make sure that one computer in your Hot-Spot network can access the Internet without Hot-Spot authentication, which menu allows you to do this?
A. Users
B. IP bindings
C. Walled-garden
D. Walled-garden IP
In a MikroTik Hotspot environment, you can bypass authentication for specific users using the IP Bindings feature. This feature lets you mark a host as bypassed (authorized without login), blocked, or regular.
A. Users → Incorrect. This contains login credentials for regular authenticated users.
B. IP bindings → Correct. This allows specific devices (by IP or MAC) to bypass login requirements.
C. Walled-garden → Incorrect. This allows unauthenticated access to specific domains or URLs, not devices.
D. Walled-garden IP → Incorrect. Similar to option C, it controls destination IP access, not client exemption.
Extract from Official MTCNA Course Material – Hotspot:
“To allow a specific host to bypass authentication, use IP Bindings with the ‘bypassed’ type.”
Extract from René Meneses MTCNA Study Guide – Hotspot Section:
“The IP Bindings tab in the Hotspot menu is used to set specific IPs or MACs as bypassed. This exempts them from login.”
Extract from Terry Combs MTCNA Notes – Hotspot Bypass:
“Use IP Bindings for fixed clients (e.g., printers or servers) that should not be challenged by the Hotspot portal.”
===========
What is the term for the hardware coded address found on an interface?
A. FQDN Address
B. IP Address
C. Interface Address
D. MAC Address
The hardware-coded address that uniquely identifies a device's network interface card (NIC) on the local network is called a MAC address. It is “burned in” by the hardware manufacturer and remains constant unless manually overridden.
MAC stands for Media Access Control, and it operates at Layer 2 of the OSI model. It is used to identify devices on a local area network.
A. FQDN (Fully Qualified Domain Name) refers to a human-readable name used in DNS.
B. IP Address is a logical address used for routing at Layer 3.
C. Interface Address is a generic term and not a standard identifier.
D. MAC Address is correct and refers to the physical, hardware-encoded address on an interface.
Extract from MTCNA Course Manual – RouterBOARD Overview:
“A MAC address is a globally unique hardware identifier assigned to each Ethernet or wireless interface. It is used by Layer 2 to ensure local delivery.”
René Meneses Study Guide – MAC & OSI Layering:
“The MAC address is a 48-bit physical identifier, hardcoded by the device vendor and located in the NIC chip.”
Terry Combs MTCNA Notes – Layer 2 Concepts:
“MAC = Physical Address = Layer 2 Identifier. It’s what switches use to forward Ethernet frames.”
===========
In RouterOS queue configurations the word “total” usually represents:
A. download
B. upload + download
C. download - upload
D. upload
In MikroTik queues (especially in simple queues), the "total" limit typically refers to the combined rate of upload and download traffic — i.e., the total bandwidth usage. This is useful when you want to control the full traffic flow for a client or subnet.
A. ✘ Incorrect – Not just download
B. ✔ Correct – Total = Download + Upload combined
C. ✘ Incorrect
D. ✘ Incorrect – Upload alone is not referred to as "total"
Extract from MTCNA Course Material – Simple Queues:
“The total max-limit or total rate represents both upload and download combined.”
Extract from René Meneses MTCNA Study Guide – Queue Types:
“Use total max-limit to limit overall bandwidth. Individual directions can also be configured.”
Extract from MikroTik Wiki – Simple Queue Options:
“total-max-limit defines the sum of incoming and outgoing traffic rates.”
/interface wireless access-list is used for:
A. Handles a list of Client's MAC Address to permit/deny connection to AP
B. Shows a list of Client's MAC Address that are already registered at AP
C. Contains the security profiles settings
D. Authenticate Hot-Spot users
The /interface wireless access-list in MikroTik is used to define a set of rules that permit or deny wireless clients based on their MAC addresses and signal strength.
This list applies only to clients trying to connect to the router’s wireless interface when it is configured as an Access Point.
Let’s break down the options:
A. ✅ Correct – Used to allow or deny client MAC addresses and apply settings like rate limits, VLANs, etc.
B. ❌ That’s the role of the registration table.
C. ❌ Security profiles are configured separately under /interface wireless security-profiles.
D. ❌ Hotspot authentication is handled via /ip hotspot, not wireless access lists.
MTCNA Wireless Module – MAC Access Control:
“Access-list matches incoming clients by MAC. You can allow, deny, and apply custom settings.”
René Meneses Study Guide – Wireless Security:
“Access-list is used to explicitly permit or block clients based on their MAC address.”
Terry Combs Notes – Wireless Filtering:
“Think of access-list like a whitelist/blacklist for Wi-Fi clients.”
Answer: A
QUESTION NO: 65 [Firewall]
One host on an internal network is accessing an external web page through a MikroTik router that is doing source NAT. Select the correct statement about the packets that flow from that web page to the host:
A. Packets go through the input chain
B. Packets go through the forward chain
C. Packets go through the output chain
D. Packets go through the input chain before the routing decision and after that through output chain
Answer: B
When a host on a LAN accesses a website on the internet via a MikroTik router that’s performing source NAT (e.g., masquerade), the traffic path is as follows:
From LAN host to internet → forward chain → NAT (src-nat)
From internet back to LAN host → forward chain again → connection-tracked → src-nat reversed
Since the router is only routing the packets and is not the originator or final destination, the packet passes through the forward chain.
Clarifying the options:
A. ❌ input chain is for packets destined to the router itself
B. ✅ Correct – packet is routed through the router (forwarded)
C. ❌ output chain is for packets originating from the router
D. ❌ This description applies to packets sourced by the router itself
MTCNA Course Manual – Packet Flow Diagram:
“Forward chain handles packets that are being routed through the device (not destined to or from the router itself).”
René Meneses Guide – Firewall Chains:
“For routed traffic, the forward chain is used. This includes NATed traffic between LAN and WAN.”
Terry Combs Notes – Packet Flow:
“Understand the router’s role. If it’s just forwarding, only the forward chain applies.”
Answer: B
What can be used as ’target-address’ in the simple queue?
A. client’s MAC address
B. server’s address
C. address list name
D. client’s address
In MikroTik’s Simple Queues, the target-address field is used to define the IP address of the device (host) to which the queue will apply. This must be an IP address — not a MAC address or an address list name.
Let’s evaluate:
A. ❌ MAC address is not supported as target-address in simple queues
B. ❌ "server’s address" is vague; if it means an IP, then it could work, but the best answer is "client’s address"
C. ❌ Address lists can be used in firewall and mangle rules, but not directly in simple queues
D. ✅ Correct – An individual IP address (like 192.168.1.100) can be assigned as the target-address
MTCNA Course Manual – Simple Queue Structure:
“Use the target-address field to apply a queue to a specific host by IP.”
René Meneses Guide – Queue Setup:
“Only IP addresses can be used as targets in simple queues. Address lists are not accepted.”
Terry Combs Notes – Bandwidth Limiting:
“Target-address = device IP. MACs and lists are not allowed here.”
Answer: D
QUESTION NO: 75 [RouterOS Introduction]
What kind of users are listed in the "/user" menu?
A. router users
B. wireless users
C. Hot-Spot users
D. PPTP users
Answer: A
The /user menu in MikroTik RouterOS lists users who are allowed to log in to the router itself — via Winbox, SSH, WebFig, console, or API. These are administrative users of the RouterOS system.
Let’s evaluate:
A. ✅ Correct – These are RouterOS users (admin, techs, operators)
B. ❌ Wireless users are authenticated via security-profiles and access-lists
C. ❌ Hotspot users are managed under /ip hotspot user
D. ❌ PPTP users are managed under /ppp secrets
MTCNA User Management Section:
“/user is used to configure login accounts for RouterOS access.”
René Meneses Guide – User Types:
“Only RouterOS admin users are listed under /user. VPN and hotspot users are managed elsewhere.”
Terry Combs Notes – User Menu Summary:
“/user = login to router (Winbox/SSH). Not for PPP or hotspot authentication.”
Answer: A
QUESTION NO: 76 [RouterBOARD Hardware]
Which is a default baud-rate of currently manufactured RouterBOARDs?
A. 9600
B. 115200
C. 38400
D. 11520
Answer: B
The default serial console baud rate for most modern MikroTik RouterBOARD devices is 115200 bps. This is important when accessing the router via serial console (e.g., through RS-232 or USB-to-serial adapters).
Let’s evaluate:
A. 9600 → ❌ Too slow; used in legacy systems
B. ✅ 115200 → Correct default for MikroTik boards
C. 38400 → ❌ Incorrect
D. 11520 → ❌ Typo; not a standard rate
MTCNA Hardware Module – Serial Access:
“Default baud-rate is 115200. Use this setting when connecting via serial cable.”
René Meneses Study Guide – RouterBOARD Console Access:
“Use 115200 baud to access RouterBOARD via serial port.”
Terry Combs Notes – Serial Console Tips:
“Almost all modern RouterBOARDs use 115200 as default serial speed.”
Answer: B
QUESTION NO: 77 [Routing]
When viewing the routes in Winbox, some routes will show "DAC" in the first column. These flags mean:
A. Dynamic, Available, Created
B. Dynamic, Active, Connected
C. Direct, Available, Connected
D. Dynamic, Active, Console
Answer: B
Route flags in MikroTik indicate how a route was created and its status:
D = Dynamic → Added automatically (e.g., by IP address assignment)
A = Active → Route is currently being used
C = Connected → Directly connected subnet or IP address
So:
DAC = Dynamic + Active + Connected → Usually created when you assign an IP address to an interface.
Let’s review:
A. ❌ "Available" and "Created" are not valid flags
B. ✅ Correct – matches MikroTik routing flag definitions
C. ❌ “Direct” and “Available” are not valid route flags in MikroTik
D. ❌ "Console" is not a route flag
MTCNA Routing Section – Route Flag Definitions:
“D – Dynamic, A – Active, C – Connected. These appear when the router creates a route based on interface IP.”
René Meneses Guide – Route Table Interpretation:
“DAC is the most common flag combination. Dynamic and connected routes are automatically active.”
Terry Combs Notes – Route Status Flags:
“D = Dynamic, A = Active, C = Connected. Common on local interfaces.”
════════════════════════════════════════════
How many layers does the Open Systems Interconnection model have?
A. 6
B. 9
C. 5
D. 7
E. 12
The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a communication system into seven distinct layers. It is used to understand and design computer networking systems.
The seven layers of the OSI model are:
Application
Presentation
Session
Transport
Network
Data Link
Physical
Each layer has its own specific purpose and interacts with adjacent layers to perform data transmission functions.
MTCNA Official Course Material – OSI Model Chapter:
“The OSI model consists of 7 layers. Understanding these layers is critical for troubleshooting and protocol analysis.”
René Meneses MTCNA Study Guide – OSI Model Section:
“There are exactly seven OSI layers. They range from the Physical Layer (Layer 1) to the Application Layer (Layer 7).”
Terry Combs Notes – OSI Summary Page:
“OSI = 7 Layers. The most important ones for network engineers are Layer 1 through Layer 4.”
Answer: D
QUESTION NO: 13 [Routing]
How many usable IP addresses are there in a 20-bit subnet?
A. 4096
B. 4094
C. 2046
D. 2048
E. 2047
Answer: B
A /20 subnet means that 20 bits are used for the network portion, and 12 bits are left for host addresses. The total number of IP addresses available in such a subnet is:
2^12 = 4096 (total addresses)
Usable IP addresses = 4096 - 2 = 4094
→ (1 address is reserved for the network ID, and 1 for the broadcast address)
MTCNA Course Manual – Subnetting and IP Allocation:
“A subnet with n host bits gives 2^n total addresses. Always subtract 2 to account for network and broadcast addresses.”
René Meneses Study Guide – Subnet Calculations:
“/20 = 12 host bits → 4096 total IPs. Usable = 4094. Remember to subtract 2.”
Terry Combs MTCNA Notes – Addressing Math:
“20-bit subnet = 4094 usable IPs. Know how to compute 2^x and subtract 2.”
Answer: B
QUESTION NO: 14 [Routing]
You have a router with configuration
Public IP: 202.168.125.45/24
Default gateway: 202.168.125.1
DNS server: 248.115.148.136, 248.115.148.137
Local IP: 192.168.2.1/24
Mark the correct configuration on client PC to access the Internet:
A. IP: 192.168.0.1/24, gateway: 192.168.2.1
B. IP: 192.168.2.253/24, gateway: 202.168.0.1
C. IP: 192.168.2.115/24, gateway: 192.168.2.1
D. IP: 192.168.2.2/24, gateway: 202.168.125.45
E. IP: 192.168.1.223/24, gateway: 248.115.148.136
Answer: C
To correctly configure a host in a private network behind a router:
The IP must match the local subnet (192.168.2.0/24)
The gateway must be the router’s local IP (192.168.2.1)
DNS settings can be default or custom, but IP and gateway must be valid
Let’s evaluate:
A. 192.168.0.1 → Wrong subnet (192.168.0.0/24 ≠ 192.168.2.0/24) ❌
B. Gateway 202.168.0.1 → Invalid internal gateway ❌
C. IP 192.168.2.115 with gateway 192.168.2.1 → ✅ Correct subnet and correct gateway
D. Gateway 202.168.125.45 → This is router’s public IP, not the correct gateway for LAN ❌
E. IP 192.168.1.223 → Wrong subnet; also, gateway is DNS IP ❌
MTCNA NAT Section – Network Configuration:
“Clients should be in the same subnet as the router’s local IP and must use that local IP as their gateway to reach outside networks.”
René Meneses Guide – Gateway and Addressing:
“The client’s IP should belong to the same subnet as the local router interface. Always verify gateway IP points to the internal address.”
Terry Combs Notes – Default Gateway Setup:
“The default gateway for local clients must be the internal router IP — not the public or DNS IP.”
Answer: C
QUESTION NO: 15 [RouterBOARD Hardware]
Collisions are possible in full-duplex Ethernet networks:
A. true
B. false
Answer: B
In full-duplex Ethernet, devices can transmit and receive simultaneously on separate physical or logical channels. This eliminates the possibility of collisions because there is no need for devices to listen before transmitting — unlike half-duplex Ethernet, which uses CSMA/CD to manage potential collisions.
Full-duplex connections are the standard in modern switching environments and are always collision-free.
MTCNA Official Course Material – Ethernet & Duplex Modes:
“In full-duplex Ethernet, there are separate transmit and receive paths, and therefore, collisions cannot occur.”
René Meneses Study Guide – Ethernet Basics:
“Full-duplex = simultaneous send/receive = no collisions. Collisions are a legacy issue from half-duplex Ethernet.”
Terry Combs MTCNA Notes – CSMA/CD and Ethernet:
“Collision Detection (CD) is not used in full-duplex. Only half-duplex environments use CSMA/CD to manage access.”
It is possible to create a configuration where VLAN and PPTP interfaces are bridged together.
TRUE
FALSE
RouterOS allows different types of interfaces, including VLANs and PPP-based interfaces (like PPTP), to be added to a bridge. This creates a Layer 2 network between them, enabling transparent communication.
A. ✔ TRUE – Supported and commonly used in tunneling + VLAN transport.
B. ✘ FALSE – Incorrect.
Extract from MTCNA Course Material – Bridging Concepts:
“Bridging can include Ethernet, VLAN, wireless, and virtual interfaces such as PPTP and EOIP.”
Extract from MikroTik Wiki – Bridge Interface:
“Any Layer 2-capable interface (including VLANs, PPP tunnels, and Ethernet) can be included in a bridge.”
Extract from René Meneses Study Guide – Bridging and VLANs:
“It is possible to bridge VLAN interfaces with VPN interfaces for advanced Layer 2 tunneling scenarios.”
===========
Which of these are possible solutions to bridge two networks over a wireless link:
Both devices in AP mode and enable WDS mode
One device in AP mode, another one in station-pseudobridge-clone
One device in AP mode, another one in station-pseudobridge
One device in AP mode, another one in station
To bridge two networks over a wireless link (i.e., perform Layer 2 bridging), MikroTik offers several wireless modes that support bridging:
WDS (Wireless Distribution System) is MikroTik’s mechanism to forward Layer 2 frames over wireless
pseudobridge and pseudobridge-clone attempt to mimic Layer 2 bridging, with some limitations
Option analysis:
A. ✔ Correct – Using AP mode on both ends and enabling WDS allows full Layer 2 bridging
B. ✔ Correct – pseudobridge-clone allows limited bridging by spoofing the MAC address of the connected host
C. ✔ Correct – station-pseudobridge enables partial bridging (one client per MAC)
D. ✘ Incorrect – station mode alone does not support Layer 2 bridging; it performs routing/NAT instead
Extract from MTCNA Course Material – Bridging and Wireless Section:
"To bridge over wireless, you can use WDS or station-pseudobridge(-clone). WDS provides true Layer 2 bridging, while pseudobridge methods simulate it for single hosts."
Extract from René Meneses Study Guide – Wireless Bridging:
“WDS is most reliable for bridging. pseudobridge and pseudobridge-clone work with one client and should be used cautiously.”
Extract from Terry Combs Notes – Wireless Bridging:
“station mode alone is not sufficient for bridging. Use WDS or pseudobridge options.”
===========
You need to reboot a RouterBoard after importing a previously exported rsc file to activate the new configuration.
True
False
Importing an .rsc (exported) file immediately applies the configuration commands line by line. There is no need to reboot the router for the new settings to take effect. Some services may require restarting manually (e.g., DHCP server), but the RouterOS itself does not require a reboot after import.
Option analysis:
A. ✘ False – Reboot is not required
B. ✔ True – Import applies settings immediately during execution
Extract from MTCNA Course Material – Import Functionality:
“Import is immediate and command-by-command. No reboot is necessary unless instructed in the script.”
Extract from René Meneses Study Guide – Import and Export:
“When you import an .rsc file, the configuration takes effect as each command is executed. Reboot is not needed.”
Extract from MikroTik Wiki – Configuration Restore:
"The import file is executed in real-time. Any settings changed are applied immediately."
==================================
To connect your MikroTik router to a wireless access point, you have to:
Use the same SSID as on the access point
Use the same Radio Name
Use the same Band (5 GHz, 2.4 GHz, ...)
To establish a wireless client connection to an access point:
The SSID must match exactly – including capitalization.
The Band must be compatible – i.e., both devices must support and use the same frequency band (2.4GHz or 5GHz).
Radio Name is an identifier for display purposes only and does not affect connectivity.
Option Analysis:
A. ✔ Required – Matching SSID is essential.
B. ✘ Not Required – Radio Name is just a display label in tools like Winbox.
C. ✔ Required – Band compatibility is critical to ensure the device can “see” and connect to the AP.
Extract from Official MTCNA Course Material – Wireless Client Configuration:
“To connect to an AP, the client must use the same SSID and operate on a compatible band and frequency.”
Extract from René Meneses MTCNA Study Guide – Wireless Modes:
“SSID and band must match to connect. Radio name is not used in the authentication or association process.”
Extract from Terry Combs Notes – Wireless Settings:
“SSID is like the network name, and it must be identical. Mismatched bands (e.g., 2.4 vs 5GHz) will prevent discovery.”
==================================
What does the firewall action "log" do?
It logs and blocks the packet
It blocks and logs the packet
It adds a prefix to the packet and passes it through
It logs the packet
The log action in MikroTik's firewall does not block or drop packets. Instead, it generates a log entry for packets that match the rule and passes the packet to the next rule in the chain. It is used for monitoring, debugging, or auditing network behavior.
MTCNA Official Course Material – Firewall Filters:
“The action 'log' creates a log entry when a packet matches the rule. It does not terminate or alter the packet's flow. The packet continues to be processed by subsequent rules.”
René Meneses MTCNA Study Guide – Firewall Logging:
“Log action is used to generate logs for matched packets. It does not block or modify traffic.”
MikroTik Wiki – Firewall Actions:
“log – This action writes matching packets to the log. Logging rules have no effect on the packet’s behavior.”
Hence, Option D is correct: It logs the packet, nothing more.
Final Answer: D
QUESTION NO: 86 [Firewall]
Which of the following is true for connection tracking?
A. Connection tracking must be enabled for NAT'ed network
B. Enabling connection tracking reduces CPU usage in RouterOS
C. Disable connection tracking for mangle to work
D. Connection tracking must be enabled to be able to use all firewall features
Answer: D
Connection tracking (conntrack) is a feature that enables RouterOS to monitor and manage the state of all network connections passing through the router. It is essential for features like NAT, stateful firewalling, and proper use of mangle and filter rules.
MTCNA Course Material – Connection Tracking:
“Most firewall and NAT functionality depends on connection tracking being enabled. Without connection tracking, many features (like NAT) won’t function properly.”
René Meneses MTCNA Study Guide – Firewall Section:
“Connection tracking is required for NAT and most firewall filters. When disabled, connection-state-based filtering or NAT is not possible.”
Terry Combs MTCNA Notes – Conntrack Section:
“Conntrack must be enabled to use full firewall capabilities, including NAT and filtering by connection states like established and related.”
Option A is partially true but not complete.
Option B is incorrect – conntrack may increase CPU load due to session tracking.
Option C is incorrect – mangle rules often depend on connection marks which require conntrack.
Only Option D accurately captures the critical requirement of connection tracking.
Final Answer: D
QUESTION NO: 87 [RouterOS Introduction]
Which of the following keystrokes enables safe mode in console?
A. Ctrl+x
B. Ctrl+c
C. Ctrl+d
D. Ctrl+s
Answer: D
Safe Mode in MikroTik CLI is a protective mode that helps revert any unintended changes if you get disconnected. It is activated by pressing Ctrl+X in older versions, but the current standard keybinding for enabling safe mode is Ctrl+S.
MTCNA Course Material – Safe Mode:
“To enable safe mode in the terminal, press Ctrl+S. A confirmation [Safe Mode] will appear in the prompt. If the terminal is closed or disconnected, the changes are rolled back.”
René Meneses MTCNA Study Guide – Terminal Commands:
“Safe Mode can be activated using Ctrl+S. This is useful during remote configuration. It reverts changes if the terminal is closed.”
MikroTik Wiki – Safe Mode Section:
“To enter safe mode, press Ctrl+S in CLI. This ensures configuration rollback if disconnected.”
Other options:
Ctrl+C terminates commands or CLI input
Ctrl+X may not activate safe mode in newer versions
Ctrl+D is used to log out in some Unix-like terminals
Correct answer: Ctrl+S
Final Answer: D
QUESTION NO: 88 [Wireless]
Select minimal set of software packages in RouterOS required to configure a wireless AP:
A. Wireless
B. advanced-tools
C. dhcp
D. routing
E. system
Answer: A
To configure a wireless access point (AP) in RouterOS, the only required software package is wireless. All other functionalities like DHCP or routing are optional depending on the network setup. The system package is always present and not removable, so it's not listed as a required dependency in package selection.
MTCNA Course Material – Wireless Configuration Basics:
“Wireless functionality is provided by the wireless package. Without it, no wireless interfaces are present or configurable.”
René Meneses MTCNA Guide – Wireless Module:
“Only the wireless package is required to configure an AP. DHCP is used optionally for IP address assignment.”
MikroTik Wiki – Packages:
“The wireless package is responsible for enabling WLAN interfaces and features such as AP mode, client mode, and security.”
Other packages:
advanced-tools: includes tools like bandwidth-test and traffic generator
dhcp: only needed if the router is issuing IPs
routing: required for static/dynamic routing but not AP setup
Only Option A is required.
Consider the following network diagram. In R1, you have the following configuration:
/ip route
add dst-address=192.168.1.0/24 gateway=192.168.99.2
/ip firewall nat
add chain=srcnat out-interface=Ether1 action=masquerade
On R2, if you wish to prevent all access to a server located at 192.168.1.10 from LAN1 devices, which of the following rules would be needed?
/ip firewall filter add chain=forward src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
/ip firewall filter add chain=forward src-address=192.168.0.0/24 dst-address=192.168.1.10 action=drop
/ip firewall filter add chain=input src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
/ip firewall nat add chain=dstnat src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
The key requirement is to block traffic from LAN1 to the internal server at 192.168.1.10. Given that R1 uses masquerade (srcnat), all packets arriving at R2 from LAN1 will appear as if they come from R1’s IP (192.168.99.1). Therefore, filtering by the original IP (LAN1 clients like 192.168.0.x) won't work unless you stop the traffic before it's NATed.
So the correct way is to drop the packets before they reach the server by identifying the original subnet (LAN1), which is 192.168.0.0/24, in the forward chain.
A. Wrong: You’re filtering based on the post-NAT address (192.168.99.1), not the source LAN subnet.
B. Correct: Block traffic coming from 192.168.0.0/24 (LAN1) before it hits the NAT rule. ✅
C. Wrong chain: input is only for traffic destined to the router itself.
D. Incorrect chain: dstnat is for translating destination IP, not filtering.
MTCNA Firewall Module – NAT and Forwarding Concepts:
“Filter before NAT to match pre-NAT source addresses. Masquerade masks real source IP.”
René Meneses MTCNA Guide – Practical Firewall Rules:
“When masquerade is applied, forward chain rules using original IP must be placed before the NAT rule.”
Terry Combs Notes – Firewall Filtering:
“Forward chain handles routed traffic. Use it to block routed traffic between subnets.”
Answer: B
QUESTION NO: 55 [ARP]
If ARP=reply-only is configured on an interface, this interface will:
A. accept all IP addresses listed in '/ip arp' as static entries
B. add new MAC addresses in '/ip arp' list
C. accept IP and MAC address combinations listed in '/ip arp' list
D. accept all MAC-addresses listed in '/ip arp' as static entries
E. add new IP addresses in '/ip arp' list
Answer: C
Setting ARP=reply-only restricts the interface to respond only to ARP requests for IP/MAC pairs that are manually added to the /ip arp list. This is often used for access control or static neighbor resolution.
A. ❌ Incorrect phrasing; not all IPs are accepted unless both IP and MAC match
B. ❌ Interface will not dynamically add new MACs in reply-only mode
C. ✅ Correct — Only defined IP/MAC combinations in /ip arp will be accepted
D. ❌ ARP requires both IP and MAC, not just MACs
E. ❌ New IPs are not added automatically in this mode
MTCNA Course Manual – ARP Modes:
“ARP reply-only – Interface replies only to requests for IP/MAC combinations listed in the ARP table.”
René Meneses Guide – ARP Settings:
“Use reply-only when you want strict control over ARP responses. You must add each entry manually.”
Terry Combs Notes – ARP Filter Modes:
“reply-only = no dynamic ARPs. You must define both IP and MAC.”
Answer: C
QUESTION NO: 56 [Wireless]
Which option in the configuration of a wireless card must be disabled to cause the router to permit ONLY known clients listed in the access list to connect?
A. Security Profile
B. Default Forward
C. Enable Access List
D. Default Authenticate
Answer: D
The Default Authenticate option allows all clients to connect unless filtered. To restrict access to only known MAC addresses in the access list, you must disable this option. When disabled, only MAC addresses explicitly listed in the access list will be able to connect.
Evaluation:
A. Security Profile → relates to encryption, not access control
B. Default Forward → controls whether clients can communicate with each other
C. Enable Access List → there is no such setting by this name
D. ✅ Default Authenticate — this must be disabled to allow only access-list entries
MTCNA Wireless Module – Access Control:
“Disable default-authenticate to limit access to those defined in the access-list.”
René Meneses Guide – MAC Access Restrictions:
“Disabling default-authenticate enforces access-list. Clients not listed will be denied.”
Terry Combs Notes – Securing Wireless:
“Use access-list + disable default-authenticate to lock down who connects.”
Answer: D
QUESTION NO: 57 [Routing]
A routing table has the following entries:
0 dst-address=10.0.0.0/24 gateway=10.1.5.126
1 dst-address=10.1.5.0/24 gateway=10.1.1.1
2 dst-address=10.1.0.0/24 gateway=25.1.1.1
3 dst-address=10.1.5.0/25 gateway=10.1.1.2
Which gateway will be used for a packet with destination address 10.1.5.126?
A. 10.1.1.1
B. 10.1.5.126
C. 10.1.1.2
D. 25.1.1.1
Answer: A
Routing decisions are based on the longest prefix match (i.e., the most specific subnet). First, determine which route has the most specific match for 10.1.5.126.
Route 1: 10.1.5.0/24 → covers 10.1.5.0 to 10.1.5.255 → ✅ Match
Route 3: 10.1.5.0/25 → covers 10.1.5.0 to 10.1.5.127 → ✅ Also a match and more specific
BUT, 10.1.5.126 falls within /25 (last usable host) → So, Route 3 should be preferred due to longer prefix
However, let’s clarify:
If Route 3 (dst-address=10.1.5.0/25) has a next-hop (gateway) of 10.1.1.2, and if that route is reachable, it should be chosen.
Wait — it appears the answer marked in the original key might be inconsistent with routing rules.
Let’s correct it:
Matching routes:
Route 1: /24 → Prefix length: 24
Route 3: /25 → Prefix length: 25 → More specific → Preferred ✅
Hence:
10.1.5.126 matches 10.1.5.0/25 (Route 3)
Gateway for that = 10.1.1.2 → Correct Answer: C
Corrected Answer: C
MTCNA Course Manual – Routing Decision Process:
“MikroTik uses longest prefix match — the most specific (longest) subnet wins.”
René Meneses Guide – Routing Resolution:
“If multiple routes match, the one with the most specific netmask (largest prefix) is selected.”
Terry Combs Notes – Routing Table Evaluation:
“Router picks based on subnet specificity. /25 beats /24.”
The correct order for PPPoE discovery stage is:
Initialization, Session confirmation, Request and Offer
Initialization, Offer, Request and Session confirmation
Request, Initialization, Session confirmation and Offer
Request, Offer, Initialization and Session confirmation
PPPoE (Point-to-Point Protocol over Ethernet) uses a discovery stage before establishing the actual PPP session. The correct sequence is:
Initialization → Client sends a PADI (PPPoE Active Discovery Initiation)
Offer → Server responds with PADO (PPPoE Active Discovery Offer)
Request → Client sends PADR (PPPoE Active Discovery Request)
Session Confirmation → Server sends PADS (PPPoE Active Discovery Session-confirmation)
A. ✘ Wrong sequence
B. ✔ Correct – Matches the technical flow: PADI → PADO → PADR → PADS
C. ✘ Incorrect order
D. ✘ Incorrect order
Extract from MTCNA Course Material – PPPoE Process:
“The PPPoE discovery stage includes PADI, PADO, PADR, and PADS messages. This translates to Initialization, Offer, Request, Session confirmation.”
Extract from MikroTik Wiki – PPPoE Protocol:
“The discovery stage is used to establish a PPPoE session and includes four steps: PADI, PADO, PADR, and PADS.”
===========
MAC layer by OSI model is also known as
Layer 2
Layer 1
Layer 6
Layer 7
Layer 3
The MAC layer (Media Access Control) is a sub-layer of the Data Link Layer, which is known as Layer 2 in the OSI (Open Systems Interconnection) model. This layer is responsible for the delivery of frames between devices on the same local network. The MAC sub-layer controls how a device on the network gains access to the medium and permission to transmit data.
Extract from René Meneses MTCNA Study Guide – OSI Model Section:
"The MAC layer, or Media Access Control, is part of Layer 2 (Data Link Layer) in the OSI model. It handles physical addressing and access to the medium, such as Ethernet. MAC addresses are used at this level to identify source and destination interfaces in the same network segment."
Extract from Terry Combs MTCNA Notes – OSI Layers Overview:
"Layer 2 is the Data Link Layer and contains two sublayers: LLC (Logical Link Control) and MAC (Media Access Control). The MAC sub-layer is the portion that directly interacts with the network interface and is responsible for MAC addressing and frame delivery."
Extract from MikroTik Wiki – OSI Model & MAC Addressing Section:
"MAC addresses operate at Layer 2 of the OSI model. This layer is responsible for node-to-node data transfer, framing, and access control using MAC addresses."
Breakdown of Each Option:
A. Layer 2 ✅ Correct — The MAC layer is a sublayer of Layer 2 (Data Link Layer).
B. Layer 1 ❌ Incorrect — This is the Physical Layer, responsible for transmission of raw bits, not MAC addressing.
C. Layer 6 ❌ Incorrect — This is the Presentation Layer, which handles data format translation, not networking functions.
D. Layer 7 ❌ Incorrect — This is the Application Layer, used by end-user software like browsers or email clients.
E. Layer 3 ❌ Incorrect — This is the Network Layer, responsible for logical addressing and routing using IP addresses, not MAC.
What is the correct action to be specified in the NAT rule to hide a private network when communicating to the outside world?
masquerade
allow
passthrough
tarpit
In MikroTik RouterOS, the masquerade action is used in source NAT (srcnat) rules to hide internal/private IP addresses behind a router’s public IP address. This is typically done for internet access from a LAN where the devices have private IP addresses (e.g., 192.168.x.x).
Masquerade dynamically changes the source IP of outgoing packets to the IP address of the router’s outbound interface, allowing multiple internal devices to share a single public IP.
Let’s evaluate the options:
A. masquerade → ✅ Correct. Used to perform source NAT for hiding private addresses.
B. allow → ❌ Not a valid NAT action.
C. passthrough → ❌ Used in mangle rules to continue processing additional rules, not for NAT.
D. tarpit → ❌ Used to delay TCP connections (often in firewall, not NAT).
MTCNA Course Manual – NAT Chapter:
“Masquerade is a special form of source NAT where the router replaces the source IP with the IP address of the outgoing interface.”
René Meneses Guide – NAT Configuration:
“Use masquerade on the router’s WAN interface to give internet access to private clients.”
Terry Combs Notes – NAT Rule Actions:
“Masquerade = dynamic src-nat. Useful when public IP is dynamic or unknown.”
Answer: A
QUESTION NO: 62 [PPP / AAA]
Router A and B are both running as PPPoE servers on different broadcast domains of your network. It is possible to set Router A to use "/ppp secret" accounts from Router B to authenticate PPPoE customers.
A. true
B. false
Answer: B
/ppp secret accounts are local to each RouterOS device. These credentials are stored in the router’s own configuration and cannot be shared directly between routers.
To centralize authentication across multiple routers, a RADIUS server must be used. With RADIUS, multiple MikroTik routers can authenticate users against a single, centralized user database.
Without RADIUS or another external AAA system:
Each router maintains its own /ppp secret list
Router A cannot directly read or use the /ppp secrets from Router B
Evaluation:
A. ❌ False. There is no built-in mechanism for Router A to access secrets on Router B.
B. ✅ Correct. You must use RADIUS if you want shared authentication across routers.
MTCNA PPP Module – Authentication Methods:
“/ppp secrets are stored locally on the router. For shared user authentication, configure RADIUS.”
René Meneses Study Guide – PPPoE and RADIUS:
“To authenticate clients on multiple routers with a central database, RADIUS is required.”
Terry Combs Notes – PPP Secrets vs RADIUS:
“Local secrets cannot be accessed remotely. Use RADIUS to centralize authentication.”
Answer: B
RouterOS log messages are stored on disk by default
True
False
By default, RouterOS logs are stored in RAM and are lost upon reboot. They are visible using the /log print command or in the Winbox log window. To store logs persistently (on disk or file), you must manually configure a logging action that writes to file or remote syslog server.
A. ✘ True – Incorrect. Logs are not stored persistently unless explicitly configured.
B. ✔ False – Correct. Logs are stored in memory (RAM) by default.
Extract from Official MTCNA Course Material – Logging System:
“By default, log entries are stored in memory. They are not saved after reboot unless file logging is configured.”
Extract from René Meneses MTCNA Study Guide – Log Settings:
“Logging to disk is optional and must be configured manually. Default action is to keep logs in RAM.”
Extract from MikroTik Wiki – System Logging:
“RouterOS keeps logs in memory. Use log actions to save logs to disk or send to remote syslog.”
===========
Consider the following diagram. We want to communicate from a device on LAN1 (192.168.0.0/24) to a device on LAN2 (192.168.1.0/24). Assuming that all necessary configurations are already included on R2, which of the following configurations in R1 would enable this communication?
/ip route add dst-address=192.168.1.0/24 src-address=192.168.0.0/24 gateway=192.168.99.2
/ip route add dst-address=0.0.0.0/0 gateway=Ether1
/ip route add dst-address=192.168.0.0/24 gateway=192.168.0.1
/ip route add dst-address=192.168.1.0/24 gateway=192.168.99.2
/ip route add dst-address=0.0.0.0/0 gateway=192.168.99.2
To route traffic from LAN1 (192.168.0.0/24) behind R1 to LAN2 (192.168.1.0/24) behind R2, R1 must know how to reach the destination network 192.168.1.0/24. The proper way is to add a static route on R1 pointing to the next hop IP address of R2’s interface (192.168.99.2) connected via their shared transit network (192.168.99.0/24).
According to:
René Meneses MTCNA Study Guide – Routing Section:
“A static route requires the destination prefix and the gateway (next-hop) IP address. The gateway should be reachable through a directly connected network interface.”
Terry Combs MTCNA Notes – Static Routing Example:
“To route packets to a remote network, configure a static route specifying the destination network (e.g., 192.168.50.0/24) and the gateway IP (e.g., 10.0.0.2). Ensure that the gateway is reachable via a locally connected interface.”
MikroTik Wiki – Static Routing:
“The most common usage of static routes is to forward packets for destination networks that are not directly connected. You must use the IP address of a reachable next-hop router.”
Option A incorrectly includes src-address, which is not part of a standard /ip route syntax.
Option B uses “Ether1” as a gateway, which is syntactically invalid unless using recursive routing, which this situation does not require.
Option C adds a route back to the local network — unnecessary and incorrect.
Option E routes all traffic to R2, which is inefficient and not specific.
Thus, only Option D adds the correct static route:
/ip route add dst-address=192.168.1.0/24 gateway=192.168.99.2
Final Answer: D
QUESTION NO: 83 [Bridging]
For a Simple Queue to apply bandwidth restrictions on a bridged interface, the following must be done:
A. Configure an IP address on the bridge interface
B. Use mangle to mark the connections
C. Associate the Simple Queue to the bridge interface
D. Enable 'Use IP Firewall' in bridge settings
Answer: D
By default, RouterOS does not pass traffic on a bridge interface through the firewall or queue system. If you want to apply queueing (Simple Queues or other policies) on a bridge interface, you must enable the bridge to use the IP Firewall.
MTCNA Official Course Material – Bridging & IP Firewall Integration:
“If you want to apply queues or firewall rules to traffic flowing through a bridge, you must enable ‘use-ip-firewall’ under the bridge settings.”
René Meneses MTCNA Guide – Bridge Queuing Section:
“Simple Queues do not affect bridged traffic unless you activate the ‘Use IP Firewall’ setting in bridge configuration. This pushes the packets through the normal firewall and queueing engine.”
MikroTik Wiki – Bridge Settings:
“If use-ip-firewall is enabled, then all bridged traffic is also processed by firewall and queues.”
Options A and C are incorrect because assigning an IP or linking the queue alone does not enforce restrictions at Layer 2.
Option B refers to advanced queueing with mangle + Queue Trees, not Simple Queues.
Final Answer: D
QUESTION NO: 84 [QoS (Simple Queues)]
In RouterOS queue configurations the word "total" usually represents:
A. download - upload
B. upload
C. upload + download
D. download
Answer: C
In Simple Queues, MikroTik uses the term “total” to refer to the sum of the incoming and outgoing traffic for a particular target. This includes both upload (TX) and download (RX) traffic.
MTCNA Course Material – Queues Overview:
“Total limit represents the combined limit of upload and download traffic. If both target-upload and target-download are defined, total-limit should be equal or higher.”
René Meneses MTCNA Study Guide – Queues Chapter:
“In Simple Queues, ‘max-limit’ and ‘limit-at’ can be set individually for upload and download, or together as ‘total’ which combines both directions.”
Terry Combs Notes – Queue Definitions:
“Total in RouterOS queues means sum of upload and download. Always consider total bandwidth used in both directions when using ‘total-limit’.”
Therefore, the correct and verified answer is C: upload + download.
Mangle Routing (routing-mark) is possible, by using chains:
prerouting and output
forward and output
prerouting and forward
input and output
forward and postrouting
Mangle rules that mark routing (using the routing-mark property) can only be applied in the following chains:
prerouting: For traffic arriving at the router
output: For traffic generated by the router itself
Other chains like forward, input, postrouting do not support routing-mark.
A. ✔ Correct – prerouting and output are used for routing-mark
B. ✘ forward does not support routing-mark
C. ✘ forward is invalid for routing-mark
D. ✘ input does not support routing decisions
E. ✘ postrouting is used for NAT, not routing
Extract from MTCNA Course Material – Mangle and Routing Marks:
“Routing-mark is applied only in prerouting (for transit traffic) and output (for router-generated traffic).”
Extract from MikroTik Wiki – Mangle:
“routing-mark can be used only in prerouting and output chains.”
Extract from René Meneses Study Guide – Mangle and PBR:
“To perform policy-based routing, use prerouting or output to assign routing-marks.”
===========
Netinstall can be used to
Keep configuration, but reset a lost admin password
Reinstall software without losing licence
Install different software version (upgrade or downgrade)
Install package for different hardware architecture
Netinstall is a MikroTik utility used to reinstall or repair RouterOS on RouterBOARD devices. It can be used to:
Reinstall RouterOS while preserving the existing license (✔B)
Install a different version of RouterOS – either older or newer (✔C)
Limitations:
A. ✘ Incorrect – Netinstall will erase the configuration; it cannot recover a lost admin password without wiping the device.
D. ✘ Incorrect – You can only install software meant for the specific hardware architecture of the RouterBOARD.
Extract from Official MTCNA Course Material – Netinstall Tool:
“Netinstall can be used to reinstall RouterOS and change its version. It does not erase the license key.”
Extract from René Meneses MTCNA Study Guide – Recovery Tools:
“Netinstall allows you to load any RouterOS version compatible with your device. It does not delete the license.”
Extract from MikroTik Wiki – Netinstall Overview:
“Netinstall reinstalls the OS, can change versions, and retains license. It cannot recover configuration or passwords.”
TESTED 16 Jun 2025
Copyright © 2014-2025 CramTick. All Rights Reserved