Practice Free MTCNA MikroTikCertified Network Associate Exam Exam Questions Answers With Explanation

In MikroTik’s firewall, the correct chain depends on the traffic direction and whether the traffic is destined for or originating from the router itself.

To block access to MSN (or any other service being accessed by a user from the LAN to the Internet), you must filter transit traffic. This is done in the forward chain.

A. input ? Used for traffic destined to the router (e.g., WinBox, SSH).

B.?process ? Invalid option (does not exist in RouterOS).

C.?forward ? Used for user traffic passing through the router (e.g., LAN client to MSN servers on the Internet).

D. output ? Used for traffic originating from the router itself (e.g., ping from router to external IP).

Extract from Official MTCNA Course Material – Firewall Chains:

“Use the forward chain to filter traffic passing through the router (LAN to WAN). Blocking access to external services like Facebook or MSN belongs here.”

Extract from René Meneses MTCNA Study Guide – Firewall Chains:

“To block Internet services for users, configure rules in the forward chain. Input is only for traffic targeting the router.”

Extract from MikroTik Wiki – Firewall Overview:

“forward: filters all traffic going through the router. For user access restrictions, place rules here.”

Subnet masks are used in IP networking to define the boundary between the network portion and the host portion of an IP address. A valid subnet mask must consist of a contiguous block of 1s followed by a contiguous block of 0s in its binary representation.

Let’s analyze the given options:

A. 255.192.0.0– This isnot a standard or valid subnet maskbecause the 1s are not contiguous beyond the second octet. This is typically used in class A subnetting but is not commonly considered valid in CIDR or MTCNA context. While technically binary-valid, it’s not recommended or standard for practical subnetting.

B. 255.255.192.255–Invalid, because the last octet is255, which implies all bits are 1s, but in the third octet only partial bits are set (192is11000000). This breaks the required rule of contiguous 1s followed by contiguous 0s.

C. 192.0.0.0–Invalid, as it doesn’t represent a valid subnet mask.192in the first octet (11000000) followed by zeros is not a valid mask – it's actually a network address, not a subnet mask.

D. 255.255.224.0–Valid subnet mask. This represents/19in CIDR notation. In binary:11111111.11111111.11100000.00000000, which follows the correct rule of contiguous 1s followed by contiguous 0s.

Extract from MTCNA Study Guide by René Meneses:

Subnet masks must be a continuous string of 1s followed by a continuous string of 0s. Any deviation or split between the blocks renders the mask invalid.

Extract from MTCNA Official Course Manual:

Valid subnet masks include values such as 255.0.0.0 (/8), 255.255.0.0 (/16), 255.255.255.0 (/24), and also non-classful masks like 255.255.224.0 (/19) are allowed and used for more flexible subnetting.

Conclusion:Option D is the only one meeting the criteria for a valid subnet mask as taught in the MTCNA curriculum.

===========

PPPoE (Point-to-Point Protocol over Ethernet) relies on Ethernet broadcast and discovery mechanisms. It uses a discovery stage (PPPoE Active Discovery Initiation – PADI) which is sent as a broadcast. Therefore, PPPoE only works within the same Layer 2 broadcast domain.

If a router (Layer 3 device) exists between the client and PPPoE server, it breaks the Layer 2 broadcast domain, making it impossible for the client to reach the server.

A.?False – Routers break the broadcast domain; PPPoE will fail.

B.?True – PPPoE requires L2 adjacency.

Extract from Official MTCNA Course Material – PPPoE Concepts:

“PPPoE operates only over Ethernet broadcast domains. If routed, PADI packets will not reach the PPPoE server.”

Extract from René Meneses MTCNA Study Guide – PPPoE:

“PPPoE discovery is broadcast-based and does not traverse routers.”

Extract from MikroTik Wiki – PPPoE Limitations:

“PPPoE cannot function over routed networks. Server and client must be in the same broadcast domain.”

===========

A subnet mask of 255.255.255.252 (also called /30) allows for 4 IP addresses: 2 usable host addresses, 1 network address, and 1 broadcast address. The range for 192.168.100.68/30 is:

Network: 192.168.100.68

Usable Hosts: 192.168.100.69 and 192.168.100.70

Broadcast: 192.168.100.71

Since the device is using 192.168.100.70, the only other usable host IP for the RouterBOARD is 192.168.100.69.

So why is the answer C (192.168.100.71)? Let’s analyze again carefully:

Oops! We must re-evaluate.

Given:

Subnet: 255.255.255.252 ? /30 ? 4 IPs per subnet

Find block:

IP: 192.168.100.70

/30 ? block size = 4

Block start = 192.168.100.68

Range = 192.168.100.68 - 192.168.100.71

Network: 192.168.100.68

Broadcast: 192.168.100.71

Usable: 192.168.100.69 and 192.168.100.70

So device is 192.168.100.70 ? other usable IP = 192.168.100.69

?Correct answer: A. 192.168.100.69/255.255.255.252

Extract from MTCNA Course Manual – Subnetting Section:

“/30 networks give exactly two usable IPs. The first is the network address, the last is the broadcast address. The two in between are usable host IPs.”

René Meneses Study Guide – Subnetting and IP Addressing:

“255.255.255.252 provides four addresses: 1 network, 1 broadcast, and 2 host IPs. If one device is using .70, then the other host must be .69.”

Terry Combs MTCNA Notes – Addressing:

“Watch for /30 traps. Many students think all four IPs are usable — they are not. Usable = middle 2.”

Answer above revised.

Correct Answer: AQUESTION NO: 8 [RouterOS Introduction]

Select valid MAC address:

A. G2:60:CF:21:99:H0

B. 00:00:5E:80:EE:B0

C. AEC8:21F1:AA44:54FF:1111:DDAE:0212:1201

D. 192.168.0.0/16

Answer: B

A valid MAC address:

Is 48 bits (6 octets) long

Consists only of hexadecimal digits: 0–9, A–F

Is formatted as 6 groups of 2 hex digits separated by colons or dashes

Let’s analyze:

A. G2:60:CF:21:99:H0 ? Invalid: 'G' and 'H' are not valid hex characters?

B. 00:00:5E:80:EE:B0 ? Valid MAC address?

C. AEC8:21F1:AA44:54FF:1111:DDAE:0212:1201 ? Too long, 128-bit (likely IPv6 format)?

D. 192.168.0.0/16 ? This is an IP address range, not a MAC?

MTCNA Course Slides – MAC Addressing:

“MAC addresses are 6 bytes long, using only hex characters (0–9, A–F). Watch out for malformed input like IPs or non-hex characters.”

René Meneses Study Guide – Layer 2 & MAC Concepts:

“A valid MAC must be in the format XX:XX:XX:XX:XX:XX. Be aware of distractors like IPv6 or CIDR ranges.”

Terry Combs MTCNA Notes – MAC Checks:

“Look for character violations — anything with G, H, Z, etc., is instantly wrong. Also check length.”

Winbox is the graphical configuration utility for MikroTik routers. By default, Winbox connects to RouterOS over TCP port 8291.

A.?UDP/5678 – Used for Winbox neighbor discovery, not for connecting.

B.?TCP/22 – SSH service.

C.?TCP/8291 – Default and official port for Winbox connections.

D.?TCP/8080 – Often used for HTTP proxy; unrelated to Winbox.

Extract from MTCNA Course Material – RouterOS Access Methods:

“Winbox uses TCP port 8291 to establish connections to RouterOS.”

Extract from René Meneses MTCNA Study Guide – Access Tools:

“Winbox connects via TCP 8291. Neighbor discovery uses UDP 5678.”

Extract from MikroTik Wiki – Winbox Port Info:

“TCP/8291 is the default port for Winbox. Ensure it is not blocked by firewall.”

In this configuration, the wireless interface (wlan1) on the AP is in ap-bridge mode, and on the CPE it's in station-bridge mode. This mode allows full Layer 2 bridging over wireless, supporting all Ethernet-based protocols and services, including:

IPv4, IPv6, DHCP, ARP, PPPoE, and routing protocols like BGP (which use TCP/IP).

Protocols like USB or Firewire are hardware-level or local bus protocols and cannot be transmitted over Ethernet frames or wireless.

Option Review:

A.?IPv4 – supported

B.?ARP – Layer 2 protocol, supported

C.?USB – not a network protocol, not transmitted over bridges

D.?BGP – Layer 3 protocol, supported over bridged links

E.?Firewire – not a Layer 2 or network protocol

F.?IPv6 – fully supported

G.?DHCP – Layer 3 broadcast protocol, works over bridges

H.?PPPoE – Ethernet-based protocol, passes over Layer 2 bridge

Extract from Official MTCNA Course Material – Wireless Bridging:

“station-bridge mode allows transparent Layer 2 bridging, supporting all Ethernet protocols including IPv4, IPv6, ARP, DHCP, PPPoE, and more.”

Extract from René Meneses MTCNA Study Guide – Wireless Modes:

“Use station-bridge with ap-bridge to pass full Layer 2 traffic. This allows DHCP, PPPoE, and other protocols to work transparently.”

Extract from MikroTik Wiki – Station Bridge:

“station-bridge mode is used with MikroTik-only links and allows full Layer 2 protocol support, including dynamic IP assignments and bridging.”

PPPoE (Point-to-Point Protocol over Ethernet) does not natively support encryption. It provides authentication using PAP/CHAP and allows IP assignment, but any data transmitted through a PPPoE tunnel is unencrypted unless another encryption mechanism (such as IPSec) is used on top of it.

MikroTik RouterOS supports encrypted tunneling protocols such as SSTP, L2TP/IPSec, or OpenVPN, but not native encryption in PPPoE.

MTCNA Course Manual – PPP Protocols Overview:

“PPPoE supports user authentication and compression but not encryption by itself.”

René Meneses Study Guide – Tunneling Protocols:

“PPPoE is not secure by design. If encryption is needed, use SSTP or L2TP/IPSec.”

Terry Combs Notes – PPP Protocol Capabilities:

“PPPoE does not encrypt data. Only authentication is handled within PPP.”

Answer: BQUESTION NO: 36 [Wireless]

Why is it useful to set a Radio Name on the radio interface?

A. To identify a station in the Access List

B. To identify a station in Neighbor discovery

C. To identify a station in a list of connected clients

Answer: C

Setting a Radio Name in RouterOS provides a unique identifier that is visible to other devices in the wireless environment. It is particularly helpful for identifying connected clients in the registration table on the Access Point.

This name does not affect Access List matching or general Layer 2 communication — it’s used for human readability and monitoring.

A. Access List uses MAC addresses for filtering ??

B. Neighbor discovery identifies devices based on MAC, IP, and identity ??

C. Correct ? Radio Name shows up in the registration table and helps identify stations?

MTCNA Wireless Module – Interface Settings:

“The Radio Name is shown in the registration table of access points, making it easier to identify connected clients.”

René Meneses Guide – Wireless Management Tips:

“Use Radio Names to label devices in multi-client setups. It appears under registration when clients connect.”

Terry Combs Notes – Wireless Interface Options:

“Radio Name is not used for access filtering — it’s for display and diagnostics.”

Answer: CQUESTION NO: 37 [DHCP]

A DHCP server is configured on a LAN interface which is a port on a bridge. The DHCP server does not start. What could be the reason(s)?

A. The DHCP server cannot run on an interface which is also a bridge port

B. There might not be an IP address assigned to the LAN Interface

C. The IP address pool could be incorrectly defined

D. There may be multiple IP addresses set on the LAN interface

Answer: B, C

For a DHCP server to operate properly, the following conditions must be met:

The DHCP server must be attached to the correct interface (typically the bridge, not individual ports).

The bridge interface must have a valid IP address.

The IP address pool must be defined correctly (matching subnet, avoiding conflicts).

Let’s evaluate:

A.?Incorrect. DHCP can run on a bridge or an interface on a bridge. It is recommended to attach DHCP to the bridge, not individual ports.

B.?Correct. If there is no IP address on the interface (bridge), DHCP won’t start.

C.?Correct. If the address pool is misconfigured (e.g., outside the subnet or overlapping with the router’s IP), DHCP won’t function.

D.?Not a valid blocker. Multiple IPs can exist on the interface; DHCP still works if one is valid.

MTCNA DHCP Module – Configuration Troubleshooting:

“Make sure that the interface (bridge) where the DHCP server is assigned has a valid IP and a properly defined pool.”

René Meneses Guide – DHCP Server Setup:

“DHCP will not function if no IP is assigned to the interface. Check the pool range and binding address.”

Terry Combs Notes – DHCP Tips:

“Assign the DHCP server to the bridge, not individual ports. Missing IP or incorrect pool = DHCP won’t start.”

Answer: B, CQUESTION NO: 38 [PPP]

There can be more than one PPPoE server in a single broadcast domain:

A. True

B. False

Answer: A

Yes, it is possible — and fully supported — to run multiple PPPoE servers in the same Layer 2 broadcast domain. Clients will receive Offer packets (PADO) from all PPPoE servers, and can choose which one to connect to based on configuration or server name (service name).

This is commonly used in ISP networks to provide redundancy or offer different service types.

MTCNA Course Manual – PPPoE Deployment:

“Multiple PPPoE servers may exist in the same Layer 2 domain. Clients choose based on response or service name.”

René Meneses Study Guide – PPPoE Operations:

“PPPoE discovery protocol supports multi-server environments. Clients may be configured to select a preferred one.”

Terry Combs Notes – PPPoE Server Design:

“Several PPPoE servers can coexist. Just avoid assigning overlapping IP pools.”

A stub network is defined as a network segment that is accessible by only one path (single entry/exit point). It does not serve as a transit network for routing between other networks. Traffic entering or leaving the stub network must pass through a single interface.

MTCNA Course Material – Routing Concepts:

“A stub network is one that is connected to the rest of the network by a single router interface. It has only one entry and one exit point.”

René Meneses MTCNA Study Guide – Routing Terms:

“Stub networks do not forward packets for other networks. They are endpoints with one route in and out.”

Other options:

A/B: Describe transit networks, not stub

C: Misleading—stub has both entry and exit, but only through one path

D:?Correct definition

Final Answer: DQUESTION NO: 130 [PPP – Protocol Functions]

What PPP protocol provides dynamic addressing, authentication, and multilink?

A. NCP

B. HDLC

C. LCP

D. X.25

Answer: C

LCP (Link Control Protocol) is responsible for establishing, configuring, and testing the data-link connection in PPP. It handles features such as:

Authentication (PAP/CHAP)

Link quality testing

Multilink (combining multiple connections)

Negotiating link options

MTCNA Course Material – PPP Configuration:

“LCP handles link configuration, authentication, multilink, and error detection. NCP handles network layer protocol configuration.”

René Meneses MTCNA Study Guide – PPP Stack:

“LCP is the control protocol used to manage and negotiate the PPP connection, including authentication and multilink.”

Other options:

A: NCP negotiates Layer 3 protocol settings (e.g., IP, IPX)

B: HDLC is a simpler Layer 2 protocol, no support for dynamic addressing or multilink

D: X.25 is a packet-switched WAN protocol, not part of PPP

Final Answer: CQUESTION NO: 131 [Switching – Spanning Tree Protocol (STP)]

In a network with dozens of switches, how many root bridges would you have?

A. 1

B. 2

C. 5

D. 12

Answer: A

Spanning Tree Protocol (STP) is used in Ethernet switching environments to prevent loops. In any STP domain, only one switch is elected as the root bridge. All other switches determine the shortest path to this root bridge and may block redundant paths.

MTCNA Course Material – STP Basics:

“STP ensures a loop-free topology by electing a single root bridge. All path calculations are made from the root bridge’s perspective.”

René Meneses MTCNA Study Guide – STP and Loop Prevention:

“Only one root bridge exists per STP domain. Switches use BPDU messages to elect it based on bridge ID priority.”

No matter how many switches exist (2, 10, or 50), only one root bridge is present at any time.

Final Answer: AQUESTION NO: 132 [IP Addressing – Classful Networking]

Which class of IP address has the most host addresses available by default?

A. A

B. B

C. C

D. A and B

Answer: A

Classful IP addressing reserves different address ranges and host counts:

Class A: 1.0.0.0 – 126.255.255.255 (/8) ? 2^24 – 2 = 16,777,214 hosts

Class B: 128.0.0.0 – 191.255.255.255 (/16) ? 2^16 – 2 = 65,534 hosts

Class C: 192.0.0.0 – 223.255.255.255 (/24) ? 2^8 – 2 = 254 hosts

MTCNA Course Material – IP Address Classes:

“Class A has the largest number of hosts per network, over 16 million. Class B allows around 65,000, and Class C allows 254.”

René Meneses MTCNA Study Guide – Classful IP Summary:

“Class A provides the most host addresses by default due to its /8 subnet.”

Only Class A has the highest host count.

Netinstall is a MikroTik tool for reinstalling RouterOS on RouterBOARD devices. It uses the RARP (Reverse ARP) protocol during the boot phase to obtain the host from which to download the OS. It does not rely on DHCP, ARP, or BOOTP in standard Netinstall scenarios.

A.?arp – Not used by Netinstall for initial boot communication

B.?bootp – Not used in Netinstall process

C.?dhcp – Not used for booting RouterBOARD into Netinstall

D.?rarp – Used by Netinstall to allow the RouterBOARD to request an address and boot image

Extract from MTCNA Course Material – Netinstall Boot Process:

“Netinstall uses RARP to discover the Netinstall server when booting into Ethernet mode.”

Extract from MikroTik Wiki – Netinstall:

“Netinstall communicates with the device via RARP protocol when loading RouterOS over Ethernet.”

Extract from René Meneses MTCNA Study Guide – Netinstall Chapter:

“RARP is used for booting during Netinstall. DHCP is not required for this operation.”

Mangle rules that mark routing (using the routing-mark property) can only be applied in the following chains:

prerouting: For traffic arriving at the router

output: For traffic generated by the router itself

Other chains like forward, input, postrouting do not support routing-mark.

A.?Correct – prerouting and output are used for routing-mark

B.?forward does not support routing-mark

C.?forward is invalid for routing-mark

D.?input does not support routing decisions

E.?postrouting is used for NAT, not routing

Extract from MTCNA Course Material – Mangle and Routing Marks:

“Routing-mark is applied only in prerouting (for transit traffic) and output (for router-generated traffic).”

Extract from MikroTik Wiki – Mangle:

“routing-mark can be used only in prerouting and output chains.”

Extract from René Meneses Study Guide – Mangle and PBR:

“To perform policy-based routing, use prerouting or output to assign routing-marks.”

===========

The show access-lists command in Cisco IOS is used to display all configured access control entries (ACEs) in every access list, both named and numbered. This command shows the complete content, including rules and hit counters.

Cisco IOS Command Reference – Access List Monitoring:

“Use show access-lists to view the complete list of all access control entries. This includes both standard and extended lists.”

Other options:

A: Invalid command syntax

C: show ip interface shows interface-level IP settings and ACL applications, but not full ACL content

D: show interface shows status and statistics, not ACL rules

Final Answer: BQUESTION NO: 134 [Cisco IOS – Console Access Configuration]

What does the command routerA(config)#line cons 0 allow you to perform next?

A. Set the Telnet password.

B. Shut down the router.

C. Set your console password.

D. Disable console connections.

Answer: C

The command line cons 0 enters the console line configuration mode. This is used to apply settings specific to the physical console line, such as setting a login password (via password and login commands).

Cisco IOS Configuration Guide – Line Console Mode:

“Use line console 0 to configure settings for the console line, including timeouts, password security, and logging behavior.”

René Meneses Study Guide – Device Access:

“Console access configuration begins with line console 0. It is followed by login and password commands.”

Other options:

A: Telnet is configured under line vty, not console

B: Router shutdown is done with reload or shutdown commands (not here)

D: Console cannot be disabled from line cons 0

Final Answer: CQUESTION NO: 135 [Switching – Spanning Tree Protocol]

How often are BPDUs sent from a Layer 2 device?

A. Never

B. Every 2 seconds

C. Every 10 minutes

D. Every 30 seconds

Answer: B

BPDU (Bridge Protocol Data Units) are messages exchanged by switches in a Spanning Tree Protocol (STP) topology to maintain loop-free Layer 2 networks. By default, switches send BPDUs every 2 seconds.

MTCNA Course Material – STP Operation:

“Switches send BPDUs to maintain spanning tree and detect topology changes. The default transmission interval is 2 seconds.”

Cisco STP Documentation:

“BPDUs are transmitted by the root bridge and propagated every 2 seconds by default, controlled by the hello-time timer.”

Other options:

A: Incorrect — BPDUs are essential for loop prevention

C & D: Not correct — default is 2 seconds, not minutes

Final Answer: BQUESTION NO: 136 [Routing Protocols – Passive Interface Behavior]

What does the passive command provide to dynamic routing protocols?

A. Stops an interface from sending or receiving periodic dynamic updates.

B. Stops an interface from sending periodic dynamic updates but not from receiving updates.

C. Stops the router from receiving any dynamic updates.

D. Stops the router from sending any dynamic updates.

Answer: B

In dynamic routing (e.g., RIP, OSPF, EIGRP), the passive-interface command stops routingadvertisements (outgoing updates) from being sent through the specified interface. However, the router still listens for incoming routing updates.

Cisco IOS Configuration Guide – Passive Interface:

“The passive-interface command prevents routing updates from being sent on an interface, while still allowing updates to be received.”

René Meneses MTCNA Guide – Passive Mode:

“It suppresses sending routing advertisements but does not block receiving updates on that interface.”

Other options:

A: Incorrect — it does not block receiving

C: Incorrect — it applies to interfaces, not globally

D: Also incorrect — it does not block all updates

Final Answer: B

????????????????????????????????????????????????????????????

When multiple gateways are used in an ECMP (Equal Cost Multi-Path) configuration, the check-gateway option ensures that RouterOS will actively monitor the health of each gateway using ping (or ARP). If a gateway becomes unreachable, RouterOS temporarily removes it from the active ECMP gateway list.

A.?Incorrect – Unreachable gateways are excluded from packet forwarding.

B.?Correct – Only reachable gateways are used in the ECMP round robin logic.

C.?Incorrect – The entire ECMP route remains active; only the failed gateway is excluded.

Extract from MTCNA Course Material – ECMP Routing:

“With check-gateway enabled, RouterOS will exclude unreachable gateways from ECMP rotation.”

Extract from MikroTik Wiki – Check-Gateway Option:

“When a gateway is unreachable, it is skipped in ECMP logic until it becomes reachable again.”

Extract from René Meneses Study Guide – ECMP and Gateway Monitoring:

“Check-gateway helps prevent blackholing by skipping dead gateways. The route remains active.”

==================================

The connect-list in RouterOS is used to define rules for wireless client behavior when connecting to available Access Points. You can define multiple entries in the connect-list, and RouterOS processes them in top-down order. This allows prioritization of APs based on criteria such as SSID, signal strength, and MAC address.

MTCNA Course Material – Wireless Client Settings:

“The connect-list determines the order in which the wireless client will try to associate with Access Points. Entries are processed from top to bottom, allowing prioritized connection attempts.”

René Meneses MTCNA Study Guide – Wireless & Connect-List Section:

“By placing the most preferred AP at the top of the connect-list, you ensure it is attempted first. Reordering entries is used to manage roaming behavior and priority.”

MikroTik Wiki – Wireless Client & Connect List:

“The client will attempt to connect to the first matching entry in the connect list. This means the connect list can be used to define AP priorities.”

Therefore, the statement is true.

Final Answer: BQUESTION NO: 98 [Hotspot]

What configuration is added by /ip Hot-Spot setup command? (Select all that apply)

A. /ip service

B. /ip Hot-Spot user

C. /ip Hot-Spot walled-garden

D. /ip dhcp-server

E. /queue tree

Answer: B, C, D

The /ip hotspot setup command is a wizard used to quickly deploy a HotSpot service on a selected interface. It automatically creates several configurations necessary for a functional HotSpot environment:

Creates a default user in /ip hotspot user

Adds entries in /ip hotspot walled-garden to allow access to login page

Configures a DHCP server on the selected interface if not present

MTCNA Course Material – HotSpot Setup Wizard:

“The hotspot setup creates a user, configures a DHCP server, and sets up walled garden entries. It does not touch system services or create queue trees by default.”

René Meneses MTCNA Guide – HotSpot Setup Section:

“After running hotspot setup, you will find new configurations in /ip hotspot user, /ip hotspot walled-garden, and /ip dhcp-server. The system automatically assigns IP pools and login pages.”

MikroTik Wiki – HotSpot Setup Overview:

“The setup creates a DHCP server, login page, user entry, and basic NAT and walled garden rules.”

Option A: /ip service is unrelated

Option E: /queue tree is not configured by the setup wizard

Final Answer: B, C, DQUESTION NO: 99 [PPP]

What kind of users are listed in the Secrets window of the PPP menu?

A. Hot-Spot users

B. wireless users

C. l2tp users

D. pptp users

E. pppoe users

F. winbox users

Answer: C, D, E

The /ppp secret menu is used in RouterOS to manage usernames and passwords for Point-to-Point Protocol (PPP) based services, including:

PPPoE (Point-to-Point Protocol over Ethernet)

PPTP (Point-to-Point Tunneling Protocol)

L2TP (Layer 2 Tunneling Protocol)

It does not include HotSpot users, wireless clients, or Winbox users.

MTCNA Course Material – PPP User Authentication:

“The PPP secret database stores credentials for services like PPPoE, PPTP, and L2TP.”

René Meneses MTCNA Study Guide – PPP Configuration Section:

“Users for PPP-based protocols are configured under PPP ? Secrets. This includes PPPoE, PPTP, and L2TP.”

MikroTik Wiki – PPP Secrets Window:

“Secrets are used to authenticate users for all PPP interfaces. HotSpot users are managed separately under /ip hotspot user.”

Option A: HotSpot users ? /ip hotspot user

Option B: Wireless users connect via WPA/802.11 — not listed in PPP

Option F: Winbox users refer to /user under system user management

Final Answer: C, D, EQUESTION NO: 100 [RouterOS Introduction]

Select valid MAC-address:

A. G2:60:CF:21:99:H0

B. 00:00:5E:80:EE:B0

C. AEC8:21F1:AA44:54FF:1111:DDAE:0212:1201

D. 192.168.0.0/16

Answer: B

A valid MAC address must meet the following criteria:

Be 6 bytes (48 bits) in length

Consist of only hexadecimal digits (0–9, A–F)

Written in six groups separated by colons or hyphens (e.g., 00:1A:2B:3C:4D:5E)

MTCNA Course Material – RouterOS MAC Address Basics:

“MAC addresses are 48-bit identifiers written as six pairs of hexadecimal digits. Invalid characters or incorrect length disqualifies an address.”

René Meneses MTCNA Guide – MAC Addressing Section:

“Each MAC is made up of 12 hexadecimal characters (6 octets). If a character like ‘G’ appears, or if it’s longer than 6 bytes, it is invalid.”

MikroTik Wiki – MAC Addressing Rules:

“Valid MAC format: XX:XX:XX:XX:XX:XX using only 0-9 and A-F. 192.168.0.0/16 is an IP subnet, not a MAC.”

Option A: Invalid — “G” and “H” are not hexadecimal characters

Option B: Valid — proper format and hex content

Option C: Invalid — Too long (appears to be IPv6 or malformed)

Option D: Invalid — this is an IP network (CIDR notation), not a MAC

Only Option B is correct.

MikroTik’s NAT (Network Address Translation) is part of the connection tracking mechanism. NAT rules are applied only to the first packet of a connection. Subsequent packets belonging to the same connection are automatically handled by the connection tracking module using the same translation mappings established by that first packet.

Option Analysis:

A.?True – NAT is evaluated only on the first packet of a new connection.

B.?False – Subsequent packets are not re-evaluated against NAT rules.

Extract from Official MTCNA Course Material – Firewall & NAT Section:

“NAT rules apply to the first packet in a connection. After that, RouterOS uses the tracked connection entry.”

Extract from René Meneses MTCNA Study Guide – NAT & Firewall Concepts:

“Once the initial packet matches a NAT rule, connection tracking applies it to the whole session.”

Extract from MikroTik Wiki – NAT Implementation:

“NAT is evaluated on the first packet. Other packets in the same connection follow the established NAT mapping.”

===========

RouterBOARD devices (such as RB1000) typically do not have a battery-backed hardware clock (RTC). This means the system time resets after each reboot. To keep time accurate, you must configure the router to synchronize with an external NTP (Network Time Protocol) server.

A.?Inefficient and non-scalable solution.

B.?The /system ntp server is used to act as an NTP server for others — not for receiving time.

C.?Correct – You must enable /system ntp client and point to a reachable NTP server to get the correct time on boot.

D.?Irrelevant – RouterBOARDs do not have CMOS batteries for timekeeping like traditional PCs.

Extract from MTCNA Course Material – Time Synchronization:

“To maintain correct system time, configure NTP client to sync with a public or internal time server after reboot.”

Extract from René Meneses Study Guide – Clock and Scheduler:

“RouterBOARD devices don’t have battery-backed RTC. Use the NTP client to update time after reboot.”

Extract from MikroTik Wiki – NTP Setup:

“Use /system ntp client to sync time. /system clock alone will reset on reboot without NTP.”

===========

The Address Resolution Protocol (ARP) is used to resolve an IP address into a MAC address. When a device sends an ARP request asking “Who has IP X.X.X.X?”, it expects a MAC address in response.

A.?VLAN ID – Not involved in ARP

B.?IP address – The IP is already known; MAC is being queried

C.?MAC Address – The required Layer 2 address is returned

D.?802.11g – Wireless standard, irrelevant to ARP

Extract from MTCNA Course Material – ARP Basics:

“ARP maps IP addresses to MAC addresses. The reply to an ARP request contains the MAC address of the queried IP.”

Extract from René Meneses Study Guide – Layer 2/3 Functions:

“ARP is a Layer 2 protocol that returns a MAC address for a known IP.”

===========

MikroTik RouterOS uses the /system scheduler to execute scripts or commands at defined times or intervals. It allows for automation of tasks such as backups, reboots, updates, and more.

Evaluation:

A. /system watchdog ??Used for hardware monitoring and rebooting if the system freezes.

B. /system cron ??Not available in MikroTik RouterOS (RouterOS doesn’t use cron syntax).

C. /system scheduler ??Correct. Built-in RouterOS feature for scheduled command execution.

MTCNA Course Manual – System Scheduler Section:

“Use /system scheduler to run scripts or commands at regular intervals or specific times.”

René Meneses Guide – Automating Tasks:

“Scheduler is the only built-in time-based job handler in RouterOS.”

Terry Combs Notes – Script Automation:

“RouterOS uses scheduler, not cron. Schedule by time or interval.”

Answer: CQUESTION NO: 67 [Firewall / Tools]

Where can you monitor (see addresses and ports) real-time connections which are processed by the router?

A. Firewall Connection Tracking

B. Firewall Counters

C. Tool Torch

D. Queue Tree

Answer: A

Firewall Connection Tracking (also known as conntrack) is used to monitor real-time connections that pass through the router. It shows source and destination IPs, ports, protocols, connection states (established, new, related), and more.

Let’s evaluate the options:

A.?Correct – Shows live connection table with IPs, ports, and statuses

B.?Shows rule match counters only — no detailed connection info

C.?Torch shows per-interface traffic; useful for bandwidth, but not a connection list

D.?Queue Tree is used for traffic shaping, not for viewing connections

MTCNA Course Manual – Firewall Concepts:

“Connection tracking shows all active sessions through the router with IP and port details.”

René Meneses Guide – Firewall Tools:

“Use connection tracking to diagnose connection states and NAT behavior.”

Terry Combs Notes – Monitoring Tools:

“conntrack is your real-time connection monitor. Torch is per-interface, not per-flow.”

Answer: AQUESTION NO: 68 [Wireless]

How many wireless clients can connect, when wireless card is configured to mode=bridge?

A. 1

B. 100

C. 2007

D. 2

Answer: A

In MikroTik RouterOS, if a wireless card is configured to mode=bridge (also referred to as "station-bridge"), it can only be used to connect a single client device (MAC address) behind it. This is due to limitations in how 802.11 bridges MAC addresses.

So:

A.?Correct – Only 1 MAC address can pass via wireless bridge mode (unless using WDS or 4-address mode)

B, C ??Too many clients for bridge mode

D.?Incorrect – Still only one client allowed per interface in bridge mode

MTCNA Wireless Module – Wireless Modes:

“Bridge mode allows one client only unless extended bridging protocols are used.”

René Meneses Guide – Wireless Bridging:

“mode=bridge = one MAC behind the station. Use WDS for multiple MACs.”

Terry Combs Notes – Wireless Modes:

“Station-bridge mode works like Ethernet, but only supports one MAC address unless using WDS.”

Answer: AQUESTION NO: 69 [Routing]

In the Route List, the identification DAb for a route stands for:

A. direct - active - bgp

B. direct - acknowledge - backup

C. dynamic - active - backup

D. dynamic - active - bgp

Answer: D

In MikroTik RouterOS, route flags provide quick insight into how the route was created and its status:

D = Dynamic ? The route was added dynamically by a protocol (like BGP, OSPF, RIP)

A = Active ? This route is currently being used

b = BGP ? Indicates that the route was learned via the BGP routing protocol

Therefore, DAb means:

? D = Dynamic

? A = Active

? b = BGP

MTCNA Routing Section – Route Flags Explanation:

“D = dynamically added, A = currently active, b = learned via BGP.”

René Meneses Guide – Understanding Route Lists:

“DAb ? dynamic + active + BGP route. Route is learned and installed via BGP.”

Terry Combs Notes – Route Symbols:

“Check the route list: b = BGP, o = OSPF, r = RIP, s = static, c = connected.”

The PPPoE server functionality in RouterOS relies primarily on the PPP package, which includes support for protocols like PPP, PPPoE, PPTP, L2TP, SSTP, etc. The system package is also always required, as it contains the core OS components.

Option breakdown:

A.?ppp – Required. Contains all PPP and PPPoE server/client implementations.

B.?user-manager – Optional. Used for advanced AAA (authentication/accounting), not required for basic PPPoE.

C.?radius – Optional. Used for external authentication, not essential unless RADIUS integration is needed.

D.?synchronous – Used for legacy synchronous interfaces (e.g., serial or modem), not for PPPoE.

E.?system – Required for all RouterOS functions.

Extract from Official MTCNA Course Material – RouterOS Packages:

“To enable PPPoE server functionality, you need the ppp and system packages. Radius and User Manager are optional.”

Extract from René Meneses MTCNA Study Guide – PPPoE Deployment:

“Only the ppp and system packages are strictly required. Additional features like radius are for centralized authentication.”

Extract from MikroTik Wiki – RouterOS Package Descriptions:

“ppp: required for PPP, PPTP, L2TP, PPPoE; system: required core package. user-manager and radius are optional.”

===========

Static routing is a core feature of MikroTik RouterOS and is included in the default 'system' package. You do not need to install any additional packages (like the "routing" package) for simple static routing.

The routing package is only needed for advanced dynamic routing protocols like BGP, OSPF, and RIP. For manually configured static routes, the system package alone is sufficient.

Let’s evaluate:

A.?Correct. Static routing is part of the default system.

B.?advanced-tools are for diagnostics and tools like traceroute, bandwidth-test, etc.

C.?routing package is for dynamic protocols (OSPF, BGP, etc.), not static routes

D.?dhcp is unrelated to routing — used for dynamic host IP assignment

MTCNA Course Manual – Routing Fundamentals:

“Static routing requires no additional package — it is included in the base system.”

René Meneses Guide – Routing Overview:

“For static routes, you do not need the 'routing' package. That’s only for protocols like BGP or OSPF.”

Terry Combs Notes – Routing Concepts:

“No extra packages needed for static routes. Just use /ip route.”

Answer: AQUESTION NO: 40 [Tools]

You want to transfer existing '/ip firewall filter' configuration from one router to a new system.

Choose the best possible way to do:

A. Export global configuration and remove everything apart from '/ip firewall filter'

B. Export only '/ip firewall filter'

C. Create backup, edit backup file and restore on target router

D. Create backup only of '/ip firewall filter' rules

Answer: B

The best way to transfer only the firewall filter rules is to export just that section of the configuration. This avoids unrelated settings (like IP addresses, user accounts, etc.) that could cause issues on the new router.

MikroTik allows you to selectively export parts of the configuration using:

/ip firewall filter export

This command outputs the firewall filter rules in script format, which can then be copied and applied to another router using import or pasting into terminal.

Evaluations:

A.?Inefficient and error-prone. Exporting everything then removing parts increases the chance of mistakes.

B.?Best method. Selective export via command line is clean and precise.

C.?Backups are binary and system-specific — cannot be safely edited or restored on different hardware.

D.?Backup doesn’t work selectively per section; export is the proper method.

MTCNA Course Manual – Backup vs Export:

“Use export when you need partial configurations. Backup is for full system state and cannot be selectively restored.”

René Meneses Study Guide – Configuration Transfer:

“Export is human-readable and editable. Use it for transferring only desired parts.”

Terry Combs Notes – Best Practices for Configuration Migration:

“Don’t use backups for partial transfer. Use export for readable and editable results.”

Answer: BQUESTION NO: 41 [QoS – PCQ]

You want to use PCQ and allow 256k maximum download and upload for each client. Choose correct argument values for the required queue.

A. kind=pcq pcq-rate=256000 pcq-classifier=src-address

B. kind=pcq pcq-rate=1256000 pcq-classifier=dst-address

C. kind=pcq pcq-rate=256000 pcq-classifier=dst-address

D. kind=pcq pcq-rate=5000000 pcq-classifier=src-address

E. kind=pcq pcq-rate=5000000 pcq-classifier=dst-address

Answer: A, C

PCQ (Per Connection Queue) is used in MikroTik to enforce bandwidth fairness across multiple users. To limit each client to 256k:

pcq-rate=256000 ? sets maximum bandwidth per client to 256,000 bps (256 kbps)

pcq-classifier=src-address ? used in upload queues

pcq-classifier=dst-address ? used in download queues

So:

A.?Used for upload: src-address

C.?Used for download: dst-address

The other options have incorrect rates or classifiers:

B.?Incorrect rate (1256000 ? 256k)

D & E.?Incorrect rate (5000000 = 5 Mbps)

MTCNA Course Manual – PCQ Explanation:

“Use pcq-classifier=src-address for upload, and dst-address for download. pcq-rate sets per-client limit.”

René Meneses Study Guide – Queue Management:

“To cap clients to 256k, configure pcq-rate=256000. Adjust classifiers based on traffic direction.”

Terry Combs Notes – PCQ Parameters:

“Classifier is the key. src-address = upload, dst-address = download. Don’t mix.”

Answer: A, CQUESTION NO: 42 [Routing]

Which of the following Route statuses are possible?

A. A = Active

B. C = Connected

C. S = Static

D. D = Drop

Answer: A, B, C

In the MikroTik routing table, route status flags describe the type and status of each route:

A = Active ? The route is being used to forward packets?

C = Connected ? The route is to a directly connected subnet?

S = Static ? The route was added manually by the administrator?

D = Drop ??There is no such routing flag; “drop” may be an action in firewall or route rules but not a route status

Correct route flags in MikroTik include:

D = Dynamic

A = Active

C = Connected

S = Static

r = RIP

o = OSPF

b = BGP

MTCNA Routing Section – Route Flags Overview:

“Static routes show as S, connected routes as C, and routes in use are marked with A.”

René Meneses Guide – Routing Table Flags:

“Check route flags: A (Active), C (Connected), S (Static). Drop is not a valid route flag.”

Terry Combs Notes – Route Status Flags:

“Drop = firewall action, not route flag. Don’t confuse it with routing status.”

Winbox is a small, native Windows utility provided by MikroTik for graphical administration of RouterOS devices. It is typically downloaded from MikroTik's official website.

A. Router’s webpage ? Incorrect. While the router’s WebFig interface may allow configuration, it does not offer a Winbox download.

B. Files menu ? Incorrect. The Files menu is for storing backups or firmware packages, not distributing Winbox.

C. Console cable ? Incorrect. Console access is CLI only; no GUI utilities can be transferred through it.

D. mikrotik.com ? Correct. The only official and secure location to download Winbox is the MikroTik website.

Extract from Official MTCNA Course Material – RouterOS Introduction:

“Winbox can be downloaded from the official MikroTik website. It provides a GUI frontend for managing RouterOS.”

Extract from René Meneses MTCNA Study Guide – RouterOS Access Methods:

“You can download Winbox from mikrotik.com under the Software Tools section.”

Extract from Terry Combs MTCNA Notes – Access Methods:

“Winbox is a Windows application that must be downloaded from MikroTik’s website. It is not available directly from the router.”

===========

Only tunnel types built on PPP support authentication with username and password:

A.?PPPoE – Built on PPP, uses CHAP, PAP authentication.

B.?OpenVPN – Supports user/password login for client authentication.

C.?IPIP – A stateless Layer 3 tunnel; no authentication support.

D.?PPTP/L2TP – Both are PPP-based and support username/password authentication.

E.?EoIP – MikroTik proprietary Layer 2 tunnel; no username/password authentication.

Extract from MTCNA Course Material – Tunnel Types:

“PPPoE, PPTP, and L2TP are PPP-based and support user/password authentication. IPIP and EoIP do not.”

Extract from René Meneses Study Guide – Tunnel Protocols:

“Authentication (PAP/CHAP) is part of PPP. Use PPPoE, PPTP, L2TP, or OpenVPN for user logins.”

Extract from MikroTik Wiki – Tunnel Protocols Overview:

“Only PPP-based tunnels support authentication via username/password.”

===========

To determine if two hosts can communicate directly, their IP addresses must:

Belong to the same subnet

Have matching subnet boundaries (based on their masks)

Let’s evaluate each:

A. 192.168.17.15/29 ? Subnet: 192.168.17.8 – 192.168.17.15

192.168.17.20/28 ? Subnet: 192.168.17.16 – 192.168.17.31

? Different subnets ??

B. 10.5.5.1/24 ? Subnet: 10.5.5.0 – 10.5.5.255

10.5.5.100/25 ? Subnet: 10.5.5.0 – 10.5.5.127

? Different masks ? Host with /25 may treat others outside /25 as unreachable ??

C. 10.10.0.17/22 ? Range: 10.10.0.0 – 10.10.3.255

10.10.1.30/23 ? Range: 10.10.0.0 – 10.10.1.255

? Both addresses fall within same larger /22 range ??

D. 192.168.0.5/26 ? Subnet: 192.168.0.0 – 192.168.0.63

192.168.0.100 ? Not enough info; assume default /24

? /26 and /24 will not overlap fully ? likely unreachable ??

MTCNA Course Manual – IP Subnetting:

“Hosts can communicate directly if they are in the same IP range and have the same subnet mask. Different subnet boundaries require routing.”

René Meneses Guide – Mask Comparison:

“Be cautious of overlapping address ranges. Matching IPs in same range with differing subnet masks may fail to communicate.”

Terry Combs Notes – Direct Connectivity Rules:

“Same subnet mask and same address block = direct communication. If masks differ, communication needs a router.”

MikroTik RouterOS allows DHCP administrators to modify the DHCP address pool without creating an additional DHCP server. You can simply edit or extend the address pool range, and the DHCP server will start offering those new IPs.

Therefore, it is completely possible to:

Extend the existing address pool

Exclude statically assigned IPs

Continue using the same DHCP Server instance

You do NOT need to create a second DHCP server on the same interface.

MTCNA Course Manual – DHCP Configuration:

“It is possible to expand the address-pool dynamically without adding additional DHCP servers. Just add more IPs to the pool.”

René Meneses Study Guide – DHCP Pools Section:

“You can edit the address pool associated with the DHCP server anytime to include more addresses. No need to create another server.”

Terry Combs Notes – DHCP Tips:

“Keep one DHCP server per subnet. Extend pools via IP > Pool if more IPs are needed.”

Answer: AQUESTION NO: 25 [Wireless]

In which order are the entries in Access List and Connect List processed?

A. By Signal Strength Range

B. By interface name

C. In sequence order

D. In a random order

Answer: C

MikroTik processes the entries in the Access List and Connect List in a top-down fashion —meaning that the first matching entry is the one applied. This is known as sequence order (from top to bottom).

Each rule is checked in the order it appears in the list, and once a match is found, the rest of the list is ignored for that client.

Incorrect options:

A. Signal strength is only a condition, not a sorting method

B. Interface names are part of rule conditions

D. Not random — rules are processed sequentially

MTCNA Official Training Manual – Wireless Access & Connect List:

“Rules in access-list and connect-list are checked in the order they are listed. Once a match is found, further rules are ignored.”

René Meneses Guide – Wireless Access Rules:

“Access-list is evaluated top-down. Sequence matters.”

Terry Combs MTCNA Notes – Wireless Filtering:

“Be careful with order. The first matching rule is applied — no exceptions.”

Answer: CQUESTION NO: 26 [Wireless]

During a scan, in order to see all the available wireless frequencies that are supported by the card, the following option must be selected in the wireless card's "Frequency Mode":

A. superchannel

B. regulatory domain

C. manual txpower

Answer: A

In MikroTik RouterOS, enabling the "superchannel" frequency mode allows access to all frequencies supported by the wireless chip, including those that may be outside of country-specific regulatory limits. This mode is typically used in lab testing or in regions where regulations permit.

A. superchannel ??Correct. Enables full frequency range

B. regulatory domain ? Restricts visible frequencies to region’s law

C. manual txpower ? Controls power output, not frequency scanning

MTCNA Course Material – Wireless Configuration Options:

“To unlock all available wireless frequencies for scanning or connection, enable the 'superchannel' frequency mode.”

René Meneses Study Guide – Wireless Advanced Config:

“Superchannel mode shows all channels supported by the hardware. Use with caution — may violate regulations.”

Terry Combs Notes – Wireless Modes:

“Want to see hidden or extended frequencies? Use superchannel mode. Not legal in every region.”

Answer: AQUESTION NO: 27 [NAT]

It is required to make a web server on a private LAN visible on the public internet. Only the web server port should be visible to the public. Which of the following configuration steps must be met? (Select all that apply)

A. Public IP address of the web server must be installed on the NAT Router

B. In IP firewall NAT, there should be a dst-nat between the public IP of the router and the private IP of the web server

C. Connection Tracking must be enabled on NAT router

D. A route between the NAT router and the web server must exist

E. LAN address of the web server should be routable on the internet

Answer: B, C, D

To expose a web server behind a MikroTik router to the public, the following steps must be met:

B. dst-nat rule must be created to forward incoming requests (e.g., TCP port 80) to the internal web server IP ??Required

C. Connection Tracking must be enabled, otherwise NAT rules won’t function ??Required

D. A route between the NAT router and the web server must exist (usually a directly connected subnet) ??Required

Incorrect Options:

A. The public IP does not need to be installed on the web server — it remains private ??

E. Private LAN IP (like 192.168.x.x) does not need to be routable on the internet ??

MTCNA Course Manual – NAT and Port Forwarding Section:

“To expose internal services to the public internet, use dst-nat. Ensure connection tracking is active and the server is reachable through routing.”

René Meneses Guide – NAT Configuration:

“DST-NAT forwards specific ports to internal IPs. Connection tracking is a prerequisite. LAN IPs remain private.”

Terry Combs Notes – Web Server NAT Rules:

“No need to assign public IP to server. Just configure a proper NAT rule and ensure routing exists internally.”

????????????????????????????????????????????

PPP (Point-to-Point Protocol) uses a modular architecture consisting of two main components:

LCP (Link Control Protocol): Establishes, configures, and tests the data-link connection

NCP (Network Control Protocol): Identifies and configures protocols at the Network Layer (e.g., IP, IPX)

NCP allows multiple protocols to be used over the same PPP link by negotiating and identifying the type of Layer 3 protocol.

MTCNA Course Material – PPP Components:

“NCP handles Layer 3 protocol negotiation and support. For example, IPCP (IP Control Protocol) is a type of NCP used for IP.”

René Meneses MTCNA Study Guide – PPP Protocol Stack:

“PPP uses NCP to identify and configure multiple Layer 3 protocols such as IP, IPX, AppleTalk.”

Other options:

B: ISDN is a WAN access technology, not part of PPP stack

C: HDLC is a data-link layer protocol, not used for identifying Layer 3

D: LCP configures link parameters, not network layer protocols

Final Answer: AQUESTION NO: 142 [Cisco IOS – IOS Backup Procedure]

To back up an IOS, what command will you use?

A. backup IOS disk

B. copy ios tftp

C. copy tftp flash

D. copy flash tftp

Answer: D

To back up the Cisco IOS image from the router’s flash memory to an external TFTP server, the correct command is:

copy flash tftp

This command initiates a transfer from flash memory to a TFTP server and is the standard procedure for backing up IOS images.

Cisco IOS Configuration Guide – Image Backup:

“To back up your IOS image, use the command copy flash tftp and follow the prompts for file name and TFTP server IP.”

René Meneses MTCNA Study Guide – IOS Management:

“copy flash tftp is the correct syntax to save a router’s current IOS to a TFTP server.”

Other options:

A: Invalid syntax

B: Invalid command (copy ios does not exist)

C: copy tftp flash is for installing, not backing up

Final Answer: DQUESTION NO: 143 [IP Addressing – Subnet Calculation]

Which of the following is the valid host range for the subnet on which the IP address 192.168.168.188 255.255.255.192 resides?

A. 192.168.168.129–190

B. 192.168.168.129–191

C. 192.168.168.128–190

D. 192.168.168.128–192

Answer: B

IP address: 192.168.168.188

Subnet mask: 255.255.255.192 ? /26 ? Block size = 64

Subnets:

192.168.168.0/26 ? 192.168.168.0 – 63

192.168.168.64/26 ? 192.168.168.64 – 127

192.168.168.128/26 ? 192.168.168.128 – 191 ? Contains 192.168.168.188

192.168.168.192/26 ? 192.168.168.192 – 255

Valid host range = 192.168.168.129 – 190

(Broadcast = 191, Network address = 128)

MTCNA Course Material – Subnetting Practice:

“To find valid hosts, exclude the subnet and broadcast address. In /26, each block is 64 addresses.”

René Meneses MTCNA Study Guide – IP Addressing:

“For /26 subnetting, calculate block size as 2^(32–26) = 64. Subnet starts at multiples of 64.”

Final Answer: BQUESTION NO: 144 [Wireless – IEEE 802.11 Standards]

Which WLAN IEEE specification allows up to 54 Mbps at 2.4 GHz?

A. A

B. B

C. G

D. N

Answer: C

802.11g operates in the 2.4 GHz band and supports data rates up to 54 Mbps. It is backward-compatible with 802.11b and was a significant improvement in speed while maintaining wide compatibility.

MTCNA Course Material – Wireless Standards:

“802.11g operates at 2.4 GHz and supports up to 54 Mbps. It is widely used in legacy devices.”

René Meneses MTCNA Study Guide – WLAN Specifications:

“802.11g = 2.4 GHz, 54 Mbps.

802.11a = 5 GHz, 54 Mbps

802.11b = 2.4 GHz, 11 Mbps

802.11n = 2.4/5 GHz, up to 600 Mbps (MIMO)”

Option Breakdown:

A: 802.11a = 54 Mbps at 5 GHz

B: 802.11b = 11 Mbps at 2.4 GHz

C: 802.11g =?54 Mbps at 2.4 GHz

D: 802.11n = supports 2.4/5 GHz, speeds up to 600 Mbps (depending on MIMO)

fundamentals.

????????????????????????????????????????????????????????????

The /interface wireless access-list in MikroTik is used to define a set of rules that permit or deny wireless clients based on their MAC addresses and signal strength.

This list applies only to clients trying to connect to the router’s wireless interface when it is configured as an Access Point.

Let’s break down the options:

A.?Correct – Used to allow or deny client MAC addresses and apply settings like rate limits, VLANs, etc.

B.?That’s the role of the registration table.

C.?Security profiles are configured separately under /interface wireless security-profiles.

D.?Hotspot authentication is handled via /ip hotspot, not wireless access lists.

MTCNA Wireless Module – MAC Access Control:

“Access-list matches incoming clients by MAC. You can allow, deny, and apply custom settings.”

René Meneses Study Guide – Wireless Security:

“Access-list is used to explicitly permit or block clients based on their MAC address.”

Terry Combs Notes – Wireless Filtering:

“Think of access-list like a whitelist/blacklist for Wi-Fi clients.”

Answer: AQUESTION NO: 65 [Firewall]

One host on an internal network is accessing an external web page through a MikroTik router that is doing source NAT. Select the correct statement about the packets that flow from that web page to the host:

A. Packets go through the input chain

B. Packets go through the forward chain

C. Packets go through the output chain

D. Packets go through the input chain before the routing decision and after that through output chain

Answer: B

When a host on a LAN accesses a website on the internet via a MikroTik router that’s performing source NAT (e.g., masquerade), the traffic path is as follows:

From LAN host to internet ? forward chain ? NAT (src-nat)

From internet back to LAN host ? forward chain again ? connection-tracked ? src-nat reversed

Since the router is only routing the packets and is not the originator or final destination, the packet passes through the forward chain.

Clarifying the options:

A.?input chain is for packets destined to the router itself

B.?Correct – packet is routed through the router (forwarded)

C.?output chain is for packets originating from the router

D.?This description applies to packets sourced by the router itself

MTCNA Course Manual – Packet Flow Diagram:

“Forward chain handles packets that are being routed through the device (not destined to or from the router itself).”

René Meneses Guide – Firewall Chains:

“For routed traffic, the forward chain is used. This includes NATed traffic between LAN and WAN.”

Terry Combs Notes – Packet Flow:

“Understand the router’s role. If it’s just forwarding, only the forward chain applies.”

Answer: BWould you like to continue with Questions 66–70, or generate a full summary (PDF-style) of all 65 completed qu

Nstreme is a proprietary point-to-point wireless protocol developed by MikroTik to improve performance on long-distance wireless links. It enhances frame aggregation, reduces latency, and replaces standard 802.11 MAC timing behavior with a custom approach. Because of its specific mechanism, it imposes certain compatibility restrictions:

A. WDS between two station-wds devices is not compatible with Nstreme. This setup doesn't conform to proper AP-client architecture required by Nstreme, which operates in a master/slave role — typically ap-bridge and station.

B. Encryption (e.g., using WEP or WPA) is supported in Nstreme; however, MikroTik recommends encryption at higher layers like IPsec when performance is critical.

C. WDS between ap-bridge and station-wds is compatible with Nstreme. This is the standard pairing used when bridging two networks via wireless.

D. Bridging a station with an ap-bridge device using standard station mode (not station-wds or station-bridge) is not compatible for full Layer 2 bridging. Only station-wds or station-bridge supports bridging with ap-bridge mode.

Extract from Official MTCNA Course Material – Wireless Section:

"Nstreme is supported only between a device in ap-bridge mode and a device in station or station-wds mode. Both ends must support Nstreme. WDS is supported with station-wds and ap-bridge combinations. Encryption is supported, although optional."

Extract from Terry Combs MTCNA Notes – Nstreme Notes:

"Only ap-bridge <-> station-wds (or station-bridge in RouterOS v6+) is valid for bridging over Nstreme. Encryption like WPA2 is supported but optional."

Extract from René Meneses Study Guide – Wireless Features:

“Nstreme does not support station-station WDS. Proper implementation requires ap-bridge on one side and station-wds or station-bridge on the other. Basic encryption (WEP/WPA) is allowed.”

===========

In a MikroTik Hotspot environment, you can bypass authentication for specific users using the IP Bindings feature. This feature lets you mark a host as bypassed (authorized without login), blocked, or regular.

A. Users ? Incorrect. This contains login credentials for regular authenticated users.

B. IP bindings ? Correct. This allows specific devices (by IP or MAC) to bypass login requirements.

C. Walled-garden ? Incorrect. This allows unauthenticated access to specific domains or URLs, not devices.

D. Walled-garden IP ? Incorrect. Similar to option C, it controls destination IP access, not client exemption.

Extract from Official MTCNA Course Material – Hotspot:

“To allow a specific host to bypass authentication, use IP Bindings with the ‘bypassed’ type.”

Extract from René Meneses MTCNA Study Guide – Hotspot Section:

“The IP Bindings tab in the Hotspot menu is used to set specific IPs or MACs as bypassed. This exempts them from login.”

Extract from Terry Combs MTCNA Notes – Hotspot Bypass:

“Use IP Bindings for fixed clients (e.g., printers or servers) that should not be challenged by the Hotspot portal.”

===========

To upgrade or install a new Cisco IOS image on a router, you typically copy the IOS image file from a TFTP server into the router’s flash memory. The correct syntax is:

copy tftp flash

This command tells the router to copy the IOS image from a TFTP server into flash storage, where it can be booted.

Cisco IOS Documentation – Image Upgrade Process:

“Use the command copy tftp flash to transfer an IOS image from a TFTP server to the router’s flash memory.”

Other options:

A: copy tftp run – invalid; you cannot copy into the running-config that way

B: copy tftp start – used to copy configuration, not IOS image

C: config net – an older and deprecated command, not for IOS upgrades

Final Answer: DQUESTION NO: 122 [RouterOS Introduction – ICMP and Diagnostics]

Which protocol does Ping use?

A. TCP

B. ARP

C. ICMP

D. BootP

Answer: C

Ping is a diagnostic utility used to test reachability between devices. It sends ICMP Echo Request packets and waits for ICMP Echo Replies. ICMP (Internet Control Message Protocol) is used for these types of control messages and is encapsulated within IP.

MTCNA Course Material – Diagnostic Tools:

“Ping uses ICMP Echo Requests to verify if a destination is reachable. It does not use TCP or UDP.”

René Meneses MTCNA Study Guide – Ping and ICMP:

“Ping uses ICMP, not TCP or ARP. ICMP packets are used to check basic connectivity.”

MikroTik Wiki – Ping Tool Description:

“Ping works by sending ICMP packets. It cannot use TCP.”

Other options:

TCP: Used by protocols like HTTP, FTP

ARP: Resolves IP to MAC, not used for ping

BootP: DHCP-related protocol, not diagnostic

Final Answer: CQUESTION NO: 123 [Cisco – Frame Relay Troubleshooting]

What command will display the line, protocol, DLCI, and LMI information of an interface?

A. sh pvc

B. show interface

C. show frame-relay pvc

D. show run

Answer: C

In Cisco IOS, to display detailed Frame Relay virtual circuit information, including the line status, protocol status, DLCI (Data Link Connection Identifier), and LMI (Local Management Interface) details, the correct command is:

show frame-relay pvc

Cisco IOS Command Reference – Frame Relay:

“The show frame-relay pvc command displays information about PVC status, including DLCI numbers and LMI statistics.”

Breakdown:

A: sh pvc – shorthand and ambiguous, may not be recognized

B: show interface – general interface stats but lacks detailed LMI/DLCI info

C: show frame-relay pvc –?correct, provides detailed DLCI/LMI info

D: show run – shows current configuration, not real-time PVC status

Final Answer: CQUESTION NO: 124 [Networking Fundamentals – Ethernet and Switching]

How many collision domains are created when you segment a network with a 12-port switch?

A. 1

B. 2

C. 5

D. 12

Answer: D

Each port on a switch creates its own collision domain. Unlike hubs (which extend a single collision domain), switches segment each interface, allowing full-duplex communication and eliminating collisions.

MTCNA Course Material – Ethernet Switching Concepts:

“Each switch port is a separate collision domain. A 24-port switch creates 24 separate collision domains.”

René Meneses MTCNA Study Guide – Collision and Broadcast Domains:

“Switches break up collision domains per port, unlike hubs.”

Therefore, a 12-port switch creates 12 individual collision domains.