To bridge two networks over a wireless link (i.e., perform Layer 2 bridging), MikroTik offers several wireless modes that support bridging:

WDS (Wireless Distribution System) is MikroTik’s mechanism to forward Layer 2 frames over wireless

pseudobridge and pseudobridge-clone attempt to mimic Layer 2 bridging, with some limitations

Option analysis:

A. ✔ Correct – Using AP mode on both ends and enabling WDS allows full Layer 2 bridging

B. ✔ Correct – pseudobridge-clone allows limited bridging by spoofing the MAC address of the connected host

C. ✔ Correct – station-pseudobridge enables partial bridging (one client per MAC)

D. ✘ Incorrect – station mode alone does not support Layer 2 bridging; it performs routing/NAT instead

Extract from MTCNA Course Material – Bridging and Wireless Section:

"To bridge over wireless, you can use WDS or station-pseudobridge(-clone). WDS provides true Layer 2 bridging, while pseudobridge methods simulate it for single hosts."

Extract from René Meneses Study Guide – Wireless Bridging:

“WDS is most reliable for bridging. pseudobridge and pseudobridge-clone work with one client and should be used cautiously.”

Extract from Terry Combs Notes – Wireless Bridging:

“station mode alone is not sufficient for bridging. Use WDS or pseudobridge options.”

===========

The connection-state=established matcher in MikroTik’s firewall refers to packets that are part of an already active connection. These packets are neither new nor related — they are directly associated with a known connection that has been previously accepted or initiated.

MikroTik uses Connection Tracking (enabled by default) to determine the state of each packet:

new: Packet begins a new connection (e.g., TCP SYN)

established: Packet belongs to a previously established connection (reply or subsequent packets)

related: Packet is not part of the connection, but is related (e.g., FTP data channel)

invalid: Packet that does not match any known or valid connection

Therefore:

A. ✅ Correct. “Established” means part of an ongoing, known connection.

B. ❌ This describes “related”

C. ❌ This describes “invalid”

D. ❌ This describes “new”

MTCNA Course Manual – Firewall and Connection Tracking:

“Established – Packet that belongs to an existing connection. This includes replies and ongoing streams.”

René Meneses Study Guide – Firewall Fundamentals:

“Use connection-state=established to allow traffic that is part of previously accepted sessions.”

Terry Combs Notes – Connection States:

“Established = trusted, ongoing session. Essential for return traffic.”

Answer: A QUESTION NO: 32 [PPP]

PPP Secrets are used for:

A. PPPoE clients

B. L2TP clients

C. IPSec clients

D. PPP clients

E. PPTP clients

F. Router users

Answer: A, B, D, E

PPP Secrets is a user authentication mechanism used in MikroTik RouterOS for various PPP-based services. These include:

PPP (Point-to-Point Protocol)

PPPoE (PPP over Ethernet)

PPTP (Point-to-Point Tunneling Protocol)

L2TP (Layer 2 Tunneling Protocol)

Each client authenticates with a username/password combination defined under PPP → Secrets. PPP Secrets is not used for:

IPSec clients → ❌ They use peer configurations and policies

Router users (Winbox/WebFig) → ❌ Use system → users, not PPP secrets

MTCNA PPP Chapter – Secrets Authentication:

“PPP Secrets are used for all PPP services: PPP, PPPoE, L2TP, and PPTP. It defines usernames, passwords, profiles, and IP bindings.”

René Meneses Guide – Tunnels and PPP:

“Any PPP-based tunnel uses PPP secrets for login validation. This includes local dial-in and remote VPN tunnels.”

Terry Combs Notes – PPP Authentication Table:

“PPP Secrets = for PPP, PPPoE, PPTP, and L2TP. Not for IPSec or Winbox.”

Answer: A, B, D, E QUESTION NO: 33 [Licensing]

How long is level 1 (free) license valid?

A. 1 month

B. 24 hours

C. 1 year

D. Infinite time

Answer: D

Level 1 license in MikroTik RouterOS is a free license type. It is included with every installation but has very limited functionality. Despite the limitations, it is valid for an unlimited duration.

Features available in level 1:

Basic configuration

One active user session

Ideal for lab/testing with CHR

Incorrect options:

A. 1 month → ❌ Not time-based

B. 24 hours → ❌ No expiration limit

C. 1 year → ❌ Invalid

D. ✅ Correct → Valid forever, but feature-limited

MTCNA Course Material – Licensing Section:

“Level 1 license is free and does not expire. It provides minimal feature access.”

René Meneses Study Guide – License Levels:

“Level 1 is permanent but restrictive. Great for evaluation or learning.”

Terry Combs Notes – RouterOS Licensing Table:

“Level 1 license = lifetime access to basic RouterOS functionality.”

Answer: D QUESTION NO: 34 [NAT]

What is the correct action for a NAT rule on a router that should intercept SMTP traffic and send it over to a specified mail server?

A. tarpit

B. dst-nat

C. passthrough

D. redirect

Answer: B

To forward traffic from one destination to another (such as from the public IP to an internal mail server), the dst-nat action is used in MikroTik NAT rules.

dst-nat: Modifies the destination IP address and/or port of the packet. Used to forward traffic to an internal resource.

tarpit: Captures and holds TCP connections (used for spam traps or slowing down bots) → ❌

passthrough: Used in mangle rules; allows the packet to be evaluated by the next rule → ❌

redirect: Redirects traffic to the router itself (e.g., proxy or DNS services) → ❌

So, for external SMTP traffic (e.g., TCP port 25), we use a dst-nat rule that forwards the traffic to the internal mail server.

MTCNA NAT Section – Destination NAT:

“To forward SMTP traffic from a public address to a private server, use dst-nat with appropriate port and IP.”

René Meneses Guide – Practical NAT Examples:

“Use dst-nat for port forwarding. Redirect is for internal services like DNS or web proxy.”

Terry Combs Notes – NAT Action Summary:

“dst-nat = most common for external-to-internal mapping (e.g., mail servers, web servers).”

ICMP (Internet Control Message Protocol) is used for diagnostics and error reporting in IP networks. It is encapsulated directly within IP datagrams and not over UDP or TCP. It does not guarantee delivery — it merely provides feedback about problems (e.g., host unreachable, time exceeded).

MTCNA Course Material – ICMP and Network Tools:

“ICMP is used for error messages and operational queries such as ping and destination unreachable. It is encapsulated in IP and does not use TCP or UDP.”

René Meneses MTCNA Study Guide – ICMP Section:

“ICMP provides diagnostic information. It is a Layer 3 protocol encapsulated directly in IP. It does not provide guaranteed delivery.”

MikroTik Wiki – ICMP Overview:

“ICMP packets are carried in IP packets and used for control messages. They are not transported using TCP or UDP.”

Breakdown:

Statement 1: False – ICMP does not guarantee delivery

Statement 2: True – provides network problem feedback

Statement 3: True – encapsulated in IP

Statement 4: False – ICMP is not encapsulated in UDP

Correct set: 2 and 3

Final Answer: B QUESTION NO: 106 [RouterOS Introduction]

Which Layer 4 protocol is used for a Telnet connection?

A. IP

B. TCP

C. TCP/IP

D. UDP

Answer: B

Telnet is a protocol used to access remote devices via command-line over the network. It operates over TCP at Layer 4, using port 23.

MTCNA Course Material – Layer 4 Protocols:

“Telnet uses TCP port 23 for remote shell access. TCP ensures ordered and reliable delivery of commands and responses.”

René Meneses MTCNA Study Guide – TCP/IP Protocols:

“Telnet is an Application Layer protocol using TCP as its transport protocol.”

MikroTik Wiki – Telnet Access:

“Telnet communicates over TCP. It does not use UDP.”

Other options:

A. IP is a Layer 3 protocol

C. TCP/IP is a model, not a single protocol

D. Telnet does not use UDP

Final Answer: B QUESTION NO: 107 [RouterOS Introduction]

Which of the following are layers in the TCP/IP model?

Application

Session

Transport

Internet

Data Link

Physical

A. 1 and 2

B. 1, 3 and 4

C. 2, 3 and 5

D. 3, 4 and 5

Answer: B

The TCP/IP model has four layers:

Application

Transport

Internet

Network Access (includes Data Link & Physical in OSI terms)

Session is part of the OSI model, not TCP/IP.

MTCNA Course Material – TCP/IP vs OSI Model:

“The TCP/IP model has Application, Transport, Internet, and Network Access layers. Application includes OSI’s Session, Presentation, and Application layers.”

René Meneses MTCNA Guide – Model Comparison:

“The TCP/IP model consists of: Application, Transport, Internet, and Network Access (which covers Data Link and Physical). Session layer is part of OSI.”

So, correct TCP/IP layers from the given list:

Application ( ✔ )

Transport ( ✔ )

Internet ( ✔ )

Session is not part of TCP/IP model.

Final Answer: B QUESTION NO: 108 [RouterOS Introduction]

Which statements are true regarding ICMP packets?

They acknowledge receipt of a TCP segment.

They guarantee datagram delivery.

They can provide hosts with information about network problems.

They are encapsulated within IP datagrams.

A. 1 only

B. 2 and 3

C. 3 and 4

D. 2, 3 and 4

Answer: C

Reiterating from earlier:

ICMP does not acknowledge TCP segments; that’s TCP’s job.

ICMP does not guarantee delivery; it’s an unreliable protocol.

ICMP does provide diagnostics (e.g., unreachable, TTL exceeded).

ICMP is encapsulated directly in IP, not over TCP/UDP.

MTCNA Course Material – ICMP Behavior:

“ICMP is used for control messages like ping and unreachable. It provides feedback and is encapsulated in IP.”

René Meneses MTCNA Study Guide – ICMP & IP Layer:

“ICMP is a Layer 3 protocol, not used to acknowledge TCP, and is wrapped in IP datagrams.”

Correct:

Statement 3: True

Statement 4: True