The MikroTik Certified Network Associate Exam content is now fully updated, with all current exam questions added 6 hours ago. Deciding to include MTCNA practice exam questions in your study plan goes far beyond basic test preparation.
Consider the following network diagram. In R1, you have the following configuration:
/ip route
add dst-address=192.168.1.0/24 gateway=192.168.99.2
/ip firewall nat
add chain=srcnat out-interface=Ether1 action=masquerade
On R2, if you wish to prevent all access to a server located at 192.168.1.10 from LAN1 devices, which of the following rules would be needed?
A. /ip firewall filter add chain=forward src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
B. /ip firewall filter add chain=forward src-address=192.168.0.0/24 dst-address=192.168.1.10 action=drop
C. /ip firewall filter add chain=input src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
D. /ip firewall nat add chain=dstnat src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
The key requirement is to block traffic from LAN1 to the internal server at 192.168.1.10. Given that R1 uses masquerade (srcnat), all packets arriving at R2 from LAN1 will appear as if they come from R1’s IP (192.168.99.1). Therefore, filtering by the original IP (LAN1 clients like 192.168.0.x) won't work unless you stop the traffic before it's NATed.
So the correct way is to drop the packets before they reach the server by identifying the original subnet (LAN1), which is 192.168.0.0/24, in the forward chain.
A. Wrong: You’re filtering based on the post-NAT address (192.168.99.1), not the source LAN subnet.
B. Correct: Block traffic coming from 192.168.0.0/24 (LAN1) before it hits the NAT rule. ✅
C. Wrong chain: input is only for traffic destined to the router itself.
D. Incorrect chain: dstnat is for translating destination IP, not filtering.
MTCNA Firewall Module – NAT and Forwarding Concepts:
“Filter before NAT to match pre-NAT source addresses. Masquerade masks real source IP.”
René Meneses MTCNA Guide – Practical Firewall Rules:
“When masquerade is applied, forward chain rules using original IP must be placed before the NAT rule.”
Terry Combs Notes – Firewall Filtering:
“Forward chain handles routed traffic. Use it to block routed traffic between subnets.”
Answer: B
QUESTION NO: 55 [ARP]
If ARP=reply-only is configured on an interface, this interface will:
A. accept all IP addresses listed in '/ip arp' as static entries
B. add new MAC addresses in '/ip arp' list
C. accept IP and MAC address combinations listed in '/ip arp' list
D. accept all MAC-addresses listed in '/ip arp' as static entries
E. add new IP addresses in '/ip arp' list
Answer: C
Setting ARP=reply-only restricts the interface to respond only to ARP requests for IP/MAC pairs that are manually added to the /ip arp list. This is often used for access control or static neighbor resolution.
A. ❌ Incorrect phrasing; not all IPs are accepted unless both IP and MAC match
B. ❌ Interface will not dynamically add new MACs in reply-only mode
C. ✅ Correct — Only defined IP/MAC combinations in /ip arp will be accepted
D. ❌ ARP requires both IP and MAC, not just MACs
E. ❌ New IPs are not added automatically in this mode
MTCNA Course Manual – ARP Modes:
“ARP reply-only – Interface replies only to requests for IP/MAC combinations listed in the ARP table.”
René Meneses Guide – ARP Settings:
“Use reply-only when you want strict control over ARP responses. You must add each entry manually.”
Terry Combs Notes – ARP Filter Modes:
“reply-only = no dynamic ARPs. You must define both IP and MAC.”
Answer: C
QUESTION NO: 56 [Wireless]
Which option in the configuration of a wireless card must be disabled to cause the router to permit ONLY known clients listed in the access list to connect?
A. Security Profile
B. Default Forward
C. Enable Access List
D. Default Authenticate
Answer: D
The Default Authenticate option allows all clients to connect unless filtered. To restrict access to only known MAC addresses in the access list, you must disable this option. When disabled, only MAC addresses explicitly listed in the access list will be able to connect.
Evaluation:
A. Security Profile → relates to encryption, not access control
B. Default Forward → controls whether clients can communicate with each other
C. Enable Access List → there is no such setting by this name
D. ✅ Default Authenticate — this must be disabled to allow only access-list entries
MTCNA Wireless Module – Access Control:
“Disable default-authenticate to limit access to those defined in the access-list.”
René Meneses Guide – MAC Access Restrictions:
“Disabling default-authenticate enforces access-list. Clients not listed will be denied.”
Terry Combs Notes – Securing Wireless:
“Use access-list + disable default-authenticate to lock down who connects.”
Answer: D
QUESTION NO: 57 [Routing]
A routing table has the following entries:
0 dst-address=10.0.0.0/24 gateway=10.1.5.126
1 dst-address=10.1.5.0/24 gateway=10.1.1.1
2 dst-address=10.1.0.0/24 gateway=25.1.1.1
3 dst-address=10.1.5.0/25 gateway=10.1.1.2
Which gateway will be used for a packet with destination address 10.1.5.126?
A. 10.1.1.1
B. 10.1.5.126
C. 10.1.1.2
D. 25.1.1.1
Answer: A
Routing decisions are based on the longest prefix match (i.e., the most specific subnet). First, determine which route has the most specific match for 10.1.5.126.
Route 1: 10.1.5.0/24 → covers 10.1.5.0 to 10.1.5.255 → ✅ Match
Route 3: 10.1.5.0/25 → covers 10.1.5.0 to 10.1.5.127 → ✅ Also a match and more specific
BUT, 10.1.5.126 falls within /25 (last usable host) → So, Route 3 should be preferred due to longer prefix
However, let’s clarify:
If Route 3 (dst-address=10.1.5.0/25) has a next-hop (gateway) of 10.1.1.2, and if that route is reachable, it should be chosen.
Wait — it appears the answer marked in the original key might be inconsistent with routing rules.
Let’s correct it:
Matching routes:
Route 1: /24 → Prefix length: 24
Route 3: /25 → Prefix length: 25 → More specific → Preferred ✅
Hence:
10.1.5.126 matches 10.1.5.0/25 (Route 3)
Gateway for that = 10.1.1.2 → Correct Answer: C
Corrected Answer: C
MTCNA Course Manual – Routing Decision Process:
“MikroTik uses longest prefix match — the most specific (longest) subnet wins.”
René Meneses Guide – Routing Resolution:
“If multiple routes match, the one with the most specific netmask (largest prefix) is selected.”
Terry Combs Notes – Routing Table Evaluation:
“Router picks based on subnet specificity. /25 beats /24.”
If you need to make sure that one computer in your Hot-Spot network can access the Internet without Hot-Spot authentication, which menu allows you to do this?
A. Users
B. IP bindings
C. Walled-garden
D. Walled-garden IP
In a MikroTik Hotspot environment, you can bypass authentication for specific users using the IP Bindings feature. This feature lets you mark a host as bypassed (authorized without login), blocked, or regular.
A. Users → Incorrect. This contains login credentials for regular authenticated users.
B. IP bindings → Correct. This allows specific devices (by IP or MAC) to bypass login requirements.
C. Walled-garden → Incorrect. This allows unauthenticated access to specific domains or URLs, not devices.
D. Walled-garden IP → Incorrect. Similar to option C, it controls destination IP access, not client exemption.
Extract from Official MTCNA Course Material – Hotspot:
“To allow a specific host to bypass authentication, use IP Bindings with the ‘bypassed’ type.”
Extract from René Meneses MTCNA Study Guide – Hotspot Section:
“The IP Bindings tab in the Hotspot menu is used to set specific IPs or MACs as bypassed. This exempts them from login.”
Extract from Terry Combs MTCNA Notes – Hotspot Bypass:
“Use IP Bindings for fixed clients (e.g., printers or servers) that should not be challenged by the Hotspot portal.”
===========
A PC with IP 192.168.1.2 can access internet, and static ARP has been set for that IP address on gateway. When the PC Ethernet card failed, the user changed it with a new card and set the same IP for it. What else should be done? [multiple answers]
A. Old static ARP entry on gateway has to be updated for the new card
B. Nothing – it will work as before
C. MAC-address of the new card has to be changed to MAC address of old card
D. Another IP has to be added for Internet access
When static ARP is configured, the router explicitly binds an IP address to a specific MAC address. This means:
If the MAC address of the device changes (as it does when a new network card is installed), and the IP remains the same, the router will not allow the device to communicate, because the MAC address in the ARP table no longer matches the new hardware.
Options explained:
A. ✔ Correct. The old ARP entry must be updated to reflect the new MAC address if the IP is reused.
B. ✘ Incorrect. The communication will fail if the ARP table still holds the outdated MAC for that IP.
C. ✔ Correct. Alternatively, if the new NIC supports MAC address modification, setting the MAC address to match the old one would make the static ARP entry valid again.
D. ✘ Incorrect. There's no need to change the IP if the static ARP entry is updated.
Extract from Official MTCNA Course Material – ARP Section:
"Static ARP entries tie IPs to MAC addresses. If the MAC changes but the static ARP entry remains unchanged, the device cannot communicate with the router."
Extract from René Meneses MTCNA Study Guide – ARP:
"When using static ARP, any MAC change must be reflected in the router's ARP table; otherwise, packets will be dropped."
Extract from MikroTik Wiki – ARP Modes:
"Static entries require matching MAC addresses. If the client's MAC changes, the ARP table must be updated or communication will fail."
===========
What wireless card can we use to achieve 100 Mbps actual wireless throughput?
A. 802.11 b/g
B. 802.11 a/b/g
C. 802.11 a
D. 802.11 a/n
E. 802.11 a/b/g/n
To achieve actual throughput of 100 Mbps, you must use 802.11n, which supports higher data rates through technologies such as MIMO (Multiple Input, Multiple Output) and channel bonding. 802.11n provides theoretical speeds up to 150 Mbps per stream and actual throughput above 100 Mbps under good conditions.
802.11a/b/g maxes out around 20–25 Mbps real throughput
802.11n (especially in 5 GHz band via 802.11a/n) is required to exceed 100 Mbps actual throughput
MTCNA Course Material – Wireless Standards and Data Rates:
“802.11n with proper channel width and MIMO can achieve over 100 Mbps of real throughput.”
René Meneses MTCNA Study Guide – Wireless Performance:
“Only 802.11n can reach 100+ Mbps in practical use. Legacy modes (a/b/g) fall short due to modulation limits.”
Breakdown:
A/B/C: Do not support 100 Mbps throughput
D: ✔ 802.11a/n supports 100+ Mbps
E: While also valid, D is more precise for the specific requirement (focused on a/n only)
Final Answer: D
QUESTION NO: 156 [Firewall – Mangle Chains]
It is possible to add user-defined chains in ip firewall mangle.
A. True
B. False
Answer: A
RouterOS allows users to define custom chains in the mangle table, giving more flexibility for organizing and managing rules. This is particularly useful in complex routing and QoS configurations.
MikroTik Wiki – Firewall Mangle:
“Custom chains can be created using the add chain=your_chain_name command. Then you can jump to them from built-in chains.”
MTCNA Course Material – Mangle & Packet Flow:
“User-defined chains help separate logic and simplify processing. You can jump into them from prerouting, forward, or postrouting.”
Final Answer: A
QUESTION NO: 157 [Firewall – NAT and Redirect Actions]
Action=redirect allows you to make:
A. Transparent DNS Cache
B. Forward DNS to another device IP address
C. Enable Local Service
D. Transparent HTTP Proxy
Answer: D
In RouterOS, action=redirect is used in NAT rules to redirect traffic destined for specific ports to local services. This is often used for:
Transparent web proxy (redirect port 80 to a local proxy service)
Transparent DNS interception (if RouterOS is the DNS server)
In most practical MikroTik use cases, redirect is associated with Transparent HTTP Proxy.
MTCNA Course Material – NAT Configuration:
“action=redirect rewrites the destination address to the router’s own IP. It is commonly used to create transparent web proxies.”
MikroTik Wiki – NAT Redirect:
“Redirect is used for redirecting traffic to local services like web proxy or DNS cache on the router.”
Breakdown:
A: Possible, but limited use; DNS cache works better with dst-nat
B: Incorrect — to forward to another IP, use dst-nat
C: Misleading — enabling local services doesn't require redirect
D: ✔ Correct — redirect enables transparent proxy setup
Final Answer: D
QUESTION NO: 158 [Routing – Automatically Created Routes]
What letters appear next to a route that is automatically created by RouterOS when a user adds a valid address to an active interface?
A. I
B. D
C. A
D. S
E. C
Answer: E
In RouterOS, when an IP address is assigned to an interface, a connected route is automatically created. These routes are marked with the letter “C” in the routing table, denoting “Connected.”
MikroTik Wiki – Routing Table Flags:
“C – directly connected routes (assigned via /ip address), added automatically when interface is active.”
MTCNA Course Material – Static vs Dynamic Routes:
“Connected (C) routes are added automatically when IP is assigned to an interface.”
Flag meanings:
C: ✔ Connected
S: Static
D: Dynamic
A: Active (not a route type)
I: Invalid or intermediate (not shown for connected)
Which default route will be active?
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=1.1.1.1
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=2.2.2.2
A. Route via gateway 2.2.2.2
B. Route via gateway 1.1.1.1
In MikroTik RouterOS (and in routing in general), the "distance" value determines the priority of a route. The route with the lowest distance will be preferred.
Here:
Route to 0.0.0.0/0 via 1.1.1.1 has distance = 10
Route to 0.0.0.0/0 via 2.2.2.2 has distance = 5 → lower, so preferred ✅
Unless the lower-distance route is invalid or unreachable, it will always be selected.
MTCNA Course Manual – Static Routing:
“The lower the distance value, the higher the route’s priority. Routes are selected based on administrative distance first.”
René Meneses Study Guide – Route Distance:
“A route with distance 1 is preferred over a route with distance 2. It does not matter which was added first.”
Terry Combs Notes – Routing Behavior:
“RouterOS evaluates the distance (priority) before anything else. Smallest value wins.”
Answer: A
QUESTION NO: 44 [Firewall]
What does the firewall action "Redirect" do? Select all true statements.
A. Redirects a packet to a specified port on the router
B. Redirects a packet to a specified IP
C. Redirects a packet to the router
D. Redirects a packet to a specified port on a host in the network
Answer: A, C
The redirect action in MikroTik’s NAT firewall rules is used to force traffic (usually from LAN clients) to a local service on the router — for example, redirecting all DNS queries to the router’s DNS server, or forcing web traffic to a proxy.
Details:
It changes the destination IP to the router's IP automatically (without needing to specify it)
It also allows port redirection (e.g., dst-port=80 → to 3128 for proxy)
Evaluation:
A. ✅ True — You can redirect to a specific port on the router
B. ❌ False — Redirect does not change destination IP to an arbitrary host; for that, use dst-nat
C. ✅ True — Redirect forces traffic to the router itself
D. ❌ False — dst-nat is used to forward packets to internal hosts, not redirect
MTCNA Course Manual – NAT Actions:
“Redirect action changes destination to the router itself. This is useful for forcing traffic through router services.”
René Meneses Guide – NAT Behavior:
“Redirect = router-local services like DNS or proxy. Use dst-nat for remote hosts.”
Terry Combs Notes – Firewall Actions:
“Use redirect when you want to intercept traffic and handle it locally on the router.”
Answer: A, C
QUESTION NO: 45 [PPP / Tunnels]
Which port does PPTP use by default?
A. TCP 1721
B. UDP 1723
C. TCP 1723
D. UDP 1721
Answer: C
PPTP (Point-to-Point Tunneling Protocol) uses:
TCP port 1723 for control and session initiation
GRE (Generic Routing Encapsulation) protocol (protocol number 47) for tunneling
No UDP port is used by PPTP.
Evaluation:
A. TCP 1721 → ❌ Invalid port
B. UDP 1723 → ❌ Incorrect protocol (TCP is used, not UDP)
C. ✅ TCP 1723 → Correct
D. ❌ Invalid (wrong protocol and port)
MTCNA Tunneling Section – PPTP Overview:
“PPTP uses TCP port 1723 for control and GRE protocol for tunneling traffic.”
René Meneses MTCNA Guide – PPTP Characteristics:
“PPTP = TCP/1723 + GRE (not a port, but a protocol). Allow both on firewall.”
Terry Combs Notes – VPN Protocol Reference:
“PPTP: TCP 1723. GRE must be permitted for tunnel data.”
Answer: C
QUESTION NO: 46 [Firewall]
Which firewall chain should you use to filter ICMP packets from the router itself?
A. input
B. postrouting
C. forward
D. output
Answer: D
MikroTik RouterOS uses firewall chains to process packets based on direction:
input: For packets destined to the router itself (from outside)
output: For packets originating from the router (e.g., router pings)
forward: For packets passing through the router between interfaces
postrouting: Used for NAT and marking, not filtering
Therefore:
To block/allow ICMP (ping) generated by the router (e.g., netwatch, DNS probes), use the output chain
To block incoming pings to the router, use input
To block pings between LAN and WAN, use forward
MTCNA Firewall Module – Chain Responsibilities:
“To control traffic originating from the router itself, use the output chain. For example, when the router itself sends ICMP requests.”
René Meneses Guide – Firewall Chains Explained:
“output is for locally generated traffic. input is for inbound traffic to the router.”
Terry Combs Notes – Chain Use Cases:
“Ping from router = output. Ping to router = input. Ping between networks = forward.”
Mark all the features that can be used for limiting client registrations to your access point:
A. access-list
B. wpa
C. WDS
D. registration-table
MikroTik allows you to control which clients can connect to your access point through:
WPA/WPA2 security – prevents unauthorized devices from authenticating.
Access List – filters by MAC address and signal strength.
Option breakdown:
A. ✔ access-list – Used to accept/reject client MACs and customize access settings.
B. ✔ wpa – WPA/WPA2 passphrase restricts who can join the network.
C. ✘ WDS – Wireless Distribution System, used for bridging, not access control.
D. ✘ registration-table – A monitoring tool showing currently connected clients; it doesn’t restrict connections.
Extract from Official MTCNA Course Material – Wireless Access Control:
“Use WPA/WPA2 for secure authentication. Access List lets you accept or reject clients based on MAC or signal level.”
Extract from René Meneses MTCNA Study Guide – Wireless Security & Filtering:
“You can limit client access using WPA security and Access List. Registration Table only shows connected users.”
Extract from Terry Combs Notes – Wireless Configuration:
“Access control = WPA + Access List. WDS is for bridging, and registration-table is read-only.”
What is a stub network?
A. A network with more than one exit point.
B. A network with more than one exit and entry point.
C. A network with only one entry and no exit point.
D. A network that has only one entry and exit point.
A stub network is defined as a network segment that is accessible by only one path (single entry/exit point). It does not serve as a transit network for routing between other networks. Traffic entering or leaving the stub network must pass through a single interface.
MTCNA Course Material – Routing Concepts:
“A stub network is one that is connected to the rest of the network by a single router interface. It has only one entry and one exit point.”
René Meneses MTCNA Study Guide – Routing Terms:
“Stub networks do not forward packets for other networks. They are endpoints with one route in and out.”
Other options:
A/B: Describe transit networks, not stub
C: Misleading—stub has both entry and exit, but only through one path
D: ✔ Correct definition
Final Answer: D
QUESTION NO: 130 [PPP – Protocol Functions]
What PPP protocol provides dynamic addressing, authentication, and multilink?
A. NCP
B. HDLC
C. LCP
D. X.25
Answer: C
LCP (Link Control Protocol) is responsible for establishing, configuring, and testing the data-link connection in PPP. It handles features such as:
Authentication (PAP/CHAP)
Link quality testing
Multilink (combining multiple connections)
Negotiating link options
MTCNA Course Material – PPP Configuration:
“LCP handles link configuration, authentication, multilink, and error detection. NCP handles network layer protocol configuration.”
René Meneses MTCNA Study Guide – PPP Stack:
“LCP is the control protocol used to manage and negotiate the PPP connection, including authentication and multilink.”
Other options:
A: NCP negotiates Layer 3 protocol settings (e.g., IP, IPX)
B: HDLC is a simpler Layer 2 protocol, no support for dynamic addressing or multilink
D: X.25 is a packet-switched WAN protocol, not part of PPP
Final Answer: C
QUESTION NO: 131 [Switching – Spanning Tree Protocol (STP)]
In a network with dozens of switches, how many root bridges would you have?
A. 1
B. 2
C. 5
D. 12
Answer: A
Spanning Tree Protocol (STP) is used in Ethernet switching environments to prevent loops. In any STP domain, only one switch is elected as the root bridge. All other switches determine the shortest path to this root bridge and may block redundant paths.
MTCNA Course Material – STP Basics:
“STP ensures a loop-free topology by electing a single root bridge. All path calculations are made from the root bridge’s perspective.”
René Meneses MTCNA Study Guide – STP and Loop Prevention:
“Only one root bridge exists per STP domain. Switches use BPDU messages to elect it based on bridge ID priority.”
No matter how many switches exist (2, 10, or 50), only one root bridge is present at any time.
Final Answer: A
QUESTION NO: 132 [IP Addressing – Classful Networking]
Which class of IP address has the most host addresses available by default?
A. A
B. B
C. C
D. A and B
Answer: A
Classful IP addressing reserves different address ranges and host counts:
Class A: 1.0.0.0 – 126.255.255.255 (/8) → 2^24 – 2 = 16,777,214 hosts
Class B: 128.0.0.0 – 191.255.255.255 (/16) → 2^16 – 2 = 65,534 hosts
Class C: 192.0.0.0 – 223.255.255.255 (/24) → 2^8 – 2 = 254 hosts
MTCNA Course Material – IP Address Classes:
“Class A has the largest number of hosts per network, over 16 million. Class B allows around 65,000, and Class C allows 254.”
René Meneses MTCNA Study Guide – Classful IP Summary:
“Class A provides the most host addresses by default due to its /8 subnet.”
Only Class A has the highest host count.
How many IP addresses can one find in the header of an IP packet?
A. 4
B. 2
C. 3
D. 1
An IP packet contains two critical IP addresses in its header:
Source IP address – the IP of the sending host
Destination IP address – the IP of the receiving host
These addresses allow routers to forward the packet from source to destination over Layer 3 (Network Layer).
Other values in the IP header include TTL, protocol type, and checksum — but not additional IP addresses.
A. 4 → ❌ Incorrect. Only 2 IPs are included
B. 2 → ✅ Correct: Source and Destination
C. 3 → ❌ Some protocols like NAT may temporarily associate more addresses, but not in header
D. 1 → ❌ Incomplete
MTCNA Course Manual – IP Packet Structure:
“An IP packet always contains a source and destination IP address in the Layer 3 header. This allows routing to function across networks.”
René Meneses Guide – Packet Flow:
“IP headers are designed to carry the minimal information necessary for routing. That includes the source and destination IPs.”
Terry Combs Notes – Header Fields:
“Two IPs: one for sender, one for receiver. That’s all you’ll find in the IP header.”
Answer: B
QUESTION NO: 21 [Routing]
When viewing the routes in Winbox, some routes will show "DAC" in the first column. These flags mean:
A. Dynamic, Active, Console
B. Dynamic, Active, Connected
C. Direct, Available, Connected
D. Dynamic, Available, Created
Answer: B
MikroTik’s RouterOS assigns flags to routing table entries to describe how they were created and their status.
D = Dynamic (added automatically by the system)
A = Active (currently used by RouterOS)
C = Connected (directly connected subnet or interface)
Thus, "DAC" means:
→ Dynamic, Active, Connected ✅
Other flags that may appear include:
S = Static (manually added)
R = RIP
O = OSPF
B = BGP
MTCNA Course Manual – Routing Flags:
“DAC means that the route is dynamically added by the system, is currently active, and is directly connected to the device.”
René Meneses MTCNA Guide – Routing Table Interpretation:
“Flags help identify how the route was installed and its type. DAC is common for directly connected interfaces.”
Terry Combs Notes – Route Flags Table:
“DAC = Dynamic + Active + Connected. Usually appears after setting IP address on interface.”
Answer: B
QUESTION NO: 22 [RouterBOARD Hardware]
In which situations can Netinstall not be used to install RouterOS on a RouterBOARD?
A. The router is connected only to a secondary Ethernet port
B. The router does not have an operating system
C. The router is connected only to a wireless network
D. The password of the router is not known
Answer: C
Netinstall is a MikroTik utility used to reinstall or upgrade RouterOS. It requires a direct Ethernet connection to the router’s first Ethernet port and works via PXE (boot over Ethernet). It cannot function over wireless.
Let's review the options:
A. The router is connected only to a secondary Ethernet port → ❌ Netinstall works if booted over that port
B. The router does not have an operating system → ❌ This is the purpose of Netinstall
C. The router is connected only to a wireless network → ✅ Correct: Netinstall requires a wired Ethernet connection
D. The password of the router is not known → ❌ Netinstall bypasses current OS; password irrelevant
MTCNA Course Manual – RouterBOARD Recovery and Netinstall:
“Netinstall must be done over a wired Ethernet connection. Wireless booting is not supported.”
René Meneses Guide – System Recovery:
“Netinstall needs Layer 2 communication via Ethernet. It cannot operate over Wi-Fi.”
Terry Combs Notes – Netinstall Limitations:
“Netinstall does not support Wi-Fi. Must connect via Ethernet to first interface, preferably.”
Answer: C
QUESTION NO: 23 [DHCP]
DHCP server is configured on a router’s ether1 interface. IP address 192.168.0.100/24 is assigned to the interface. Possible IP pools, that can be used by this DHCP server, are:
A. 192.168.0.1–192.168.0.255
B. 192.169.0.1–192.169.0.254
C. 192.168.0.1–192.168.0.99, 192.168.0.101–192.168.0.254
D. 192.168.0.1–192.168.0.14
Answer: C
The router’s interface IP is 192.168.0.100/24 → which belongs to the subnet 192.168.0.0–192.168.0.255.
However, 192.168.0.100 is already assigned to the router. So, this IP must be excluded from the DHCP pool to avoid conflicts.
C offers two valid ranges excluding .100:
→ 192.168.0.1–192.168.0.99
→ 192.168.0.101–192.168.0.254
Let’s evaluate other options:
A. 192.168.0.1–192.168.0.255 → ❌ Includes broadcast (.255) and router IP (.100) → Invalid
B. 192.169.0.1–192.169.0.254 → ❌ Completely wrong subnet
D. 192.168.0.1–192.168.0.14 → ✅ Valid but unnecessarily small
MTCNA DHCP Chapter – Address Pools:
“Make sure the pool does not include the router’s IP or the network’s broadcast address. Common errors involve overlapping pools.”
René Meneses MTCNA Guide – DHCP Configuration:
“Exclude the router’s own IP from the range. Use address pools below and above the assigned IP.”
Terry Combs Notes – DHCP Pool Tips:
“Split the pool to avoid assigning the interface IP to clients. Also avoid .0 and .255.”
If a packet comes to a router and starts a new, previously unseen connection, which connection state would be applied to it?
A. no connection state would be applied to such packet
B. new
C. unknown
D. invalid
E. established
MikroTik uses connection tracking to assign states to packets that pass through the router’s firewall. When a packet initiates a connection that is not previously tracked, it is marked as new.
Connection states:
new: First packet of a new connection
established: Part of an existing tracked connection
related: New connection related to an existing one (e.g., FTP data channel)
invalid: Unrecognized or malformed connection
unknown: Used in very specific or rare circumstances (not common in IP-based networks)
Therefore:
A. ✘ Incorrect – All packets entering the firewall are tracked
B. ✔ Correct – This is a new connection
C. ✘ Incorrect – "unknown" is not used for typical traffic
D. ✘ Incorrect – Not invalid unless malformed or contextless
E. ✘ Incorrect – This is not an existing connection
Extract from Official MTCNA Course Material – Firewall Connection States:
“A packet that begins a new connection is marked as ‘new’. Connection tracking then continues monitoring that session.”
Extract from René Meneses MTCNA Study Guide – Connection Tracking:
“New connections receive the 'new' state. Firewall rules often start by permitting or blocking 'new' and 'established' states.”
Extract from MikroTik Wiki – Firewall and Connection States:
“State=new is assigned when no existing connection entry matches the incoming packet.”
===========
To use masquerade, you need to specify:
A. action=accept, out-interface, chain=src-nat
B. action=masquerade, out-interface, chain=src-nat
C. action=masquerade, in-interface, chain=src-nat
D. action=masquerade, out-interface, chain=dst-nat
Masquerading is a form of source NAT (src-nat) where the router dynamically replaces the source address of outgoing packets with the IP address of the router’s outgoing interface. This is commonly used when internal LAN clients access the internet through a single public IP.
Key points for masquerade configuration:
Use chain=src-nat (because it modifies the source address)
Use action=masquerade
Specify the out-interface (i.e., the WAN interface)
MTCNA Course Material – NAT Section:
“To configure masquerading, use chain=src-nat and action=masquerade. Specify out-interface to define the traffic direction.”
René Meneses MTCNA Study Guide – NAT Examples:
“Masquerade automatically uses the IP address of the specified out-interface. Required parameters: chain=src-nat, action=masquerade, out-interface.”
MikroTik Wiki – Source NAT / Masquerade:
“Masquerade is a special form of src-nat. You must use it in chain=src-nat and define the out-interface for which NAT will be applied.”
Option A: Incorrect action=accept (used in filter rules, not NAT)
Option C: in-interface is not applicable here
Option D: chain=dst-nat is used for destination NAT, not source NAT
Only Option B is fully correct.
Final Answer: B
QUESTION NO: 94 [Tools]
In which situations can Netinstall NOT be used to install a RouterBOARD?
A. The router does not have an operating system
B. The router is connected only to a wireless network
C. You do not know the password of the router
D. The router is connected only to a secondary Ethernet port
Answer: B
Netinstall works over a wired Ethernet connection and uses PXE or Etherboot to install RouterOS over the network. It cannot function over wireless, as wireless interfaces do not support PXE booting or Netinstall protocols.
MTCNA Course Material – Netinstall Overview:
“Netinstall requires a direct Ethernet connection between the PC and the router. Wireless interfaces are not supported for Netinstall procedures.”
René Meneses MTCNA Guide – Netinstall:
“Netinstall only works over Ethernet. You cannot Netinstall a device connected only through Wi-Fi.”
MikroTik Wiki – Netinstall Prerequisites:
“Router must be connected via Ethernet. Wireless and USB interfaces are not supported.”
Other options:
A: This is a typical use case (installing RouterOS when OS is missing)
C: Netinstall bypasses password (not needed)
D: Netinstall can work via any Ethernet port, provided it's accessible
Final Answer: B
QUESTION NO: 95 [Monitoring and Logging]
MikroTik RouterOS is sending logs to an external syslog server. Which protocol and port is used by RouterOS for sending logs (by default)?
A. UDP 514
B. UDP 21
C. UDP 113
D. TCP 110
Answer: A
RouterOS uses the industry-standard syslog protocol for remote logging. By default, syslog uses UDP port 514.
MTCNA Course Material – Logging Section:
“For sending logs to a remote syslog server, RouterOS uses the syslog protocol on UDP port 514 by default.”
René Meneses MTCNA Guide – Monitoring & Logging:
“External logging is done using UDP port 514, which is the standard syslog protocol port.”
MikroTik Wiki – Logging Configuration:
“To send logs to a remote server, configure an action of type remote with a remote address and use UDP port 514 unless otherwise changed.”
Other ports:
UDP 21 = FTP (not logging)
UDP 113 = Ident protocol
TCP 110 = POP3
Only UDP 514 is correct.
Final Answer: A
QUESTION NO: 96 [RouterBOARD Hardware]
Can you manually add drivers to RouterOS in case your PCI Ethernet card is not recognized, and you suspect it is a driver issue?
A. Yes
B. No
Answer: B
RouterOS is a closed, embedded Linux-based system. It does not support adding custom drivers or compiling modules manually. You must use supported hardware that is natively compatible with RouterOS.
MTCNA Course Material – RouterBOARD Compatibility:
“RouterOS supports a fixed set of drivers. You cannot install third-party drivers or modules.”
René Meneses MTCNA Guide – Hardware Limitations:
“Custom drivers cannot be added to RouterOS. Use only supported network interface cards as listed by MikroTik.”
MikroTik Wiki – Hardware Support:
“RouterOS does not allow manual driver installation. All drivers are precompiled and built into the system image.”
Therefore, if your PCI Ethernet card is not recognized, you must replace it with a compatible model — you cannot add a driver manually.

