It is possible to create a configuration where VLAN and PPTP interfaces are bridged together.
TRUE
FALSE
RouterOS allows different types of interfaces, including VLANs and PPP-based interfaces (like PPTP), to be added to a bridge. This creates a Layer 2 network between them, enabling transparent communication.
A.✔TRUE – Supported and commonly used in tunneling + VLAN transport.
B.✘FALSE – Incorrect.
Extract from MTCNA Course Material – Bridging Concepts:
“Bridging can include Ethernet, VLAN, wireless, and virtual interfaces such as PPTP and EOIP.”
Extract from MikroTik Wiki – Bridge Interface:
“Any Layer 2-capable interface (including VLANs, PPP tunnels, and Ethernet) can be included in a bridge.”
Extract from René Meneses Study Guide – Bridging and VLANs:
“It is possible to bridge VLAN interfaces with VPN interfaces for advanced Layer 2 tunneling scenarios.”
===========
Which are necessary sections in /queue simple to set bandwidth limitation?
target-address, max-limit
target-address, dst-address, max-limit
target-address, dst-address
max-limit
Simple Queues in MikroTik are the most straightforward way to manage bandwidth per IP address or subnet. To apply bandwidth limitations, you primarily need:
target-address (the IP address or subnet you're shaping)
max-limit (the maximum allowable upload/download bandwidth)
Other fields like dst-address can be used for advanced matching, but they are not required for basic bandwidth limiting.
A. Correct. This is the minimum required configuration.
B. Incorrect. dst-address is optional and unnecessary unless shaping traffic only to specific destinations.
C. Incorrect. Lacks max-limit, which is essential for any bandwidth cap.
D. Incorrect. Without target-address, the queue doesn’t know which host or network to apply the rule to.
Extract from Official MTCNA Course Material – QoS Section:
"To shape traffic in a simple queue, the most basic configuration requires target-address and max-limit. Target-address specifies which host or network to affect. Max-limit defines upload/download caps."
Extract from René Meneses MTCNA Study Guide – QoS:
"A simple queue needs at least two values: target (the IP or range) and max-limit (limits for up/down in bits per second). Everything else is optional for basic shaping."
Extract from Terry Combs Notes – Queues:
“Without a max-limit value, the queue does not restrict bandwidth. dst-address is rarely used in simple queues unless traffic is routed externally.”
===========
A client uses a RouterBOARD1000. The clock is configured in '/system clock'. The clock resets to default after each reboot.
Select the best solution for the problem.
Write a script in '/system script' to set the clock
Configure '/system ntp server' and set a valid and reachable NTP client address
Configure '/system ntp client' and set a valid and reachable NTP server address
Open the router and ensure the CMOS battery is fine
RouterBOARD devices (such as RB1000) typically do not have a battery-backed hardware clock (RTC). This means the system time resets after each reboot. To keep time accurate, you must configure the router to synchronize with an external NTP (Network Time Protocol) server.
A.✘Inefficient and non-scalable solution.
B.✘The /system ntp server is used to act as an NTP server for others — not for receiving time.
C.✔Correct – You must enable /system ntp client and point to a reachable NTP server to get the correct time on boot.
D.✘Irrelevant – RouterBOARDs do not have CMOS batteries for timekeeping like traditional PCs.
Extract from MTCNA Course Material – Time Synchronization:
“To maintain correct system time, configure NTP client to sync with a public or internal time server after reboot.”
Extract from René Meneses Study Guide – Clock and Scheduler:
“RouterBOARD devices don’t have battery-backed RTC. Use the NTP client to update time after reboot.”
Extract from MikroTik Wiki – NTP Setup:
“Use /system ntp client to sync time. /system clock alone will reset on reboot without NTP.”
===========
If 'check-gateway' is enabled for an ECMP route and one of the gateways is unreachable, then:
ECMP is going to send packets to all gateways even if one is unreachable
The unreachable gateway is not going to be used in the Round Robin algorithm
The ECMP route becomes inactive
When multiple gateways are used in an ECMP (Equal Cost Multi-Path) configuration, the check-gateway option ensures that RouterOS will actively monitor the health of each gateway using ping (or ARP). If a gateway becomes unreachable, RouterOS temporarily removes it from the active ECMP gateway list.
A.✘Incorrect – Unreachable gateways are excluded from packet forwarding.
B.✔Correct – Only reachable gateways are used in the ECMP round robin logic.
C.✘Incorrect – The entire ECMP route remains active; only the failed gateway is excluded.
Extract from MTCNA Course Material – ECMP Routing:
“With check-gateway enabled, RouterOS will exclude unreachable gateways from ECMP rotation.”
Extract from MikroTik Wiki – Check-Gateway Option:
“When a gateway is unreachable, it is skipped in ECMP logic until it becomes reachable again.”
Extract from René Meneses Study Guide – ECMP and Gateway Monitoring:
“Check-gateway helps prevent blackholing by skipping dead gateways. The route remains active.”
==================================
Mangle Routing (routing-mark) is possible, by using chains:
prerouting and output
forward and output
prerouting and forward
input and output
forward and postrouting
Mangle rules that mark routing (using the routing-mark property) can only be applied in the following chains:
prerouting: For traffic arriving at the router
output: For traffic generated by the router itself
Other chains like forward, input, postrouting do not support routing-mark.
A.✔Correct – prerouting and output are used for routing-mark
B.✘forward does not support routing-mark
C.✘forward is invalid for routing-mark
D.✘input does not support routing decisions
E.✘postrouting is used for NAT, not routing
Extract from MTCNA Course Material – Mangle and Routing Marks:
“Routing-mark is applied only in prerouting (for transit traffic) and output (for router-generated traffic).”
Extract from MikroTik Wiki – Mangle:
“routing-mark can be used only in prerouting and output chains.”
Extract from René Meneses Study Guide – Mangle and PBR:
“To perform policy-based routing, use prerouting or output to assign routing-marks.”
===========
MAC layer by OSI model is also known as
Layer 2
Layer 1
Layer 6
Layer 7
Layer 3
MikroTik RouterOS commands can be run once a day by:
/system watchdog
/system cron
/system scheduler
MikroTik RouterOS uses the /system scheduler to execute scripts or commands at defined times or intervals. It allows for automation of tasks such as backups, reboots, updates, and more.
Evaluation:
A. /system watchdog →❌Used for hardware monitoring and rebooting if the system freezes.
B. /system cron →❌Not available in MikroTik RouterOS (RouterOS doesn’t use cron syntax).
C. /system scheduler →✅Correct. Built-in RouterOS feature for scheduled command execution.
MTCNA Course Manual – System Scheduler Section:
“Use /system scheduler to run scripts or commands at regular intervals or specific times.”
René Meneses Guide – Automating Tasks:
“Scheduler is the only built-in time-based job handler in RouterOS.”
Terry Combs Notes – Script Automation:
“RouterOS uses scheduler, not cron. Schedule by time or interval.”
Answer: C
QUESTION NO: 67 [Firewall / Tools]
Where can you monitor (see addresses and ports) real-time connections which are processed by the router?
A. Firewall Connection Tracking
B. Firewall Counters
C. Tool Torch
D. Queue Tree
Answer: A
Firewall Connection Tracking (also known as conntrack) is used to monitor real-time connections that pass through the router. It shows source and destination IPs, ports, protocols, connection states (established, new, related), and more.
Let’s evaluate the options:
A.✅Correct – Shows live connection table with IPs, ports, and statuses
B.❌Shows rule match counters only — no detailed connection info
C.❌Torch shows per-interface traffic; useful for bandwidth, but not a connection list
D.❌Queue Tree is used for traffic shaping, not for viewing connections
MTCNA Course Manual – Firewall Concepts:
“Connection tracking shows all active sessions through the router with IP and port details.”
René Meneses Guide – Firewall Tools:
“Use connection tracking to diagnose connection states and NAT behavior.”
Terry Combs Notes – Monitoring Tools:
“conntrack is your real-time connection monitor. Torch is per-interface, not per-flow.”
Answer: A
QUESTION NO: 68 [Wireless]
How many wireless clients can connect, when wireless card is configured to mode=bridge?
A. 1
B. 100
C. 2007
D. 2
Answer: A
In MikroTik RouterOS, if a wireless card is configured to mode=bridge (also referred to as "station-bridge"), it can only be used to connect a single client device (MAC address) behind it. This is due to limitations in how 802.11 bridges MAC addresses.
So:
A.✅Correct – Only 1 MAC address can pass via wireless bridge mode (unless using WDS or 4-address mode)
B, C →❌Too many clients for bridge mode
D.❌Incorrect – Still only one client allowed per interface in bridge mode
MTCNA Wireless Module – Wireless Modes:
“Bridge mode allows one client only unless extended bridging protocols are used.”
René Meneses Guide – Wireless Bridging:
“mode=bridge = one MAC behind the station. Use WDS for multiple MACs.”
Terry Combs Notes – Wireless Modes:
“Station-bridge mode works like Ethernet, but only supports one MAC address unless using WDS.”
Answer: A
QUESTION NO: 69 [Routing]
In the Route List, the identification DAb for a route stands for:
A. direct - active - bgp
B. direct - acknowledge - backup
C. dynamic - active - backup
D. dynamic - active - bgp
Answer: D
In MikroTik RouterOS, route flags provide quick insight into how the route was created and its status:
D = Dynamic → The route was added dynamically by a protocol (like BGP, OSPF, RIP)
A = Active → This route is currently being used
b = BGP → Indicates that the route was learned via the BGP routing protocol
Therefore, DAb means:
→ D = Dynamic
→ A = Active
→ b = BGP
MTCNA Routing Section – Route Flags Explanation:
“D = dynamically added, A = currently active, b = learned via BGP.”
René Meneses Guide – Understanding Route Lists:
“DAb → dynamic + active + BGP route. Route is learned and installed via BGP.”
Terry Combs Notes – Route Symbols:
“Check the route list: b = BGP, o = OSPF, r = RIP, s = static, c = connected.”
For static routing functionality, additionally to the RouterOS 'system' package, you will also need the following software package:
no extra package required
advanced-tools
routing
dhcp
Static routing is a core feature of MikroTik RouterOS and is included in the default 'system' package. You do not need to install any additional packages (like the "routing" package) for simple static routing.
The routing package is only needed for advanced dynamic routing protocols like BGP, OSPF, and RIP. For manually configured static routes, the system package alone is sufficient.
Let’s evaluate:
A.✅Correct. Static routing is part of the default system.
B.❌advanced-tools are for diagnostics and tools like traceroute, bandwidth-test, etc.
C.❌routing package is for dynamic protocols (OSPF, BGP, etc.), not static routes
D.❌dhcp is unrelated to routing — used for dynamic host IP assignment
MTCNA Course Manual – Routing Fundamentals:
“Static routing requires no additional package — it is included in the base system.”
René Meneses Guide – Routing Overview:
“For static routes, you do not need the 'routing' package. That’s only for protocols like BGP or OSPF.”
Terry Combs Notes – Routing Concepts:
“No extra packages needed for static routes. Just use /ip route.”
Answer: A
QUESTION NO: 40 [Tools]
You want to transfer existing '/ip firewall filter' configuration from one router to a new system.
Choose the best possible way to do this:
A. Export global configuration and remove everything apart from '/ip firewall filter'
B. Export only '/ip firewall filter'
C. Create backup, edit backup file and restore on target router
D. Create backup only of '/ip firewall filter' rules
Answer: B
The best way to transfer only the firewall filter rules is to export just that section of the configuration. This avoids unrelated settings (like IP addresses, user accounts, etc.) that could cause issues on the new router.
MikroTik allows you to selectively export parts of the configuration using:
/ip firewall filter export
This command outputs the firewall filter rules in script format, which can then be copied and applied to another router using import or pasting into terminal.
Evaluations:
A.❌Inefficient and error-prone. Exporting everything then removing parts increases the chance of mistakes.
B.✅Best method. Selective export via command line is clean and precise.
C.❌Backups are binary and system-specific — cannot be safely edited or restored on different hardware.
D.❌Backup doesn’t work selectively per section; export is the proper method.
MTCNA Course Manual – Backup vs Export:
“Use export when you need partial configurations. Backup is for full system state and cannot be selectively restored.”
René Meneses Study Guide – Configuration Transfer:
“Export is human-readable and editable. Use it for transferring only desired parts.”
Terry Combs Notes – Best Practices for Configuration Migration:
“Don’t use backups for partial transfer. Use export for readable and editable results.”
Answer: B
QUESTION NO: 41 [QoS – PCQ]
You want to use PCQ and allow 256k maximum download and upload for each client. Choose correct argument values for the required queue.
A. kind=pcq pcq-rate=256000 pcq-classifier=src-address
B. kind=pcq pcq-rate=1256000 pcq-classifier=dst-address
C. kind=pcq pcq-rate=256000 pcq-classifier=dst-address
D. kind=pcq pcq-rate=5000000 pcq-classifier=src-address
E. kind=pcq pcq-rate=5000000 pcq-classifier=dst-address
Answer: A, C
PCQ (Per Connection Queue) is used in MikroTik to enforce bandwidth fairness across multiple users. To limit each client to 256k:
pcq-rate=256000 → sets maximum bandwidth per client to 256,000 bps (256 kbps)
pcq-classifier=src-address → used in upload queues
pcq-classifier=dst-address → used in download queues
So:
A.✅Used for upload: src-address
C.✅Used for download: dst-address
The other options have incorrect rates or classifiers:
B.❌Incorrect rate (1256000 ≠ 256k)
D & E.❌Incorrect rate (5000000 = 5 Mbps)
MTCNA Course Manual – PCQ Explanation:
“Use pcq-classifier=src-address for upload, and dst-address for download. pcq-rate sets per-client limit.”
René Meneses Study Guide – Queue Management:
“To cap clients to 256k, configure pcq-rate=256000. Adjust classifiers based on traffic direction.”
Terry Combs Notes – PCQ Parameters:
“Classifier is the key. src-address = upload, dst-address = download. Don’t mix.”
Answer: A, C
QUESTION NO: 42 [Routing]
Which of the following Route statuses are possible?
A. A = Active
B. C = Connected
C. S = Static
D. D = Drop
Answer: A, B, C
In the MikroTik routing table, route status flags describe the type and status of each route:
A = Active → The route is being used to forward packets✅
C = Connected → The route is to a directly connected subnet✅
S = Static → The route was added manually by the administrator✅
D = Drop →❌There is no such routing flag; “drop” may be an action in firewall or route rules but not a route status
Correct route flags in MikroTik include:
D = Dynamic
A = Active
C = Connected
S = Static
r = RIP
o = OSPF
b = BGP
MTCNA Routing Section – Route Flags Overview:
“Static routes show as S, connected routes as C, and routes in use are marked with A.”
René Meneses Guide – Routing Table Flags:
“Check route flags: A (Active), C (Connected), S (Static). Drop is not a valid route flag.”
Terry Combs Notes – Route Status Flags:
“Drop = firewall action, not route flag. Don’t confuse it with routing status.”
Firewall NAT rules process only the first packet of each connection.
True
False
MikroTik’s NAT (Network Address Translation) is part of the connection tracking mechanism. NAT rules are applied only to the first packet of a connection. Subsequent packets belonging to the same connection are automatically handled by the connection tracking module using the same translation mappings established by that first packet.
Option Analysis:
A.✔True – NAT is evaluated only on the first packet of a new connection.
B.✘False – Subsequent packets are not re-evaluated against NAT rules.
Extract from Official MTCNA Course Material – Firewall & NAT Section:
“NAT rules apply to the first packet in a connection. After that, RouterOS uses the tracked connection entry.”
Extract from René Meneses MTCNA Study Guide – NAT & Firewall Concepts:
“Once the initial packet matches a NAT rule, connection tracking applies it to the whole session.”
Extract from MikroTik Wiki – NAT Implementation:
“NAT is evaluated on the first packet. Other packets in the same connection follow the established NAT mapping.”
===========
Which statements are true regarding ICMP packets?
ICMP guarantees datagram delivery.
ICMP can provide hosts with information about network problems.
ICMP is encapsulated within IP datagrams.
ICMP is encapsulated within UDP datagrams.
1 only
2 and 3
1 and 4
All of the above
ICMP (Internet Control Message Protocol) is used for diagnostics and error reporting in IP networks. It is encapsulated directly within IP datagrams and not over UDP or TCP. It does not guarantee delivery — it merely provides feedback about problems (e.g., host unreachable, time exceeded).
MTCNA Course Material – ICMP and Network Tools:
“ICMP is used for error messages and operational queries such as ping and destination unreachable. It is encapsulated in IP and does not use TCP or UDP.”
René Meneses MTCNA Study Guide – ICMP Section:
“ICMP provides diagnostic information. It is a Layer 3 protocol encapsulated directly in IP. It does not provide guaranteed delivery.”
MikroTik Wiki – ICMP Overview:
“ICMP packets are carried in IP packets and used for control messages. They are not transported using TCP or UDP.”
Breakdown:
Statement 1: False – ICMP does not guarantee delivery
Statement 2: True – provides network problem feedback
Statement 3: True – encapsulated in IP
Statement 4: False – ICMP is not encapsulated in UDP
Correct set: 2 and 3
Final Answer: B
QUESTION NO: 106 [RouterOS Introduction]
Which Layer 4 protocol is used for a Telnet connection?
A. IP
B. TCP
C. TCP/IP
D. UDP
Answer: B
Telnet is a protocol used to access remote devices via command-line over the network. It operates over TCP at Layer 4, using port 23.
MTCNA Course Material – Layer 4 Protocols:
“Telnet uses TCP port 23 for remote shell access. TCP ensures ordered and reliable delivery of commands and responses.”
René Meneses MTCNA Study Guide – TCP/IP Protocols:
“Telnet is an Application Layer protocol using TCP as its transport protocol.”
MikroTik Wiki – Telnet Access:
“Telnet communicates over TCP. It does not use UDP.”
Other options:
A. IP is a Layer 3 protocol
C. TCP/IP is a model, not a single protocol
D. Telnet does not use UDP
Final Answer: B
QUESTION NO: 107 [RouterOS Introduction]
Which of the following are layers in the TCP/IP model?
Application
Session
Transport
Internet
Data Link
Physical
A. 1 and 2
B. 1, 3 and 4
C. 2, 3 and 5
D. 3, 4 and 5
Answer: B
The TCP/IP model has four layers:
Application
Transport
Internet
Network Access (includes Data Link & Physical in OSI terms)
Session is part of the OSI model, not TCP/IP.
MTCNA Course Material – TCP/IP vs OSI Model:
“The TCP/IP model has Application, Transport, Internet, and Network Access layers. Application includes OSI’s Session, Presentation, and Application layers.”
René Meneses MTCNA Guide – Model Comparison:
“The TCP/IP model consists of: Application, Transport, Internet, and Network Access (which covers Data Link and Physical). Session layer is part of OSI.”
So, correct TCP/IP layers from the given list:
Application (✔)
Transport (✔)
Internet (✔)
Session is not part of TCP/IP model.
Final Answer: B
QUESTION NO: 108 [RouterOS Introduction]
Which statements are true regarding ICMP packets?
They acknowledge receipt of a TCP segment.
They guarantee datagram delivery.
They can provide hosts with information about network problems.
They are encapsulated within IP datagrams.
A. 1 only
B. 2 and 3
C. 3 and 4
D. 2, 3 and 4
Answer: C
Reiterating from earlier:
ICMP does not acknowledge TCP segments; that’s TCP’s job.
ICMP does not guarantee delivery; it’s an unreliable protocol.
ICMP does provide diagnostics (e.g., unreachable, TTL exceeded).
ICMP is encapsulated directly in IP, not over TCP/UDP.
MTCNA Course Material – ICMP Behavior:
“ICMP is used for control messages like ping and unreachable. It provides feedback and is encapsulated in IP.”
René Meneses MTCNA Study Guide – ICMP & IP Layer:
“ICMP is a Layer 3 protocol, not used to acknowledge TCP, and is wrapped in IP datagrams.”
Correct:
Statement 3: True
Statement 4: True
Mark all the features that can be used for limiting client registrations to your access point:
access-list
wpa
WDS
registration-table
MikroTik allows you to control which clients can connect to your access point through:
WPA/WPA2 security – prevents unauthorized devices from authenticating.
Access List – filters by MAC address and signal strength.
Option breakdown:
A.✔access-list – Used to accept/reject client MACs and customize access settings.
B.✔wpa – WPA/WPA2 passphrase restricts who can join the network.
C.✘WDS – Wireless Distribution System, used for bridging, not access control.
D.✘registration-table – A monitoring tool showing currently connected clients; it doesn’t restrict connections.
Extract from Official MTCNA Course Material – Wireless Access Control:
“Use WPA/WPA2 for secure authentication. Access List lets you accept or reject clients based on MAC or signal level.”
Extract from René Meneses MTCNA Study Guide – Wireless Security & Filtering:
“You can limit client access using WPA security and Access List. Registration Table only shows connected users.”
Extract from Terry Combs Notes – Wireless Configuration:
“Access control = WPA + Access List. WDS is for bridging, and registration-table is read-only.”
To connect your MikroTik router to a wireless access point, you have to:
Use the same SSID as on the access point
Use the same Radio Name
Use the same Band (5 GHz, 2.4 GHz, ...)
To establish a wireless client connection to an access point:
The SSID must match exactly – including capitalization.
The Band must be compatible – i.e., both devices must support and use the same frequency band (2.4GHz or 5GHz).
Radio Name is an identifier for display purposes only and does not affect connectivity.
Option Analysis:
A.✔Required – Matching SSID is essential.
B.✘Not Required – Radio Name is just a display label in tools like Winbox.
C.✔Required – Band compatibility is critical to ensure the device can “see” and connect to the AP.
Extract from Official MTCNA Course Material – Wireless Client Configuration:
“To connect to an AP, the client must use the same SSID and operate on a compatible band and frequency.”
Extract from René Meneses MTCNA Study Guide – Wireless Modes:
“SSID and band must match to connect. Radio name is not used in the authentication or association process.”
Extract from Terry Combs Notes – Wireless Settings:
“SSID is like the network name, and it must be identical. Mismatched bands (e.g., 2.4 vs 5GHz) will prevent discovery.”
==================================
The basic unit of a physical network (OSI Layer 1) is the:
Frame
Bit
Byte
Header
The OSI Layer 1, also known as the Physical Layer, is responsible for the transmission and reception of raw binary data over a physical medium. The most fundamental unit at this layer is the bit.
Bit = Binary Digit (0 or 1)
It is transmitted over physical media (cables, radio signals, etc.)
Frames (A) exist at Layer 2 (Data Link Layer), not Layer 1.
Bytes (C) are groups of 8 bits, but bits are still the smallest indivisible transmission unit.
Headers (D) are metadata used at Layers 2–7; not relevant to Layer 1.
MTCNA Official Training Manual – OSI Model Chapter:
“Layer 1 transmits raw bits over a transmission medium. These bits form the foundation for higher-layer data structures.”
René Meneses MTCNA Guide – OSI Model Breakdown:
“Physical Layer (Layer 1) carries bits, not frames or bytes. It's concerned with voltages, cables, connectors, and signal encoding.”
Terry Combs Notes – OSI Layers:
“Layer 1 = Bits. Nothing more. Frames come into play in Layer 2.”
Answer: B
Domain Name System (DNS) requests can use protocol/port:
UDP
TCP port 53
DNS primarily uses UDP port 53 for most query/response operations. However, TCP port 53 is also used, particularly for larger responses (such as DNS zone transfers or DNSSEC).
A.✔UDP – Used for standard DNS queries due to lower overhead.
B.✔TCP port 53 – Used when UDP is insufficient, especially for zone transfers (AXFR/IXFR).
Extract from MTCNA Course Material – DNS and Networking Services:
“DNS typically uses UDP/53, but falls back to TCP/53 for larger queries or zone transfers.”
Extract from MikroTik Wiki – DNS Settings:
“DNS uses UDP for general queries. TCP is used when UDP cannot accommodate the size of the response.”
===========
Choose all valid host address ranges for subnet 15.242.55.62/27
15.242.55.33 – 15.242.55.62
15.242.55.32 – 15.242.55.63
15.242.55.31 – 15.242.55.62
15.242.55.33 – 15.242.55.63
/27 subnet = 255.255.255.224 → block size of 32
To determine the subnet range:
Start by finding block base: 15.242.55.62 falls in the 15.242.55.32/27 subnet
Range: 15.242.55.32 – 15.242.55.63
Network Address = 15.242.55.32
Broadcast Address = 15.242.55.63
Usable Host Range = 15.242.55.33 to 15.242.55.62
Evaluation:
A. 15.242.55.33 – 15.242.55.62 →✅Valid host range
B. 15.242.55.32 – 15.242.55.63 →❌Includes network and broadcast addresses
C. 15.242.55.31 – 15.242.55.62 →❌15.242.55.31 is outside this subnet
D. 15.242.55.33 – 15.242.55.63 →❌Includes broadcast address
MTCNA Course Slides – Subnetting:
“In a /27 subnet (block size 32), the first address is the network, last is broadcast. Only the IPs in between are valid host addresses.”
René Meneses Guide – Subnetting Examples:
“A /27 includes 32 addresses. For subnet 192.168.1.32/27, usable IPs are 192.168.1.33–62.”
Terry Combs Notes – Addressing Exercises:
“Subtract 2 from total IPs in subnet for host count. Don't use .0 (network) or .255 (broadcast) equivalents.”
Answer: A
What is the correct action to be specified in the NAT rule to hide a private network when communicating to the outside world?
masquerade
allow
passthrough
tarpit
In MikroTik RouterOS, the masquerade action is used in source NAT (srcnat) rules to hide internal/private IP addresses behind a router’s public IP address. This is typically done for internet access from a LAN where the devices have private IP addresses (e.g., 192.168.x.x).
Masquerade dynamically changes the source IP of outgoing packets to the IP address of the router’s outbound interface, allowing multiple internal devices to share a single public IP.
Let’s evaluate the options:
A. masquerade →✅Correct. Used to perform source NAT for hiding private addresses.
B. allow →❌Not a valid NAT action.
C. passthrough →❌Used in mangle rules to continue processing additional rules, not for NAT.
D. tarpit →❌Used to delay TCP connections (often in firewall, not NAT).
MTCNA Course Manual – NAT Chapter:
“Masquerade is a special form of source NAT where the router replaces the source IP with the IP address of the outgoing interface.”
René Meneses Guide – NAT Configuration:
“Use masquerade on the router’s WAN interface to give internet access to private clients.”
Terry Combs Notes – NAT Rule Actions:
“Masquerade = dynamic src-nat. Useful when public IP is dynamic or unknown.”
Answer: A
QUESTION NO: 62 [PPP / AAA]
Router A and B are both running as PPPoE servers on different broadcast domains of your network. It is possible to set Router A to use "/ppp secret" accounts from Router B to authenticate PPPoE customers.
A. true
B. false
Answer: B
/ppp secret accounts are local to each RouterOS device. These credentials are stored in the router’s own configuration and cannot be shared directly between routers.
To centralize authentication across multiple routers, a RADIUS server must be used. With RADIUS, multiple MikroTik routers can authenticate users against a single, centralized user database.
Without RADIUS or another external AAA system:
Each router maintains its own /ppp secret list
Router A cannot directly read or use the /ppp secrets from Router B
Evaluation:
A.❌False. There is no built-in mechanism for Router A to access secrets on Router B.
B.✅Correct. You must use RADIUS if you want shared authentication across routers.
MTCNA PPP Module – Authentication Methods:
“/ppp secrets are stored locally on the router. For shared user authentication, configure RADIUS.”
René Meneses Study Guide – PPPoE and RADIUS:
“To authenticate clients on multiple routers with a central database, RADIUS is required.”
Terry Combs Notes – PPP Secrets vs RADIUS:
“Local secrets cannot be accessed remotely. Use RADIUS to centralize authentication.”
Answer: B
Where is a hub specified in the OSI model?
Session layer
Physical layer
Data Link layer
Application layer
A hub is a simple Layer 1 (Physical Layer) device that does not understand MAC addresses or IP addresses. It simply repeats electrical signals to all connected ports without inspection or filtering.
MTCNA Course Material – OSI Layer Device Roles:
“Hubs operate at the Physical Layer. They do not process frames or packets and function purely as repeaters.”
René Meneses MTCNA Study Guide – OSI Devices:
“Hubs are Layer 1 devices. They send bits — not frames — and have no concept of MAC addresses.”
Other options:
A: Session layer is Layer 5, handles sessions between applications
C: Switches/bridges operate at the Data Link layer (Layer 2)
D: Application layer (Layer 7) is for user-level software like HTTP, FTP, etc.
Final Answer: B
QUESTION NO: 138 [Cisco IOS – Access List Verification]
Which command is used to determine if an IP access list is enabled on a particular interface?
A. show access-lists
B. show interface
C. show ip interface
D. show interface access-lists
Answer: C
The command show ip interface displays the status of IP-level interface parameters, including whether an access list (ACL) is applied inbound or outbound.
Cisco IOS Command Reference – Interface ACL Check:
“Use show ip interface to verify whether an access list is applied to the interface and in which direction (in or out).”
René Meneses MTCNA Study Guide – Cisco Access List Monitoring:
“To verify ACL assignment to an interface, use show ip interface. It provides ACL status along with IP addressing info.”
Breakdown:
A: show access-lists → shows ACL contents, not interface bindings
B: show interface → shows interface stats, not ACL usage
D: Invalid syntax in Cisco IOS
Final Answer: C
QUESTION NO: 139 [RouterOS Introduction – Transport Protocols]
Which protocol does DHCP use at the Transport layer?
A. IP
B. TCP
C. UDP
D. ARP
Answer: C
DHCP (Dynamic Host Configuration Protocol) operates over UDP:
Client uses UDP port 68
Server uses UDP port 67
It is a connectionless protocol, and because clients typically do not yet have IP addresses, UDP is used due to its simplicity.
MTCNA Course Material – DHCP Protocol Layering:
“DHCP uses UDP for communication between clients and servers. TCP is not used due to the stateless, broadcast nature of DHCP discovery.”
René Meneses MTCNA Study Guide – Port Assignments:
“UDP 67/68 are used by DHCP. TCP is not used because clients lack IPs initially.”
Other options:
A: IP is the network layer, not transport
B: TCP is used by reliable services (FTP, HTTP)
D: ARP resolves IP-to-MAC; unrelated to DHCP transport
Final Answer: C
QUESTION NO: 140 [Cisco IOS – Remote Access Configuration]
Which of the following commands will allow you to set your Telnet password on a Cisco router?
A. line telnet 0 4
B. line aux 0 4
C. line vty 0 4
D. line con 0
Answer: C
The correct line configuration for remote Telnet (or SSH) access in Cisco IOS is via the virtual terminal (vty) lines. Typically, Cisco routers reserve 5 lines: vty 0 4. You then apply the password and login commands under this context.
Cisco IOS Configuration Guide – Telnet/VTY Setup:
“Use line vty 0 4 to configure access for Telnet sessions. Then use password and login to enforce authentication.”
René Meneses MTCNA Study Guide – Cisco Access Configuration:
“VTY lines (virtual terminal) handle Telnet and SSH sessions. Console and aux lines are for local access.”
Other options:
A: line telnet is not a valid command
B: line aux → used for modem or auxiliary port access
D: line con 0 → used for console (local) access, not remote
────────────────────────────────────────────────────────────
To use masquerade, you need to specify:
action=accept, out-interface, chain=src-nat
action=masquerade, out-interface, chain=src-nat
action=masquerade, in-interface, chain=src-nat
action=masquerade, out-interface, chain=dst-nat
Masquerading is a form of source NAT (src-nat) where the router dynamically replaces the source address of outgoing packets with the IP address of the router’s outgoing interface. This is commonly used when internal LAN clients access the internet through a single public IP.
Key points for masquerade configuration:
Use chain=src-nat (because it modifies the source address)
Use action=masquerade
Specify the out-interface (i.e., the WAN interface)
MTCNA Course Material – NAT Section:
“To configure masquerading, use chain=src-nat and action=masquerade. Specify out-interface to define the traffic direction.”
René Meneses MTCNA Study Guide – NAT Examples:
“Masquerade automatically uses the IP address of the specified out-interface. Required parameters: chain=src-nat, action=masquerade, out-interface.”
MikroTik Wiki – Source NAT / Masquerade:
“Masquerade is a special form of src-nat. You must use it in chain=src-nat and define the out-interface for which NAT will be applied.”
Option A: Incorrect action=accept (used in filter rules, not NAT)
Option C: in-interface is not applicable here
Option D: chain=dst-nat is used for destination NAT, not source NAT
Only Option B is fully correct.
Final Answer: B
QUESTION NO: 94 [Tools]
In which situations can Netinstall NOT be used to install a RouterBOARD?
A. The router does not have an operating system
B. The router is connected only to a wireless network
C. You do not know the password of the router
D. The router is connected only to a secondary Ethernet port
Answer: B
Netinstall works over a wired Ethernet connection and uses PXE or Etherboot to install RouterOS over the network. It cannot function over wireless, as wireless interfaces do not support PXE booting or Netinstall protocols.
MTCNA Course Material – Netinstall Overview:
“Netinstall requires a direct Ethernet connection between the PC and the router. Wireless interfaces are not supported for Netinstall procedures.”
René Meneses MTCNA Guide – Netinstall:
“Netinstall only works over Ethernet. You cannot Netinstall a device connected only through Wi-Fi.”
MikroTik Wiki – Netinstall Prerequisites:
“Router must be connected via Ethernet. Wireless and USB interfaces are not supported.”
Other options:
A: This is a typical use case (installing RouterOS when OS is missing)
C: Netinstall bypasses password (not needed)
D: Netinstall can work via any Ethernet port, provided it's accessible
Final Answer: B
QUESTION NO: 95 [Monitoring and Logging]
MikroTik RouterOS is sending logs to an external syslog server. Which protocol and port is used by RouterOS for sending logs (by default)?
A. UDP 514
B. UDP 21
C. UDP 113
D. TCP 110
Answer: A
RouterOS uses the industry-standard syslog protocol for remote logging. By default, syslog uses UDP port 514.
MTCNA Course Material – Logging Section:
“For sending logs to a remote syslog server, RouterOS uses the syslog protocol on UDP port 514 by default.”
René Meneses MTCNA Guide – Monitoring & Logging:
“External logging is done using UDP port 514, which is the standard syslog protocol port.”
MikroTik Wiki – Logging Configuration:
“To send logs to a remote server, configure an action of type remote with a remote address and use UDP port 514 unless otherwise changed.”
Other ports:
UDP 21 = FTP (not logging)
UDP 113 = Ident protocol
TCP 110 = POP3
Only UDP 514 is correct.
Final Answer: A
QUESTION NO: 96 [RouterBOARD Hardware]
Can you manually add drivers to RouterOS in case your PCI Ethernet card is not recognized, and you suspect it is a driver issue?
A. Yes
B. No
Answer: B
RouterOS is a closed, embedded Linux-based system. It does not support adding custom drivers or compiling modules manually. You must use supported hardware that is natively compatible with RouterOS.
MTCNA Course Material – RouterBOARD Compatibility:
“RouterOS supports a fixed set of drivers. You cannot install third-party drivers or modules.”
René Meneses MTCNA Guide – Hardware Limitations:
“Custom drivers cannot be added to RouterOS. Use only supported network interface cards as listed by MikroTik.”
MikroTik Wiki – Hardware Support:
“RouterOS does not allow manual driver installation. All drivers are precompiled and built into the system image.”
Therefore, if your PCI Ethernet card is not recognized, you must replace it with a compatible model — you cannot add a driver manually.
/interface wireless access-list is used for:
Handles a list of Client's MAC Address to permit/deny connection to AP
Shows a list of Client's MAC Address that are already registered at AP
Contains the security profiles settings
Authenticate Hot-Spot users
The /interface wireless access-list in MikroTik is used to define a set of rules that permit or deny wireless clients based on their MAC addresses and signal strength.
This list applies only to clients trying to connect to the router’s wireless interface when it is configured as an Access Point.
Let’s break down the options:
A.✅Correct – Used to allow or deny client MAC addresses and apply settings like rate limits, VLANs, etc.
B.❌That’s the role of the registration table.
C.❌Security profiles are configured separately under /interface wireless security-profiles.
D.❌Hotspot authentication is handled via /ip hotspot, not wireless access lists.
MTCNA Wireless Module – MAC Access Control:
“Access-list matches incoming clients by MAC. You can allow, deny, and apply custom settings.”
René Meneses Study Guide – Wireless Security:
“Access-list is used to explicitly permit or block clients based on their MAC address.”
Terry Combs Notes – Wireless Filtering:
“Think of access-list like a whitelist/blacklist for Wi-Fi clients.”
Answer: A
QUESTION NO: 65 [Firewall]
One host on an internal network is accessing an external web page through a MikroTik router that is doing source NAT. Select the correct statement about the packets that flow from that web page to the host:
A. Packets go through the input chain
B. Packets go through the forward chain
C. Packets go through the output chain
D. Packets go through the input chain before the routing decision and after that through output chain
Answer: B
When a host on a LAN accesses a website on the internet via a MikroTik router that’s performing source NAT (e.g., masquerade), the traffic path is as follows:
From LAN host to internet → forward chain → NAT (src-nat)
From internet back to LAN host → forward chain again → connection-tracked → src-nat reversed
Since the router is only routing the packets and is not the originator or final destination, the packet passes through the forward chain.
Clarifying the options:
A.❌input chain is for packets destined to the router itself
B.✅Correct – packet is routed through the router (forwarded)
C.❌output chain is for packets originating from the router
D.❌This description applies to packets sourced by the router itself
MTCNA Course Manual – Packet Flow Diagram:
“Forward chain handles packets that are being routed through the device (not destined to or from the router itself).”
René Meneses Guide – Firewall Chains:
“For routed traffic, the forward chain is used. This includes NATed traffic between LAN and WAN.”
Terry Combs Notes – Packet Flow:
“Understand the router’s role. If it’s just forwarding, only the forward chain applies.”
Answer: B
It is possible to create an encrypted PPPoE tunnel in RouterOS:
True
False
PPPoE (Point-to-Point Protocol over Ethernet) does not natively support encryption. It provides authentication using PAP/CHAP and allows IP assignment, but any data transmitted through a PPPoE tunnel is unencrypted unless another encryption mechanism (such as IPSec) is used on top of it.
MikroTik RouterOS supports encrypted tunneling protocols such as SSTP, L2TP/IPSec, or OpenVPN, but not native encryption in PPPoE.
MTCNA Course Manual – PPP Protocols Overview:
“PPPoE supports user authentication and compression but not encryption by itself.”
René Meneses Study Guide – Tunneling Protocols:
“PPPoE is not secure by design. If encryption is needed, use SSTP or L2TP/IPSec.”
Terry Combs Notes – PPP Protocol Capabilities:
“PPPoE does not encrypt data. Only authentication is handled within PPP.”
Answer: B
QUESTION NO: 36 [Wireless]
Why is it useful to set a Radio Name on the radio interface?
A. To identify a station in the Access List
B. To identify a station in Neighbor discovery
C. To identify a station in a list of connected clients
Answer: C
Setting a Radio Name in RouterOS provides a unique identifier that is visible to other devices in the wireless environment. It is particularly helpful for identifying connected clients in the registration table on the Access Point.
This name does not affect Access List matching or general Layer 2 communication — it’s used for human readability and monitoring.
A. Access List uses MAC addresses for filtering →❌
B. Neighbor discovery identifies devices based on MAC, IP, and identity →❌
C. Correct → Radio Name shows up in the registration table and helps identify stations✅
MTCNA Wireless Module – Interface Settings:
“The Radio Name is shown in the registration table of access points, making it easier to identify connected clients.”
René Meneses Guide – Wireless Management Tips:
“Use Radio Names to label devices in multi-client setups. It appears under registration when clients connect.”
Terry Combs Notes – Wireless Interface Options:
“Radio Name is not used for access filtering — it’s for display and diagnostics.”
Answer: C
QUESTION NO: 37 [DHCP]
A DHCP server is configured on a LAN interface which is a port on a bridge. The DHCP server does not start. What could be the reason(s)?
A. The DHCP server cannot run on an interface which is also a bridge port
B. There might not be an IP address assigned to the LAN Interface
C. The IP address pool could be incorrectly defined
D. There may be multiple IP addresses set on the LAN interface
Answer: B, C
For a DHCP server to operate properly, the following conditions must be met:
The DHCP server must be attached to the correct interface (typically the bridge, not individual ports).
The bridge interface must have a valid IP address.
The IP address pool must be defined correctly (matching subnet, avoiding conflicts).
Let’s evaluate:
A.❌Incorrect. DHCP can run on a bridge or an interface on a bridge. It is recommended to attach DHCP to the bridge, not individual ports.
B.✅Correct. If there is no IP address on the interface (bridge), DHCP won’t start.
C.✅Correct. If the address pool is misconfigured (e.g., outside the subnet or overlapping with the router’s IP), DHCP won’t function.
D.❌Not a valid blocker. Multiple IPs can exist on the interface; DHCP still works if one is valid.
MTCNA DHCP Module – Configuration Troubleshooting:
“Make sure that the interface (bridge) where the DHCP server is assigned has a valid IP and a properly defined pool.”
René Meneses Guide – DHCP Server Setup:
“DHCP will not function if no IP is assigned to the interface. Check the pool range and binding address.”
Terry Combs Notes – DHCP Tips:
“Assign the DHCP server to the bridge, not individual ports. Missing IP or incorrect pool = DHCP won’t start.”
Answer: B, C
QUESTION NO: 38 [PPP]
There can be more than one PPPoE server in a single broadcast domain:
A. True
B. False
Answer: A
Yes, it is possible — and fully supported — to run multiple PPPoE servers in the same Layer 2 broadcast domain. Clients will receive Offer packets (PADO) from all PPPoE servers, and can choose which one to connect to based on configuration or server name (service name).
This is commonly used in ISP networks to provide redundancy or offer different service types.
MTCNA Course Manual – PPPoE Deployment:
“Multiple PPPoE servers may exist in the same Layer 2 domain. Clients choose based on response or service name.”
René Meneses Study Guide – PPPoE Operations:
“PPPoE discovery protocol supports multi-server environments. Clients may be configured to select a preferred one.”
Terry Combs Notes – PPPoE Server Design:
“Several PPPoE servers can coexist. Just avoid assigning overlapping IP pools.”
Which router command allows you to view the entire contents of all access lists?
show all access-lists
show access-lists
show ip interface
show interface
The show access-lists command in Cisco IOS is used to display all configured access control entries (ACEs) in every access list, both named and numbered. This command shows the complete content, including rules and hit counters.
Cisco IOS Command Reference – Access List Monitoring:
“Use show access-lists to view the complete list of all access control entries. This includes both standard and extended lists.”
Other options:
A: Invalid command syntax
C: show ip interface shows interface-level IP settings and ACL applications, but not full ACL content
D: show interface shows status and statistics, not ACL rules
Final Answer: B
QUESTION NO: 134 [Cisco IOS – Console Access Configuration]
What does the command routerA(config)#line cons 0 allow you to perform next?
A. Set the Telnet password.
B. Shut down the router.
C. Set your console password.
D. Disable console connections.
Answer: C
The command line cons 0 enters the console line configuration mode. This is used to apply settings specific to the physical console line, such as setting a login password (via password and login commands).
Cisco IOS Configuration Guide – Line Console Mode:
“Use line console 0 to configure settings for the console line, including timeouts, password security, and logging behavior.”
René Meneses Study Guide – Device Access:
“Console access configuration begins with line console 0. It is followed by login and password commands.”
Other options:
A: Telnet is configured under line vty, not console
B: Router shutdown is done with reload or shutdown commands (not here)
D: Console cannot be disabled from line cons 0
Final Answer: C
QUESTION NO: 135 [Switching – Spanning Tree Protocol]
How often are BPDUs sent from a Layer 2 device?
A. Never
B. Every 2 seconds
C. Every 10 minutes
D. Every 30 seconds
Answer: B
BPDU (Bridge Protocol Data Units) are messages exchanged by switches in a Spanning Tree Protocol (STP) topology to maintain loop-free Layer 2 networks. By default, switches send BPDUs every 2 seconds.
MTCNA Course Material – STP Operation:
“Switches send BPDUs to maintain spanning tree and detect topology changes. The default transmission interval is 2 seconds.”
Cisco STP Documentation:
“BPDUs are transmitted by the root bridge and propagated every 2 seconds by default, controlled by the hello-time timer.”
Other options:
A: Incorrect — BPDUs are essential for loop prevention
C & D: Not correct — default is 2 seconds, not minutes
Final Answer: B
QUESTION NO: 136 [Routing Protocols – Passive Interface Behavior]
What does the passive command provide to dynamic routing protocols?
A. Stops an interface from sending or receiving periodic dynamic updates.
B. Stops an interface from sending periodic dynamic updates but not from receiving updates.
C. Stops the router from receiving any dynamic updates.
D. Stops the router from sending any dynamic updates.
Answer: B
In dynamic routing (e.g., RIP, OSPF, EIGRP), the passive-interface command stops routing advertisements (outgoing updates) from being sent through the specified interface. However, the router still listens for incoming routing updates.
Cisco IOS Configuration Guide – Passive Interface:
“The passive-interface command prevents routing updates from being sent on an interface, while still allowing updates to be received.”
René Meneses MTCNA Guide – Passive Mode:
“It suppresses sending routing advertisements but does not block receiving updates on that interface.”
Other options:
A: Incorrect — it does not block receiving
C: Incorrect — it applies to interfaces, not globally
D: Also incorrect — it does not block all updates
Final Answer: B
────────────────────────────────────────────────────────────
Which of these are possible solutions to bridge two networks over a wireless link:
Both devices in AP mode and enable WDS mode
One device in AP mode, another one in station-pseudobridge-clone
One device in AP mode, another one in station-pseudobridge
One device in AP mode, another one in station
To bridge two networks over a wireless link (i.e., perform Layer 2 bridging), MikroTik offers several wireless modes that support bridging:
WDS (Wireless Distribution System) is MikroTik’s mechanism to forward Layer 2 frames over wireless
pseudobridge and pseudobridge-clone attempt to mimic Layer 2 bridging, with some limitations
Option analysis:
A.✔Correct – Using AP mode on both ends and enabling WDS allows full Layer 2 bridging
B.✔Correct – pseudobridge-clone allows limited bridging by spoofing the MAC address of the connected host
C.✔Correct – station-pseudobridge enables partial bridging (one client per MAC)
D.✘Incorrect – station mode alone does not support Layer 2 bridging; it performs routing/NAT instead
Extract from MTCNA Course Material – Bridging and Wireless Section:
"To bridge over wireless, you can use WDS or station-pseudobridge(-clone). WDS provides true Layer 2 bridging, while pseudobridge methods simulate it for single hosts."
Extract from René Meneses Study Guide – Wireless Bridging:
“WDS is most reliable for bridging. pseudobridge and pseudobridge-clone work with one client and should be used cautiously.”
Extract from Terry Combs Notes – Wireless Bridging:
“station mode alone is not sufficient for bridging. Use WDS or pseudobridge options.”
===========
PPPoE server only works within one Ethernet broadcast domain that it is connected to. If there is a router between server and end-user host, it will not be able to create PPPoE tunnel to that PPPoE server.
False
True
PPPoE (Point-to-Point Protocol over Ethernet) relies on Ethernet broadcast and discovery mechanisms. It uses a discovery stage (PPPoE Active Discovery Initiation – PADI) which is sent as a broadcast. Therefore, PPPoE only works within the same Layer 2 broadcast domain.
If a router (Layer 3 device) exists between the client and PPPoE server, it breaks the Layer 2 broadcast domain, making it impossible for the client to reach the server.
A.✘False – Routers break the broadcast domain; PPPoE will fail.
B.✔True – PPPoE requires L2 adjacency.
Extract from Official MTCNA Course Material – PPPoE Concepts:
“PPPoE operates only over Ethernet broadcast domains. If routed, PADI packets will not reach the PPPoE server.”
Extract from René Meneses MTCNA Study Guide – PPPoE:
“PPPoE discovery is broadcast-based and does not traverse routers.”
Extract from MikroTik Wiki – PPPoE Limitations:
“PPPoE cannot function over routed networks. Server and client must be in the same broadcast domain.”
===========
Is ARP used in the IPv6 protocol?
False
True
In IPv6, the Address Resolution Protocol (ARP) is not used. Instead, IPv6 uses the Neighbor Discovery Protocol (NDP), which is part of the ICMPv6 suite. NDP handles address resolution, router discovery, and reachability.
MTCNA Course Material – IPv6 Address Resolution:
“IPv6 replaces ARP with Neighbor Discovery Protocol. NDP uses ICMPv6 to perform tasks like address resolution and router discovery.”
René Meneses MTCNA Study Guide – IPv6 Fundamentals:
“There is no ARP in IPv6. It uses NDP messages for neighbor solicitation and advertisement.”
Thus, ARP is not used in IPv6.
Final Answer: A
QUESTION NO: 152 [Monitoring and Management – SNMP Protocol]
Which of the following protocols / ports are used for SNMP (Simple Network Management Protocol)?
A. TCP 162
B. UDP 162
C. UDP 161
D. TCP 25
E. TCP 123
F. TCP 161
Answer: B, C
SNMP uses the following ports:
UDP 161: Used for SNMP agent queries (GET, SET, etc.)
UDP 162: Used by SNMP managers to receive trap notifications
MTCNA Course Material – SNMP and Monitoring:
“SNMP uses UDP 161 for polling devices and UDP 162 for traps.”
MikroTik Wiki – SNMP:
“SNMP communication uses UDP ports 161 (queries) and 162 (traps). TCP is not used for SNMP by default.”
Option breakdown:
A: TCP 162 → incorrect (SNMP traps use UDP)
B:✔UDP 162
C:✔UDP 161
D: TCP 25 = SMTP
E: TCP 123 = NTP (incorrect protocol and transport)
F: TCP 161 = incorrect transport
Final Answer: B, C
QUESTION NO: 153 [ARP – MikroTik Specific Behavior]
If arp=reply-only is configured on an interface, what will this interface do?
A. Accept all IP/MAC combinations listed in /ip arp as static entries
B. Accept all IP addresses listed in /ip arp as static entries
C. Add new MAC addresses in /ip arp list
D. Accept all MAC addresses listed in /ip arp as static entries
E. Add new IP addresses in /ip arp list
Answer: A
Setting arp=reply-only on an interface disables the normal dynamic ARP process. The router will only respond to ARP requests for IP/MAC pairs that are explicitly listed in /ip arp with type=static. No dynamic entries will be added.
MikroTik Wiki – ARP Modes:
“reply-only – the interface will only reply to ARP requests if there is a static entry. It will not add any new entries.”
MTCNA Course Material – ARP Configuration:
“When reply-only is set, the interface will not send ARP requests and will only respond to those IP/MAC combinations configured as static entries.”
Option breakdown:
A:✔Correct — replies only to statically configured IP/MAC pairs
B: Incorrect — ARP entries must have both IP and MAC
C/E: No new dynamic entries are added in reply-only mode
D: MAC addresses alone are not matched — ARP matches IP/MAC pairs
Final Answer: A
QUESTION NO: 154 [RouterOS Tools – Configuration Export]
Mark all correct statements about /export (rsc file).
A. Exports logs from /log print
B. Exports full configuration of the router
C. Exports only part of the configuration (for example /ip firewall)
D. Exports scripts from /system script
E. Exported files could not be edited
Answer: B, C, D
The /export command in RouterOS allows exporting configuration as a script (.rsc file). It can:
Export the full configuration
Export a specific section (e.g., /ip firewall)
Include scripts under /system script if specified
It does not export logs and the exported .rsc file is plain text and can be edited.
MTCNA Course Material – Configuration Management:
“/export outputs configuration to a text file. You can export the full config or a specific menu, and it includes scripts if present.”
MikroTik Wiki – Export Command:
“You can use /export to generate editable .rsc files. Use /export file=name or /ip firewall export.”
Option breakdown:
A:❌Logs are not exported
B:✔Full config export is default
C:✔You can target specific sections (e.g., /ip dhcp-server)
D:✔Scripts are included if present
E:❌Exported files are editable text files
Final Answer: B, C, D
Is ARP used in the IPv6 protocol?
True
False
Address Resolution Protocol (ARP) is used in IPv4 to resolve IP addresses into MAC addresses. However, in IPv6, ARP is completely replaced by the Neighbor Discovery Protocol (NDP), which is part of ICMPv6. Therefore, ARP is not used in IPv6 at all.
A. True → Incorrect. ARP is exclusive to IPv4.
B. False → Correct. IPv6 replaces ARP with ICMPv6-based mechanisms.
Extract from Official MTCNA Course Material – IPv6 Overview:
“IPv6 does not use ARP. Instead, it uses the Neighbor Discovery Protocol (NDP), which provides similar functionality using ICMPv6 messages.”
Extract from René Meneses MTCNA Study Guide – IPv6 Chapter:
“In IPv6, the legacy ARP protocol is replaced with Neighbor Solicitation and Advertisement messages as part of the Neighbor Discovery Protocol.”
Extract from MikroTik Wiki – IPv6 Concepts:
“ARP is not used in IPv6. Instead, Neighbor Discovery Protocol handles address resolution, router discovery, and prefix information.”
Which firewall chain should you use to filter clients' HTTP traffic going through the router?
prerouting
forward
output
input
When a router forwards traffic between two interfaces (such as from LAN to WAN), it uses the forward chain. HTTP traffic initiated by users destined to external servers passes through this chain.
A.✘prerouting – Used mainly for routing decisions and NAT, not filtering.
B.✔forward – Used to filter transit traffic.
C.✘output – For traffic originating from the router itself.
D.✘input – For traffic destined to the router itself.
Extract from MTCNA Course Material – Firewall Chains:
“Client-to-server traffic, like browsing the web, passes through the forward chain when routed through the router.”
Extract from René Meneses Study Guide – Firewall Structure:
“To block or allow traffic passing through the router (LAN to Internet), use the forward chain.”
Extract from MikroTik Wiki – Firewall Filtering Overview:
“forward: filters all transit traffic routed through the router.”
===========
Mark all features that are compatible with Nstreme
WDS between a device in station-wds mode and a device in station-wds mode
Encryption
WDS between a device in ap-bridge mode with a device in station-wds mode
Bridging a device in station mode with a device in ap-bridge mode
Nstreme is a proprietary point-to-point wireless protocol developed by MikroTik to improve performance on long-distance wireless links. It enhances frame aggregation, reduces latency, and replaces standard 802.11 MAC timing behavior with a custom approach. Because of its specific mechanism, it imposes certain compatibility restrictions:
A. WDS between two station-wds devices is not compatible with Nstreme. This setup doesn't conform to proper AP-client architecture required by Nstreme, which operates in a master/slave role — typically ap-bridge and station.
B. Encryption (e.g., using WEP or WPA) is supported in Nstreme; however, MikroTik recommends encryption at higher layers like IPsec when performance is critical.
C. WDS between ap-bridge and station-wds is compatible with Nstreme. This is the standard pairing used when bridging two networks via wireless.
D. Bridging a station with an ap-bridge device using standard station mode (not station-wds or station-bridge) is not compatible for full Layer 2 bridging. Only station-wds or station-bridge supports bridging with ap-bridge mode.
Extract from Official MTCNA Course Material – Wireless Section:
"Nstreme is supported only between a device in ap-bridge mode and a device in station or station-wds mode. Both ends must support Nstreme. WDS is supported with station-wds and ap-bridge combinations. Encryption is supported, although optional."
Extract from Terry Combs MTCNA Notes – Nstreme Notes:
"Only ap-bridge <-> station-wds (or station-bridge in RouterOS v6+) is valid for bridging over Nstreme. Encryption like WPA2 is supported but optional."
Extract from René Meneses Study Guide – Wireless Features:
“Nstreme does not support station-station WDS. Proper implementation requires ap-bridge on one side and station-wds or station-bridge on the other. Basic encryption (WEP/WPA) is allowed.”
===========
Which of the following is NOT a valid MAC Address?
80:GF:AA:67:13:5D
95:B5:DD:EE:78:8A
88:0C:00:99:5F:EF
EA:BA:AA:EE:FF:CB
13:16:86:53:89:43
A MAC (Media Access Control) address is a unique identifier assigned to network interfaces for communications at the data link layer (Layer 2 of the OSI model). A MAC address is:
Always 48 bits (6 bytes) long
Represented in 12 hexadecimal characters
Grouped into 6 pairs separated by colons or dashes (e.g., 00:1A:2B:3C:4D:5E)
Contains only hexadecimal characters (0-9, A-F)
Extract from René Meneses MTCNA Study Guide:
“A MAC address is a 48-bit value, represented as 6 groups of two hexadecimal digits (00 to FF). Any character outside this range is not valid. For example, 80:GF:AA:67:13:5D is invalid because ‘G’ is not a valid hexadecimal digit.”
Extract from Terry Combs MTCNA Notes – MAC Addressing Section:
“Valid MAC addresses contain only 0-9 and A-F. A common mistake in training exams is to insert an invalid character like G or H into a MAC, which instantly makes it incorrect.”
Extract from MikroTik Wiki – MAC Address Format Page:
“MAC addresses are six octets long and use hexadecimal format only. Hexadecimal numbers go from 0–9 and A–F. If a character appears outside that range, the address is invalid.”
Now let’s evaluate each option:
Option A: 80:GF:AA:67:13:5D ❌ Contains the letter "G", which does not belong to the hexadecimal system. That makes this address invalid.
Option B: 95:B5:DD:EE:78:8A✅All characters are valid hex (9, 5, B, D, E, 7, 8, A)
Option C: 88:0C:00:99:5F:EF✅All valid characters.
Option D: EA:BA:AA:EE:FF:CB✅Hex only — valid.
Option E: 13:16:86:53:89:43✅Also valid hex — no issue.
So, Option A is the only invalid MAC address.
What is the default protocol/port of (secure) winbox?
UDP/5678
TCP/22
TCP/8291
TCP/8080
Winbox is the graphical configuration utility for MikroTik routers. By default, Winbox connects to RouterOS over TCP port 8291.
A.✘UDP/5678 – Used for Winbox neighbor discovery, not for connecting.
B.✘TCP/22 – SSH service.
C.✔TCP/8291 – Default and official port for Winbox connections.
D.✘TCP/8080 – Often used for HTTP proxy; unrelated to Winbox.
Extract from MTCNA Course Material – RouterOS Access Methods:
“Winbox uses TCP port 8291 to establish connections to RouterOS.”
Extract from René Meneses MTCNA Study Guide – Access Tools:
“Winbox connects via TCP 8291. Neighbor discovery uses UDP 5678.”
Extract from MikroTik Wiki – Winbox Port Info:
“TCP/8291 is the default port for Winbox. Ensure it is not blocked by firewall.”
Is action=masquerade allowed in chain=dstnat?
yes, but only if dst-addr is specified
yes
yes, but it works only for incoming connections
no
The action=masquerade is used exclusively in the srcnat chain. It dynamically hides internal IP addresses behind the router's public IP. It cannot be used in the dstnat chain.
A.✘Incorrect – masquerade is not allowed in dstnat regardless of parameters.
B.✘Incorrect – masquerade is not valid in the dstnat chain.
C.✘Incorrect – masquerade does not operate in dstnat, direction does not change this.
D.✔Correct – masquerade must only be used in chain=srcnat.
Extract from MTCNA Course Material – NAT Concepts:
“Masquerade is a special type of source NAT used only in the srcnat chain. It is invalid in dstnat.”
Extract from René Meneses Study Guide – NAT Actions:
“Use action=masquerade in chain=srcnat. RouterOS will not accept it in dstnat.”
Extract from MikroTik Wiki – NAT Rules:
“action=masquerade is not allowed in dstnat chain and will result in error if applied.”
===========