MTCNA MikroTik Certified Network Associate Exam Free Practice Exam Questions (2025 Updated)
Prepare effectively for your MikroTik MTCNA MikroTik Certified Network Associate Exam certification with our extensive collection of free, high-quality practice questions. Each question is designed to mirror the actual exam format and objectives, complete with comprehensive answers and detailed explanations. Our materials are regularly updated for 2025, ensuring you have the most current resources to build confidence and succeed on your first attempt.
On the advanced menu of the wireless setup there is a parameter called “Area”, it works directly with:
Connect List
Access List
None of these
Security Profile
The Answer Is:
A
Explanation:
The “Area” parameter (wireless interface settings, advanced mode) is a free-text label that identifies where an AP is located. It is a MikroTik proprietary extension: the AP advertises its area value, and a station's Connect List can match on it through the area-prefix property, so a rule such as “connect only to APs whose area starts with office-” can be written without listing AP MAC addresses.
When a Connect List rule includes an area prefix, it matches only APs whose area value begins with that prefix; rules are still evaluated top-down and the first match wins.
Option breakdown:
A. Connect List → Correct. area-prefix is a Connect List matcher that is compared against the AP's Area value.
B. Access List → Incorrect. The Access List filters stations on an AP by MAC address, interface, signal range and time; it has no area matcher, and stations do not advertise an area for it to match.
C. None of these → Incorrect.
D. Security Profile → Incorrect. Security Profiles control authentication/encryption, not area filtering.
Check before the exam: the extracts quoted below name the Access List, which disagrees with the RouterOS wireless documentation and with the properties a Connect List entry accepts on a live router. Verify on the RouterOS version you study rather than memorising either answer.
Extract from Official MTCNA Course Material – Wireless Access List:
"The Area field allows you to group wireless interfaces and filter clients based on Access List rules that include this tag."
Extract from Terry Combs Notes – Wireless Configuration:
“Area is a label that can be referenced in Access List rules to apply rules selectively.”
Extract from MikroTik Wiki – Wireless Access List Section:
"Area is used in Access List to assign rules based on interface groups or locations."
The DoD model (also called the TCP/IP stack) has four layers. Which layer of the DoD model is equivalent to the Network layer of the OSI model?
Application
Host-to-Host
Internet
Network Access
The Answer Is:
C
Explanation:
The TCP/IP or DoD model includes the following layers:
Application
Host-to-Host
Internet
Network Access
The Internet layer in the DoD model is responsible for logical addressing and routing — matching the function of the OSI model's Layer 3 (Network Layer), which handles IP addressing and packet forwarding.
MTCNA Course Material – TCP/IP vs OSI Model:
“The Internet layer of the TCP/IP model maps directly to the OSI’s Network Layer and is responsible for logical addressing and routing.”
René Meneses MTCNA Study Guide – Layer Mapping Table:
“TCP/IP Internet Layer = OSI Network Layer. Handles IP routing, addressing.”
Other mappings:
Application = OSI Layers 5–7
Host-to-Host = OSI Layer 4 (Transport)
Network Access = OSI Layers 1–2
Final Answer: C
QUESTION NO: 114 [RouterOS Introduction – ARP]
Which of the following allows a router to respond to an ARP request that is intended for a remote host?
A. Gateway DP
B. Reverse ARP (RARP)
C. Proxy ARP
D. Inverse ARP (IARP)
Answer: C
Proxy ARP allows a router to answer ARP requests on behalf of another device. It is often used in networks where hosts don't have proper default gateways but still need to communicate with devices in different subnets.
MTCNA Course Material – ARP Types:
“Proxy ARP allows a router to respond to an ARP request for an IP address that is not on the local subnet, effectively acting as a proxy.”
René Meneses MTCNA Guide – ARP Configuration:
“Proxy ARP is useful for bridging two IP networks or for clients that do not have default gateways defined.”
MikroTik Wiki – ARP Modes:
“When Proxy ARP is enabled, the router replies to ARP requests for hosts that are not on the same subnet.”
Other options:
A: Gateway DP is not a standard term or protocol.
B: RARP maps MAC to IP — outdated and not used in this context.
D: Inverse ARP is used in Frame Relay, not Ethernet/IP networks.
Final Answer: C
QUESTION NO: 115 [DHCP]
You want to implement a mechanism that automates the IP configuration, including IP address, subnet mask, default gateway, and DNS information. Which protocol will you use to accomplish this?
A. SMTP
B. SNMP
C. DHCP
D. ARP
Answer: C
DHCP (Dynamic Host Configuration Protocol) is specifically designed to assign IP configuration details automatically to clients on a network, including:
IP address
Subnet mask
Default gateway
DNS servers
MTCNA Course Material – DHCP Server Function:
“DHCP is a service that dynamically assigns IP settings to clients, removing the need for manual configuration.”
René Meneses MTCNA Study Guide – DHCP Operation:
“DHCP provides automatic configuration of network parameters including IP, mask, DNS, and gateway.”
Other options:
A: SMTP is for email
B: SNMP is for monitoring
D: ARP resolves IP-to-MAC addresses
Final Answer: C
QUESTION NO: 116 [DHCP]
Which of the following describe the DHCP Discover message?
It uses FF:FF:FF:FF:FF:FF as a layer 2 broadcast.
It uses UDP as the Transport layer protocol.
It uses TCP as the Transport layer protocol.
It does not use a layer 2 destination address.
A. 1 only
B. 1 and 2
C. 3 and 4
D. 4 only
Answer: B
When a client sends a DHCP Discover message:
It does not yet have an IP address, so it sends a Layer 2 broadcast (FF:FF:FF:FF:FF:FF).
DHCP uses UDP, not TCP.
Specifically, it uses UDP port 67 (server) and 68 (client).
Layer 2 destination is broadcast — it certainly does use a Layer 2 address.
MTCNA Course Material – DHCP Process:
“The client broadcasts a DHCP Discover message to FF:FF:FF:FF:FF:FF using UDP ports 67 and 68.”
René Meneses MTCNA Study Guide – DHCP Message Types:
“DHCP uses UDP. Discovery messages are Layer 2 broadcasts to locate a DHCP server.”
MikroTik Wiki – DHCP Protocol Behavior:
“The Discover message uses UDP and broadcast MAC addressing.”
Statements:
1: True (Layer 2 broadcast)
2: True (Uses UDP)
3: False (TCP not used)
4: False (Layer 2 destination address is broadcast)
Destination NAT (chain dstnat, action dst-nat) can be used to:
Change destination port
Direct users from the Internet to a server within your local network
Change source port
Hide your local network from the Internet
The Answer Is:
A, B
Explanation:
Destination NAT (dst-nat) is used to redirect packets arriving at the router to a different internal destination. It is most commonly used to allow public access to internal services such as web servers or mail servers.
You can:
Change the destination IP address (redirect to an internal host)
Change the destination port (e.g., port 8080 to port 80)
But:
C. Changing the source port is a function of src-nat, not dst-nat →❌
D. Hiding the local network from the Internet is done via masquerade or src-nat →❌
MTCNA Course Manual – NAT Section:
“Use dst-nat to forward traffic to a private host. Port translation can also be applied (e.g., from 81 to 80).”
René Meneses Study Guide – NAT Configuration:
“dst-nat changes the destination IP/port of packets arriving on a specific interface. Common use case: access to LAN services from WAN.”
Terry Combs Notes – NAT Rule Summary:
“dst-nat = port forwarding. src-nat/masquerade = hide internal addresses.”
Answer: A, B
QUESTION NO: 48 [RouterOS Introduction]
Which is the default port of IP-Winbox?
A. UDP 8291
B. TCP 80
C. TCP 8291
D. TCP 8192
Answer: C
Winbox is MikroTik’s GUI-based configuration tool. It connects to RouterOS over TCP port 8291 by default; the port can be changed under /ip service. MAC-based Winbox sessions are a separate path: they use the MAC server (/tool mac-server mac-winbox) over Layer 2 frames rather than an IP/TCP port, so any host on the same broadcast domain can reach them regardless of IP filtering. Because 8291 is a well-known management port, restrict the service to management addresses under /ip service and with an input-chain firewall rule, and limit MAC-Winbox to trusted interfaces.
Evaluation:
A. UDP 8291 →❌Wrong protocol
B. TCP 80 →❌Used for HTTP (WebFig)
C. TCP 8291 →✅Correct default Winbox port
D. TCP 8192 →❌Invalid / non-standard
MTCNA Course Manual – RouterOS Management Tools:
“Winbox uses TCP port 8291 by default. It is possible to change this port in the /ip service settings.”
René Meneses MTCNA Guide – Winbox Access:
“Default access via TCP 8291. Check firewall filters to ensure it’s not blocked.”
Terry Combs Notes – Remote Management:
“Winbox = TCP/8291. WebFig = TCP/80 or 443.”
Answer: C
QUESTION NO: 49 [PPP]
It is possible to create an encrypted PPPoE tunnel in RouterOS:
A. true
B. false
Answer: B
PPPoE (Point-to-Point Protocol over Ethernet) does not include encryption by default. It can authenticate users using PAP or CHAP, but the data payload is transmitted in cleartext unless another secure tunneling protocol (e.g., IPSec) is layered on top.
MikroTik supports encryption in other tunneling protocols, such as:
SSTP (uses SSL)
L2TP with IPSec
OpenVPN (SSL-based)
IPsec itself (for IP layer encryption)
MTCNA Tunneling Chapter – PPP Protocol Features:
“PPPoE offers authentication, compression, but no native encryption. Use IPSec if encryption is needed.”
René Meneses Guide – Tunnel Comparison Table:
“PPPoE is not encrypted. SSTP and L2TP/IPSec are alternatives when encryption is a requirement.”
Terry Combs Notes – PPP Family Summary:
“PPPoE: Authentication = Yes, Encryption = No. Use with caution over untrusted networks.”
Answer: B
QUESTION NO: 50 [Wireless]
Why is it useful to set a Radio Name on the radio interface?
A. To identify a station in a list of connected clients
B. To identify a station in Neighbor discovery
C. To identify a station in the Access List
Answer: A
The Radio Name is a human-readable identifier assigned to a wireless interface. It becomes visible in the Registration Table (i.e., the list of connected clients) on an access point. It helps network administrators distinguish between multiple connected devices.
Evaluation:
A.✅Correct — Radio Name is shown in the Registration Table (list of connected clients)
B.❌Neighbor discovery uses MAC and device identity, not radio name
C.❌Access List uses MAC addresses, not radio name, for matching
MTCNA Wireless Module – Interface Settings:
“Radio Name is shown in the registration table on the AP. It helps in client identification.”
René Meneses Guide – Wireless Monitoring:
“The AP uses the client’s Radio Name to label them in the list of associated stations.”
Terry Combs Notes – Best Practice:
“Set radio-name so you can easily tell which device is which in the registration list.”
Answer: A
If you wish to block user access to MSN messenger, which chain should the firewall rule be placed in?
input
process
forward
output
The Answer Is:
C
Explanation:
In MikroTik’s firewall, the correct chain depends on the traffic direction and whether the traffic is destined for or originating from the router itself.
To block access to MSN (or any other service being accessed by a user from the LAN to the Internet), you must filter transit traffic. This is done in the forward chain.
A. input → Used for traffic destined to the router (e.g., WinBox, SSH).
B.✘process → Invalid option (does not exist in RouterOS).
C.✔forward → Used for user traffic passing through the router (e.g., LAN client to MSN servers on the Internet).
D. output → Used for traffic originating from the router itself (e.g., ping from router to external IP).
Extract from Official MTCNA Course Material – Firewall Chains:
“Use the forward chain to filter traffic passing through the router (LAN to WAN). Blocking access to external services like Facebook or MSN belongs here.”
Extract from René Meneses MTCNA Study Guide – Firewall Chains:
“To block Internet services for users, configure rules in the forward chain. Input is only for traffic targeting the router.”
Extract from MikroTik Wiki – Firewall Overview:
“forward: filters all traffic going through the router. For user access restrictions, place rules here.”
From which of the following locations can you obtain Winbox?
Router’s webpage
Files menu in your router
Via the console cable
mikrotik.com
The Answer Is:
D
Explanation:
Winbox is a small, native Windows utility provided by MikroTik for graphical administration of RouterOS devices. It is typically downloaded from MikroTik's official website.
A. Router’s webpage → Incorrect. While the router’s WebFig interface may allow configuration, it does not offer a Winbox download.
B. Files menu → Incorrect. The Files menu is for storing backups or firmware packages, not distributing Winbox.
C. Console cable → Incorrect. Console access is CLI only; no GUI utilities can be transferred through it.
D. mikrotik.com → Correct. The only official and secure location to download Winbox is the MikroTik website.
Extract from Official MTCNA Course Material – RouterOS Introduction:
“Winbox can be downloaded from the official MikroTik website. It provides a GUI frontend for managing RouterOS.”
Extract from René Meneses MTCNA Study Guide – RouterOS Access Methods:
“You can download Winbox from mikrotik.com under the Software Tools section.”
Extract from Terry Combs MTCNA Notes – Access Methods:
“Winbox is a Windows application that must be downloaded from MikroTik’s website. It is not available directly from the router.”
In which order are the entries in Access List and Connect List processed?
By Signal Strength Range
In sequence order
In a random order
By interface name
The Answer Is:
B
Explanation:
MikroTik processes entries in the Access List and Connect List in the order they are listed — from top to bottom. This is referred to as “sequence order.” The first rule that matches the client’s MAC address and interface conditions will be applied, and no further rules are evaluated after a match.
Incorrect options:
A. Signal strength can be used as a condition, but is not the order of evaluation.
C. Random order is never used in rule-based systems.
D. Interface names are used as match conditions, not ordering criteria.
MTCNA Wireless Module – Access and Connect List Order:
“Rules are checked from the top of the list down. The first matching rule is applied, then processing stops.”
René Meneses Guide – Wireless Security and MAC Filtering:
“Sequence matters. If multiple rules could apply, only the first one is enforced.”
Terry Combs Notes – Wireless Filtering:
“Don’t misplace rules. Connect-list and access-list are evaluated in listed order.”
Answer: B
QUESTION NO: 59 [Queues – QoS]
Simple Queue number 0 defines 2M for upload and download for target IP 10.10.0.33.
Simple Queue number 1 defines 4M for upload and download for the same target IP 10.10.0.33.
Client 10.10.0.33 will be able to obtain:
A. 6M upload/download
B. 0M upload/download
C. 4M upload/download
D. 2M upload/download
Answer: D
In MikroTik RouterOS, when multiple simple queues are configured for the same target (IP address), only the first matching queue in sequence is processed. This means that:
If queue 0 (2M) comes before queue 1 (4M), the 2M limit will be enforced.
The second queue is ignored, even if it provides a higher rate.
MikroTik does not sum the bandwidth of multiple queues. The first applicable queue (based on order) wins.
MTCNA Course Manual – Simple Queues:
“Simple Queues are matched top-down. Only the first matching queue is applied per packet.”
René Meneses MTCNA Guide – QoS Queue Behavior:
“Queue order matters. The first rule that matches is the one used. Lower queues override lower ones if placed first.”
Terry Combs Notes – Queue Troubleshooting:
“If two queues match the same IP, only the first is active. Don’t stack queues unless using a queue tree.”
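The first-match behaviour described above, as an added RouterOS example that is not part of the course material or the quoted notes; the queue names, the /32 target and the comments are assumptions:

```routeros
# Added example: two simple queues for one target; the first in the list wins.
# Queue names and the target address are assumptions for illustration.

/queue simple
add name=q-2m target=10.10.0.33/32 max-limit=2M/2M comment="queue 0, matched first"
add name=q-4m target=10.10.0.33/32 max-limit=4M/4M comment="queue 1, never reached"

# The client gets 2M/2M: q-2m matches first and q-4m never sees the traffic.
/queue simple print

# To apply the 4M queue instead, reorder rather than stacking another queue.
/queue simple move [find name=q-4m] destination=0

# The byte/packet counters show which queue is actually carrying the traffic.
/queue simple print stats
```

When troubleshooting a client that is slower than expected, print stats is the quickest check: a queue with growing counters is the one being applied, whatever the intended order was.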
Answer: D
QUESTION NO: 60 [RouterOS Packages]
Which features are removed when the advanced-tools package is uninstalled?
A. neighbors
B. LCD support
C. ip-scan
D. ping
E. netwatch
F. bandwidth-test
Answer: C, E, F
In RouterOS v6 the advanced-tools package bundles diagnostic and monitoring tools that are not part of the base system package. If this package is removed, the following features are lost:
ip-scan →✅Used for scanning IP ranges to discover hosts
netwatch →✅Monitors host availability and runs scripts on status changes
bandwidth-test →✅Used to measure throughput between MikroTik devices
Incorrect options:
A. neighbors → Part of the main system package (MAC discovery)
B. LCD support → Tied to specific hardware; not affected by advanced-tools
D. ping → Part of the base system package
Package contents differ between RouterOS versions: in RouterOS v7 advanced-tools is folded into the single routeros package and cannot be removed on its own, so confirm with /system package print on the version you actually run before relying on this list.
MTCNA System Tools Section – Package Breakdown:
“The advanced-tools package includes netwatch, bandwidth-test, and ip-scan. These are not part of the base system.”
René Meneses Guide – Package Management:
“Removing advanced-tools disables several diagnostic commands like ip-scan and bandwidth-test.”
Terry Combs Notes – Tools Overview:
“Ping and neighbors are in core OS. Advanced-tools affects monitoring scripts and traffic tools.”
Choose all valid host address ranges for subnet 15.242.55.62/27
15.242.55.33 – 15.242.55.62
15.242.55.32 – 15.242.55.63
15.242.55.31 – 15.242.55.62
15.242.55.33 – 15.242.55.63
The Answer Is:
A
Explanation:
/27 subnet = 255.255.255.224 → block size of 32
To determine the subnet range:
Start by finding the block base: 15.242.55.62 falls in the 15.242.55.32/27 subnet
Range: 15.242.55.32 – 15.242.55.63
Network Address = 15.242.55.32
Broadcast Address = 15.242.55.63
Usable Host Range = 15.242.55.33 to 15.242.55.62
Evaluation:
A. 15.242.55.33 – 15.242.55.62 →✅Valid host range
B. 15.242.55.32 – 15.242.55.63 →❌Includes network and broadcast addresses
C. 15.242.55.31 – 15.242.55.62 →❌15.242.55.31 is outside this subnet
D. 15.242.55.33 – 15.242.55.63 →❌Includes broadcast address
MTCNA Course Slides – Subnetting:
“In a /27 subnet (block size 32), the first address is the network, last is broadcast. Only the IPs in between are valid host addresses.”
René Meneses Guide – Subnetting Examples:
“A /27 includes 32 addresses. For subnet 192.168.1.32/27, usable IPs are 192.168.1.33–62.”
Terry Combs Notes – Addressing Exercises:
“Subtract 2 from total IPs in subnet for host count. Don't use .0 (network) or .255 (broadcast) equivalents.”
Answer: A
Which type of encryption could be used to establish a connection with a simple passkey without using a 802.1X authentication server?
WPA PSK/WPA2 PSK
WPA EAP/WPA2 EAP
The Answer Is:
A
Explanation:
Wireless encryption modes differ in how they authenticate clients:
WPA/WPA2 PSK (Pre-Shared Key): Uses a passphrase shared by all clients. No external authentication server (like RADIUS or 802.1X) is required. Simple and suitable for home or small networks.
WPA/WPA2 EAP: Uses 802.1X (Enterprise mode) and requires a centralized authentication server.
Option analysis:
A.✔Correct – Pre-Shared Key does not require 802.1X server
B.✘Incorrect – Requires EAP-based authentication with 802.1X infrastructure
Extract from Official MTCNA Course Material – Wireless Security:
“WPA PSK/WPA2 PSK uses a pre-shared password. WPA/WPA2 EAP requires 802.1X authentication with a RADIUS server.”
Extract from René Meneses MTCNA Study Guide – Wireless Encryption:
“To use a simple password for connecting wireless clients, select WPA2-PSK. It does not require server-based authentication.”
Extract from Terry Combs Notes – Wireless Security Profiles:
“WPA2 PSK = password-based; WPA2 EAP = 802.1X based. Use PSK for fast, simple authentication.”
What is the main reason the OSI model was created?
To create a layered model larger than the DoD model.
So application developers can change only one layer's protocols at a time.
So different networks could communicate.
So Cisco could use the model.
The Answer Is:
C
Explanation:
The OSI (Open Systems Interconnection) model was developed by ISO (the International Organization for Standardization) to provide a universal standard for network communications. Its primary goal is to enable interoperability between different systems and vendors by establishing a common networking framework.
MTCNA Course Material – OSI Model Purpose:
“The OSI model helps standardize networking so that different systems and networks can communicate.”
René Meneses MTCNA Study Guide – OSI Principles:
“The model was designed to guide product developers and facilitate communication between heterogeneous network systems.”
Other options:
A: The OSI was not intended to be “larger” than DoD model
B: Helpful benefit, but not the main reason for creation
D: Incorrect and vendor-specific (not factual)
Final Answer: C
QUESTION NO: 126 [Networking Fundamentals – VLAN Concepts]
What does a VLAN do?
A. Acts as the fastest port to all servers.
B. Provides multiple collision domains on one switch port.
C. Breaks up broadcast domains in a layer 2 switch internetwork.
D. Provides multiple broadcast domains within a single collision domain.
Answer: C
VLANs (Virtual Local Area Networks) segment a Layer 2 switch network into separate broadcast domains. Without VLANs, all devices on a switch share a single broadcast domain. VLANs allow traffic isolation by logically grouping ports, improving security and performance.
MTCNA Course Material – VLAN Fundamentals:
“VLANs allow you to logically segment a switch network. Each VLAN creates a separate broadcast domain.”
René Meneses MTCNA Study Guide – VLAN Behavior:
“Switches normally operate in a single broadcast domain. VLANs break this up without requiring physical segmentation.”
Breakdown:
A: Not related to VLAN function
B: Switch ports are already separate collision domains
D: Reverse of what VLANs actually do
Final Answer: C
QUESTION NO: 127 [VLAN Management – VTP and Cisco Switching]
Which one of the following is true regarding VLANs?
A. Two VLANs are configured by default on all Cisco switches.
B. VLANs only work if you have a complete Cisco switched internetwork. No off-brand switches are allowed.
C. You should not have more than 10 switches in the same VTP domain.
D. VTP is used to send VLAN information to switches in a configured VTP domain.
Answer: D
VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used to manage and propagate VLAN information throughout a switch fabric. It helps maintain consistency across switches by distributing VLAN configurations from a VTP server to client switches in the same domain.
Cisco Switching Guide – VTP Concepts:
“VTP advertises VLAN definitions on a LAN to ensure consistency. It reduces misconfigurations by centralizing VLAN management.”
René Meneses MTCNA Study Guide – VLAN and VTP Notes:
“VTP sends VLAN updates across switches in the same VTP domain. Switches must be compatible and share the domain name.”
Breakdown:
A: VLAN 1 is the only default user VLAN (VLANs 1002–1005 also exist by default but are reserved for FDDI/Token Ring), so “two VLANs” is wrong
B: VLANs are not Cisco-exclusive
C: There is no limit of 10 switches in a VTP domain
D:✔Correct
Final Answer: D
QUESTION NO: 128 [RouterOS]
If your router is facilitating a CSU/DSU, which of the following commands do you need to use to provide the router with a 64000bps serial link?
A. RouterA(config)#bandwidth 64
B. RouterA(config-if)#bandwidth 64000
C. RouterA(config-if)#clock rate 64
D. RouterA(config-if)#clock rate 64000
Answer: D
In Cisco IOS, the clock rate command is used on the DCE (Data Communications Equipment) end of a serial link to provide timing to the connected DTE (Data Terminal Equipment) device. To configure a 64 kbps link, the correct syntax is:
RouterA(config-if)#clock rate 64000
Cisco IOS Configuration Guide – Serial Interfaces:
“When the router acts as DCE, use the command clock rate [bps] under the serial interface to set the speed. For 64kbps, use 64000.”
René Meneses MTCNA Guide – WAN Configuration (Cisco Compatibility):
“Use clock rate 64000 for CSU/DSU simulation. Bandwidth command is for routing metrics only.”
Option analysis:
A: bandwidth 64 → Sets routing metric, not actual interface speed
B: bandwidth 64000 → Same; metric only
C: clock rate 64 → Incorrect value
D:✔Correct and syntactically valid
Final Answer: D
If you need to make sure that one computer in your Hot-Spot network can access the Internet without Hot-Spot authentication, which menu allows you to do this?
Users
IP bindings
Walled-garden
Walled-garden IP
The Answer Is:
B
Explanation:
In a MikroTik Hotspot environment, you can bypass authentication for specific users using the IP Bindings feature. This feature lets you mark a host as bypassed (authorized without login), blocked, or regular.
A. Users → Incorrect. This contains login credentials for regular authenticated users.
B. IP bindings → Correct. This allows specific devices (by IP or MAC) to bypass login requirements.
C. Walled-garden → Incorrect. This allows unauthenticated access to specific domains or URLs, not devices.
D. Walled-garden IP → Incorrect. Similar to option C, it controls destination IP access, not client exemption.
Extract from Official MTCNA Course Material – Hotspot:
“To allow a specific host to bypass authentication, use IP Bindings with the ‘bypassed’ type.”
Extract from René Meneses MTCNA Study Guide – Hotspot Section:
“The IP Bindings tab in the Hotspot menu is used to set specific IPs or MACs as bypassed. This exempts them from login.”
Extract from Terry Combs MTCNA Notes – Hotspot Bypass:
“Use IP Bindings for fixed clients (e.g., printers or servers) that should not be challenged by the Hotspot portal.”
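The difference between exempting a client and exempting a destination, shown as an added RouterOS configuration example that is not part of the course material; the hotspot server name hs-lan, the printer's MAC and IP address, and the domain are assumptions:

```routeros
# Added example: bypass one host from the Hotspot login versus opening a
# destination for everybody. Server name, MAC/IP addresses and the domain
# are assumptions for illustration.

/ip hotspot ip-binding
# bypassed: this client is never shown the login page. Bind both MAC and
# address so another device cannot claim the exemption by taking the IP.
add server=hs-lan mac-address=AA:BB:CC:DD:EE:01 address=192.168.10.50 \
    type=bypassed comment="office printer, no portal"
# blocked: the opposite; the host cannot use the hotspot at all.
add server=hs-lan mac-address=AA:BB:CC:DD:EE:02 type=blocked \
    comment="device that must not reach the network"

/ip hotspot walled-garden
# walled-garden exempts a DESTINATION for all unauthenticated clients
# (e.g. a payment or terms page); it does not exempt any particular client.
add server=hs-lan dst-host=*.example.com action=allow \
    comment="reachable before login"

# Verify: the printer appears in the host list flagged as bypassed.
/ip hotspot host print
```

A bypassed entry keyed on MAC alone is weak because MAC addresses are trivially spoofed; pairing it with a fixed address, and ideally a DHCP static lease for that MAC, narrows the window for another device to borrow the exemption.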
What is marked by connection-state=established matcher?
Packet belongs to an existing connection, for example a reply packet or a packet which belongs to already replied connection
Packet is related to, but not part of an existing connection
Packet does not correspond to any known connection
Packet begins a new TCP connection
The Answer Is:
A
Explanation:
The connection-state=established matcher in MikroTik’s firewall refers to packets that are part of an already active connection. These packets are neither new nor related — they are directly associated with a known connection that has been previously accepted or initiated.
MikroTik uses Connection Tracking (enabled by default) to determine the state of each packet:
new: Packet begins a new connection (e.g., TCP SYN)
established: Packet belongs to a previously established connection (reply or subsequent packets)
related: Packet is not part of the connection, but is related (e.g., FTP data channel)
invalid: Packet that does not match any known or valid connection
Therefore:
A.✅Correct. “Established” means part of an ongoing, known connection.
B.❌This describes “related”
C.❌This describes “invalid”
D.❌This describes “new”
MTCNA Course Manual – Firewall and Connection Tracking:
“Established – Packet that belongs to an existing connection. This includes replies and ongoing streams.”
René Meneses Study Guide – Firewall Fundamentals:
“Use connection-state=established to allow traffic that is part of previously accepted sessions.”
Terry Combs Notes – Connection States:
“Established = trusted, ongoing session. Essential for return traffic.”
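A minimal filter set that puts the connection-state rules from this question and the chain choice from the earlier MSN question together, as an added RouterOS example (not from the course material or the quoted notes). The interface lists WAN and LAN, the management subnet 192.168.88.0/24 and the blocked-services address list are assumptions, and the address placed in that list is a documentation placeholder, not a real service range:

```routeros
# Added example: which chain a rule belongs in, and why the connection-state
# accept rules come first. Interface lists "WAN"/"LAN", the management
# subnet 192.168.88.0/24 and the address list "blocked-services" are
# assumptions for illustration.

/ip firewall address-list
# Destinations to block for users (MSN or any other service). The range
# below is a documentation placeholder, not a real MSN address.
add list=blocked-services address=198.51.100.0/24 comment="placeholder range"

/ip firewall filter
# --- input chain: traffic TO the router itself (Winbox, SSH, DNS, ...) ---
add chain=input connection-state=established,related action=accept \
    comment="replies for sessions the router opened or already accepted"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN src-address=192.168.88.0/24 \
    protocol=tcp dst-port=8291,22 action=accept comment="Winbox/SSH from mgmt LAN only"
add chain=input protocol=icmp action=accept
add chain=input action=drop comment="everything else aimed at the router"

# --- forward chain: traffic THROUGH the router (LAN client <-> Internet) ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Blocking a service for users belongs here, not in input or output.
add chain=forward in-interface-list=LAN dst-address-list=blocked-services \
    action=drop comment="block MSN (or any listed service) for LAN users"
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept
add chain=forward action=drop comment="no unsolicited inbound to the LAN"

# --- output chain: traffic the router originates; usually left open ---

/ip service
# Service-level ACL in addition to the firewall: two independent layers.
set winbox address=192.168.88.0/24
set telnet disabled=yes
set api disabled=yes
# MAC-Winbox bypasses IP filtering entirely; confine it to trusted ports.
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Order matters: the state rules must sit above the drops. Confirm with:
/ip firewall filter print
```

The established,related accept at the top of each chain is what makes the later drops safe: reply packets for connections the router already allowed are accepted by state, so only the first packet of each new connection is ever evaluated against the service-specific rules. Dropping invalid before anything else also discards packets that connection tracking cannot attribute to any known session.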
Answer: A
QUESTION NO: 32 [PPP]
PPP Secrets are used for:
A. PPPoE clients
B. L2TP clients
C. IPSec clients
D. PPP clients
E. PPTP clients
F. Router users
Answer: A, B, D, E
PPP Secrets is a user authentication mechanism used in MikroTik RouterOS for various PPP-based services. These include:
PPP (Point-to-Point Protocol)
PPPoE (PPP over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
Each client authenticates with a username/password combination defined under PPP → Secrets. PPP Secrets is not used for:
IPSec clients →❌They use peer configurations and policies
Router users (Winbox/WebFig) →❌Use system → users, not PPP secrets
MTCNA PPP Chapter – Secrets Authentication:
“PPP Secrets are used for all PPP services: PPP, PPPoE, L2TP, and PPTP. It defines usernames, passwords, profiles, and IP bindings.”
René Meneses Guide – Tunnels and PPP:
“Any PPP-based tunnel uses PPP secrets for login validation. This includes local dial-in and remote VPN tunnels.”
Terry Combs Notes – PPP Authentication Table:
“PPP Secrets = for PPP, PPPoE, PPTP, and L2TP. Not for IPSec or Winbox.”
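One added RouterOS example of why the service field on a secret matters, not taken from the course material; the secret name, password, pool and profile are assumptions:

```routeros
# Added example: PPP secrets are shared by every PPP service on the router,
# so each secret should be limited to the service it is meant for. Names,
# password, pool and profile are assumptions for illustration.

/ip pool add name=pppoe-pool ranges=10.20.0.2-10.20.0.254
/ppp profile add name=pppoe-customers local-address=10.20.0.1 \
    remote-address=pppoe-pool only-one=yes

/ppp secret
# Weak: service=any (the default) lets the same credentials also open an
# L2TP or PPTP session if those servers are enabled, even though the
# account was issued for PPPoE only.
add name=cust-0001 password=change-me-Iw9k profile=pppoe-customers service=any
# Corrected: the secret is valid for PPPoE and nothing else.
set [find name=cust-0001] service=pppoe

# Not PPP secrets, despite the similar look:
#   /ip ipsec identity   (IKE peers and their PSKs/certificates)
#   /user                (Winbox, WebFig and SSH logins to the router)

# Live sessions, with the service each one authenticated against:
/ppp active print
```

Restricting service per secret, and only-one=yes in the profile, limits what a leaked PPPoE credential can be reused for: it cannot be turned into a remote VPN login on a router that also runs an L2TP or PPTP server.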
Answer: A, B, D, E
QUESTION NO: 33 [Licensing]
How long is level 1 (free) license valid?
A. 1 month
B. 24 hours
C. 1 year
D. Infinite time
Answer: D
Level 1 license in MikroTik RouterOS is the free demo license type for x86 installations. It is requested through a mikrotik.com account, has very limited functionality, and is valid for an unlimited duration.
Features available in level 1:
Basic configuration
One active user session
Suited to lab/testing on x86 (CHR uses its own free tier, which is likewise time-unlimited but capped at 1 Mbit/s per interface)
Incorrect options:
A. 1 month →❌Not time-based
B. 24 hours →❌No expiration limit
C. 1 year →❌Invalid
D.✅Correct → Valid forever, but feature-limited
MTCNA Course Material – Licensing Section:
“Level 1 license is free and does not expire. It provides minimal feature access.”
René Meneses Study Guide – License Levels:
“Level 1 is permanent but restrictive. Great for evaluation or learning.”
Terry Combs Notes – RouterOS Licensing Table:
“Level 1 license = lifetime access to basic RouterOS functionality.”
Answer: D
QUESTION NO: 34 [NAT]
What is the correct action for a NAT rule on a router that should intercept SMTP traffic and send it over to a specified mail server?
A. tarpit
B. dst-nat
C. passthrough
D. redirect
Answer: B
To forward traffic from one destination to another (such as from the public IP to an internal mail server), the dst-nat action is used in MikroTik NAT rules.
dst-nat: Modifies the destination IP address and/or port of the packet. Used to forward traffic to an internal resource.
tarpit: Captures and holds TCP connections (used for spam traps or slowing down bots) →❌
passthrough: Used in mangle rules; allows the packet to be evaluated by the next rule →❌
redirect: Redirects traffic to the router itself (e.g., proxy or DNS services) →❌
So, for external SMTP traffic (e.g., TCP port 25), we use a dst-nat rule that forwards the traffic to the internal mail server.
MTCNA NAT Section – Destination NAT:
“To forward SMTP traffic from a public address to a private server, use dst-nat with appropriate port and IP.”
René Meneses Guide – Practical NAT Examples:
“Use dst-nat for port forwarding. Redirect is for internal services like DNS or web proxy.”
Terry Combs Notes – NAT Action Summary:
“dst-nat = most common for external-to-internal mapping (e.g., mail servers, web servers).”
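The SMTP forward from this question and the port translation from the earlier Destination NAT question, as an added RouterOS example that is not part of the course material; the public address 203.0.113.10, the internal hosts and the WAN interface list are assumptions:

```routeros
# Added example: dst-nat for inbound services, src-nat/masquerade for
# outbound. Assumed (illustration only): public IP 203.0.113.10 on an
# interface in the "WAN" interface list, LAN 192.168.88.0/24.

/ip firewall nat
# Intercept SMTP arriving on the public address and hand it to the internal
# mail server. Matching on dst-address and in-interface-list keeps the rule
# from rewriting LAN-originated traffic that happens to use port 25.
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.10 \
    protocol=tcp dst-port=25 action=dst-nat \
    to-addresses=192.168.88.25 to-ports=25 comment="SMTP -> internal mail server"

# Port translation: outside clients use 8080, the web server listens on 80.
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.10 \
    protocol=tcp dst-port=8080 action=dst-nat \
    to-addresses=192.168.88.80 to-ports=80 comment="8080 -> web:80"

# dst-nat does not hide the LAN. Outbound hosts are hidden by src-nat;
# masquerade is the form used when the public address may change.
add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="hide LAN behind the WAN address"

# A forwarded port is still subject to the filter table: the forward chain
# has to accept the dst-natted connection, above any catch-all drop.
/ip firewall filter
add chain=forward connection-nat-state=dstnat in-interface-list=WAN \
    action=accept comment="allow port-forwarded connections"

/ip firewall nat print
```

The connection-nat-state=dstnat matcher is the cleanest way to admit exactly the traffic the NAT rules redirect, instead of repeating each port in the filter table; if a forwarded service stops working after a firewall change, check that this accept still sits above the forward chain's final drop.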
There are two wireless cards (wlan1 and wlan2) which are bridged together. On wlan1 card there is a setting "Forwarding=no". Choose the correct answer(s):
Stations on wlan2 will be able to communicate with stations on wlan2
Stations on wlan2 will be able to communicate with stations on wlan1
Stations on wlan1 will be able to communicate with stations on wlan1
To prevent communication between wlan1 and wlan2 one cannot use Bridge Filters
Stations on wlan1 will be able to communicate with stations on wlan2
The Answer Is:
A, B, E
Explanation:
The wireless forwarding setting (default-forwarding on the interface, or forwarding in an Access List entry) controls only station-to-station traffic within that one interface: the AP will not relay a frame from one wlan1 station to another wlan1 station. Frames leaving wlan1 for the bridge are not affected, so anything on wlan2, on Ethernet ports in the same bridge, or beyond the router is still reachable. This means:
Stations on wlan1 cannot talk to each other
Stations on wlan1 can still talk to stations on wlan2 through the bridge, and vice versa
Stations on wlan2 can talk to each other normally (forwarding was not changed on wlan2)
Evaluation:
A. ✅ Correct – forwarding=no on wlan1 does not affect wlan2
B. ✅ Correct – wlan2 → wlan1 traffic is bridged, not forwarded by the wlan1 radio
C. ❌ Incorrect – this is exactly what forwarding=no on wlan1 blocks
D. ❌ Incorrect – Bridge Filters are the usual way to stop wlan1 ↔ wlan2 traffic (drop rules in the bridge forward chain, or a bridge horizon on both ports); the statement that they cannot be used is false
E. ✅ Correct – wlan1 → wlan2 traffic is bridged
MTCNA Wireless Module – Wireless Forwarding Behavior:
“Forwarding=no disables client-to-client communication on the interface and across bridges.”
René Meneses Study Guide – Wireless Access Config:
“Use forwarding=no to isolate clients on the same AP. Affects bridging too.”
Terry Combs Notes – Wireless Isolation:
“Setting forwarding=no isolates all clients on that wireless card.”
Answer: A, B, E
QUESTION NO: 81 [Wireless]
Consider a wireless access point with mode=ap-bridge. What is the maximum number of concurrent clients that can connect to it?
A. 2007
B. 2012
C. 2048
D. 1024
Answer: A
IEEE 802.11 assigns each associated station an Association ID (AID) in the range 1–2007, so no access point, whatever the vendor, can hold more than 2007 associations on one interface. RouterOS exposes exactly this limit: max-station-count on a wireless interface accepts 1..2007 and defaults to 2007 (WDS links count toward it as well). Practical limits are far lower and depend on hardware, airtime and traffic; lowering max-station-count is also a cheap way to keep a single AP from being overloaded.
Let’s review:
A. ✅ 2007 → Correct, the 802.11 AID limit and the maximum of the RouterOS max-station-count parameter
B. 2012 → ❌ Incorrect
C. 2048 → ❌ A power of two, not the actual limit; the extracts quoted below give this figure, but it does not match the RouterOS parameter range
D. 1024 → ❌ Lower than the actual maximum
MTCNA Wireless Module – AP Behavior:
“In ap-bridge mode, the maximum theoretical client limit is 2048. Actual stable operation may be lower.”
René Meneses Guide – Wireless Scaling:
“2048 is the upper limit for client associations on a MikroTik AP in bridge mode.”
Terry Combs Notes – Client Capacity:
“2048 clients = maximum. Performance may degrade before that in high-traffic environments.”
To block communications between wireless clients connected to the same access point interface, you should set:
'default-forwarding=no'
'max-station-count=1'
'default-authentication=no'
'default-authentication=no' and 'default-forwarding=no'
The Answer Is:
A
Explanation:
The setting default-forwarding=no prevents wireless clients from communicating with each other over the same access point interface. This enables client isolation — each device can only reach the gateway (router), not other wireless clients.
A.✔Correct – This enables client isolation by blocking inter-client communication.
B.✘Incorrect – This limits how many clients can connect, not their ability to talk to each other.
C.✘Incorrect – Prevents new clients from associating, unrelated to inter-client traffic.
D.✘Incorrect – Only default-forwarding affects client-to-client visibility.
Extract from MTCNA Course Material – Wireless Security and Isolation:
“default-forwarding=no prevents wireless clients from communicating with each other on the same AP interface.”
Extract from René Meneses Study Guide – Wireless Interface Settings:
“To isolate wireless clients, use default-forwarding=no. This ensures clients can’t ping or access one another.”
Extract from MikroTik Wiki – Wireless Interface Options:
“default-forwarding=no stops traffic between clients. Only traffic to the AP is allowed.”
What is the default TTL (time to live) on a router that an IP packet can experience before it will be discarded?
60
30
1
64
The Answer Is:
D
Explanation:
TTL (Time to Live) is a field in the IP header that limits the number of hops a packet can travel. Each router that processes the packet decrements the TTL by 1. When TTL reaches 0, the packet is dropped.
Default TTL values vary by operating system, but in RouterOS and many Linux-based systems, the default TTL is 64.
A. 60 → Incorrect, used in some systems but not the MikroTik default
B. 30 → Incorrect
C. 1 → Incorrect; would allow only one hop
D. 64 →✔Correct
Extract from Official MTCNA Course Material – TTL Field Explanation:
"The default TTL in RouterOS and most Unix-like systems is 64. Each router decrements this by 1 until the packet is discarded."
Extract from René Meneses Study Guide – IP Protocol Details:
“TTL is initialized to 64 by default in MikroTik RouterOS.”
Extract from MikroTik Wiki – IP Protocol Section:
"RouterOS sets default TTL of 64 unless manually configured otherwise."
===========
What is the minimal possible wireless configuration to create an Access Point?
radio name
scan-list
frequency
band
ssid
DFS mode
WDS
The Answer Is:
C, D, E, H
Explanation:
To configure a MikroTik wireless interface as a basic access point (AP), the minimum required parameters are:
Mode → Must be set to ap-bridge or bridge
SSID → Defines the wireless network name to broadcast
Band → Determines which frequency ranges are used (e.g., 2.4GHz b/g/n or 5GHz a/n/ac)
Frequency → Specifies the actual channel used for broadcasting
Options reviewed:
A. radio name →✘Optional. A cosmetic label used to identify the radio in Winbox.
B. scan-list →✘Optional. Used to define which frequencies the interface should scan.
C.✔Required
D.✔Required
E.✔Required
F. DFS mode →✘Optional and auto-configured based on regulatory domain.
G. WDS →✘Only needed for bridging or extending networks.
Extract from Official MTCNA Course Material – Wireless Configuration:
“The minimal settings to enable an Access Point include: mode, SSID, band, and frequency. Without these, the interface won’t broadcast.”
Extract from René Meneses Study Guide – Wireless Basics:
“To turn on an AP: Set the mode to ap-bridge, define SSID, band, and frequency. Other settings are optional or advanced.”
Extract from Terry Combs Notes – Wireless Setup:
“Essential: mode, frequency, SSID, band. Others like WDS and DFS are situational.”
===========
RouterOS log messages are stored on disk by default
True
False
The Answer Is:
B
Explanation:
By default, RouterOS logs are stored in RAM and are lost upon reboot. They are visible using the /log print command or in the Winbox log window. To store logs persistently (on disk or in a file), you must manually configure a logging action that writes to a file or to a remote syslog server.
A.✘True – Incorrect. Logs are not stored persistently unless explicitly configured.
B.✔False – Correct. Logs are stored in memory (RAM) by default.
Extract from Official MTCNA Course Material – Logging System:
“By default, log entries are stored in memory. They are not saved after reboot unless file logging is configured.”
Extract from René Meneses MTCNA Study Guide – Log Settings:
“Logging to disk is optional and must be configured manually. Default action is to keep logs in RAM.”
Extract from MikroTik Wiki – System Logging:
“RouterOS keeps logs in memory. Use log actions to save logs to disk or send to remote syslog.”
===========
The correct order for PPPoE discovery stage is:
Initialization, Session confirmation, Request and Offer
Initialization, Offer, Request and Session confirmation
Request, Initialization, Session confirmation and Offer
Request, Offer, Initialization and Session confirmation
The Answer Is:
B
Explanation:
PPPoE (Point-to-Point Protocol over Ethernet) uses a discovery stage before establishing the actual PPP session. The correct sequence is:
Initialization → Client sends a PADI (PPPoE Active Discovery Initiation)
Offer → Server responds with PADO (PPPoE Active Discovery Offer)
Request → Client sends PADR (PPPoE Active Discovery Request)
Session Confirmation → Server sends PADS (PPPoE Active Discovery Session-confirmation)
A.✘Wrong sequence
B.✔Correct – Matches the technical flow: PADI → PADO → PADR → PADS
C.✘Incorrect order
D.✘Incorrect order
Extract from MTCNA Course Material – PPPoE Process:
“The PPPoE discovery stage includes PADI, PADO, PADR, and PADS messages. This translates to Initialization, Offer, Request, Session confirmation.”
Extract from MikroTik Wiki – PPPoE Protocol:
“The discovery stage is used to establish a PPPoE session and includes four steps: PADI, PADO, PADR, and PADS.”
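The four-message discovery exchange described above, modelled as an added example (not part of the original study material or of RouterOS): a tiny PPPoE client and access concentrator that build and parse real RFC 2516 discovery payloads (PADI, PADO, PADR, PADS) in order. The AC name, service name, Host-Uniq value and the session-id counter are constructed sample values.

```python
import struct

# RFC 2516 discovery payloads travel in EtherType 0x8863 frames; the data
# stage that follows uses 0x8864 and the session id assigned in PADS.
ETHERTYPE_DISCOVERY = 0x8863
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
VER_TYPE = 0x11                     # version 1, type 1 packed into one byte
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103

CODE_NAMES = {PADI: "Initialization", PADO: "Offer",
              PADR: "Request", PADS: "Session confirmation"}


def build_pppoe(code, session_id, tags):
    """Encode a discovery payload: 6-byte header followed by TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def parse_pppoe(data):
    """Decode a discovery payload into (code, session_id, {tag: value})."""
    ver_type, code, session_id, length = struct.unpack("!BBHH", data[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    body, tags, off = data[6:6 + length], [], 0
    while off + 4 <= len(body):
        tag, tlen = struct.unpack("!HH", body[off:off + 4])
        tags.append((tag, body[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return code, session_id, dict(tags)


class AccessConcentrator:
    """Server side of discovery (the role the PPPoE server on the router plays)."""

    def __init__(self, ac_name=b"example-ac"):      # constructed AC name
        self.ac_name = ac_name
        self.next_session = 1                       # nonzero 16-bit ids, constructed counter

    def handle(self, frame):
        code, _, tags = parse_pppoe(frame)
        # Service-Name and Host-Uniq are echoed so the client can match replies
        echo = [(TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b"")),
                (TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ])]
        if code == PADI:                            # Initialization -> Offer
            return build_pppoe(PADO, 0, [(TAG_AC_NAME, self.ac_name)] + echo)
        if code == PADR:                            # Request -> Session confirmation
            sid, self.next_session = self.next_session, self.next_session + 1
            return build_pppoe(PADS, sid, echo)
        raise ValueError(f"unexpected discovery code {code:#04x}")


def discovery_exchange(ac=None, service=b"", host_uniq=b"\x00\x2a"):
    """Run the client side against an AccessConcentrator and return the
    step names in the order they occurred plus the confirmed session id."""
    ac = ac or AccessConcentrator()
    steps = []

    # 1. Initialization: client broadcasts PADI (session id 0)
    padi = build_pppoe(PADI, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    steps.append(CODE_NAMES[PADI])

    # 2. Offer: AC answers with PADO naming itself
    code, _, tags = parse_pppoe(ac.handle(padi))
    if code != PADO or tags[TAG_HOST_UNIQ] != host_uniq:
        raise ValueError("offer does not match our PADI")
    steps.append(CODE_NAMES[code])
    ac_name = tags[TAG_AC_NAME]

    # 3. Request: client picks that AC and sends PADR (still session id 0)
    padr = build_pppoe(PADR, 0, [(TAG_SERVICE_NAME, tags[TAG_SERVICE_NAME]),
                                 (TAG_HOST_UNIQ, host_uniq)])
    steps.append(CODE_NAMES[PADR])

    # 4. Session confirmation: PADS carries the assigned nonzero session id
    code, session_id, _ = parse_pppoe(ac.handle(padr))
    if code != PADS or session_id == 0:
        raise ValueError("no session confirmed")
    steps.append(CODE_NAMES[code])
    return {"steps": steps, "session_id": session_id, "ac_name": ac_name}


if __name__ == "__main__":
    print(discovery_exchange())
```

Reusing one AccessConcentrator across two calls shows why the Host-Uniq tag matters: the client only accepts an offer that echoes its own value, and each confirmed session gets a distinct id.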
===========
Is it possible to limit how many clients are able to connect to an access point?
No it's not possible at all
Yes, but only with access-lists
Yes
The Answer Is:
C
Explanation:
Yes, MikroTik RouterOS allows administrators to limit the maximum number of clients that can connect to a wireless access point. This can be done through the wireless interface settings using the max-station-count parameter.
The max-station-count option defines the maximum number of client devices (stations) that may be connected simultaneously. You are not restricted to access-lists; this setting works globally per interface.
A.❌Incorrect. It is definitely possible.
B.❌Limiting via access-list is one method (e.g., per MAC), but the more general and scalable method is via max-station-count.
C.✅Correct. MikroTik provides both general limits and fine control (like access-lists or registration-table rules).
MTCNA Official Wireless Module – Access Point Configuration:
“Set the maximum number of stations using max-station-count. This is a hardware-level control on the interface.”
René Meneses Study Guide – Wireless Configuration:
“Limiting clients can be done through access-lists or via interface properties such as max-station-count.”
Terry Combs Notes – Wireless Station Limits:
“Use max-station-count under wireless settings. This applies a hard limit on how many clients can connect.”
Answer: C
QUESTION NO: 29 [QoS – Simple Queues]
The highest queue priority is:
A. 1
B. 256
C. 16
D. 8
Answer: A
MikroTik RouterOS supports prioritizing traffic in queues using a numerical priority system. The queue priority values range from 1 to 8, where:
1 = Highest priority (most preferred)
8 = Lowest priority (least preferred)
This means that traffic marked with priority 1 is processed before traffic with lower priorities. Priorities are used within simple queues, queue trees, and in some packet marking strategies.
Evaluation:
A. 1 →✅Correct. This is the highest priority.
B. 256 →❌Invalid priority value in MikroTik queues.
C. 16 →❌Priority range is only 1 to 8.
D. 8 →❌Lowest priority.
MTCNA Course Slides – QoS and Queuing:
“Queue priority values range from 1 to 8. Lower values indicate higher priority.”
René Meneses Study Guide – Traffic Management Section:
“MikroTik queues use priority values from 1 (highest) to 8 (lowest).”
Terry Combs Notes – QoS and Prioritization:
“Set queue priority to 1 for critical traffic like VoIP or routing protocols.”
Answer: A
QUESTION NO: 30 [QoS – Simple Queues]
How many different priorities can be selected for queues in MikroTik RouterOS?
A. 16
B. 1
C. 8
D. 0
Answer: C
MikroTik RouterOS allows you to assign one of 8 different priority levels to each queue. These range from 1 (highest) to 8 (lowest). This allows for traffic shaping and prioritization in simple queues and queue trees.
These priority levels are used when multiple queues are competing for bandwidth or processing time. They influence which traffic gets handled first when congestion occurs.
A. 16 →❌Invalid. Only 8 supported.
B. 1 →❌Incorrect. That would mean a single priority level; MikroTik supports eight.
C. 8 →✅Correct. There are 8 valid priority values.
D. 0 →❌Priority 0 is not valid in MikroTik queues.
MTCNA Course Manual – Queues and Priorities:
“MikroTik queues support 8 priority levels (1–8). These affect which traffic is processed first.”
René Meneses Study Guide – QoS Mechanics:
“You can select between 8 priorities. These are configured per queue to define traffic importance.”
Terry Combs Notes – Simple Queues:
“Only 8 priority values exist. They follow a numerical scale from 1 to 8, not 0 or beyond.”
You want to transfer existing '/ip firewall filter' configuration from one router to a new system.
Choose the best possible way to do this:
Export only '/ip firewall filter'
Create backup only of '/ip firewall filter' rules
Create backup, edit backup file and restore on target router
Export global configuration and remove everything apart from '/ip firewall filter'
The Answer Is:
A
Explanation:
The best way to transfer only the firewall filter rules is to use the export command for just that section:
Command:
/ip firewall filter export
This produces a readable script containing only the firewall filter rules. This method is safer than editing binary backups and more efficient than exporting the global configuration and deleting unrelated parts.
Evaluation:
A.✅Correct – clean and script-based approach
B.❌You cannot selectively back up just firewall rules using the backup function (it’s system-wide)
C.❌Editing a backup file is not recommended and often not possible (it’s binary)
D.❌Too cumbersome and error-prone
MTCNA Course Manual – Configuration Transfer:
“Use export to get script output of specific sections. Backups are for full system restore.”
René Meneses Guide – Migrating Configurations:
“Export is recommended for transferring specific configurations like firewall rules.”
Terry Combs Notes – Export vs Backup:
“Backups = full system. Use export for clean, readable configuration transfer.”
Answer: A
QUESTION NO: 79 [DHCP]
How many DHCP servers can be configured per interface on RouterOS?
A. Five
B. One
C. Two
D. Unlimited
Answer: B
RouterOS allows only one DHCP server instance per interface. If you attempt to assign more than one DHCP server to the same interface, RouterOS will throw an error.
If you need to serve multiple subnets or ranges, this must be done on different interfaces or by configuring DHCP relay or advanced routing.
MTCNA DHCP Module – Server Configuration:
“One DHCP server per interface is allowed. Assigning multiple servers to a single interface is not supported.”
René Meneses Study Guide – DHCP Design:
“Plan carefully: one server per interface. Use DHCP relay if multiple scopes are needed.”
Terry Combs Notes – DHCP Server Behavior:
“Trying to configure two servers on the same port results in failure.”
Select valid subnet masks:
255.192.0.0
255.255.192.255
192.0.0.0
255.255.224.0
The Answer Is:
D
Explanation:
Subnet masks are used in IP networking to define the boundary between the network portion and the host portion of an IP address. A valid subnet mask must consist of a contiguous block of 1s followed by a contiguous block of 0s in its binary representation.
Let’s analyze the given options:
A. 255.192.0.0 – This is not a standard or valid subnet mask because the 1s are not contiguous beyond the second octet. This is typically used in class A subnetting but is not commonly considered valid in CIDR or MTCNA context. While technically binary-valid, it’s not recommended or standard for practical subnetting.
B. 255.255.192.255 – Invalid, because the last octet is 255, which implies all bits are 1s, but in the third octet only partial bits are set (192 is 11000000). This breaks the required rule of contiguous 1s followed by contiguous 0s.
C. 192.0.0.0 – Invalid, as it doesn’t represent a valid subnet mask. 192 in the first octet (11000000) followed by zeros is not a valid mask – it's actually a network address, not a subnet mask.
D. 255.255.224.0 – Valid subnet mask. This represents /19 in CIDR notation. In binary: 11111111.11111111.11100000.00000000, which follows the correct rule of contiguous 1s followed by contiguous 0s.
Extract from MTCNA Study Guide by René Meneses:
Subnet masks must be a continuous string of 1s followed by a continuous string of 0s. Any deviation or split between the blocks renders the mask invalid.
Extract from MTCNA Official Course Manual:
Valid subnet masks include values such as 255.0.0.0 (/8), 255.255.0.0 (/16), 255.255.255.0 (/24), and also non-classful masks like 255.255.224.0 (/19) are allowed and used for more flexible subnetting.
Conclusion: Option D is the only one meeting the criteria for a valid subnet mask as taught in the MTCNA curriculum.
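The binary rule quoted from the study guide (a contiguous run of 1s followed by a contiguous run of 0s) can be checked mechanically. The following is an added example, not code from the study material: it parses a dotted-quad mask, shows its binary form as the explanation does, and returns the /N prefix length when the mask is contiguous. Note that the purely binary test also passes 255.192.0.0 as /10, consistent with the explanation's remark that option A is "technically binary-valid" even though the exam does not treat it as a standard mask; the function names here are this example's own.

```python
def mask_to_int(mask: str) -> int:
    """Parse a dotted-quad mask into a 32-bit integer, rejecting malformed input."""
    parts = mask.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {mask!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {mask!r}")
        value = (value << 8) | int(part)
    return value


def to_binary(mask: str) -> str:
    """Dotted binary form, e.g. 255.255.224.0 -> 11111111.11111111.11100000.00000000"""
    mask_to_int(mask)                       # validate first
    return ".".join(f"{int(p):08b}" for p in mask.split("."))


def prefix_length(mask: str):
    """Return the /N prefix length if the mask is ones followed by zeros, else None."""
    n = mask_to_int(mask)
    inverted = ~n & 0xFFFFFFFF              # host bits become ones
    # A contiguous low run of zeros in n means inverted has the form 2^k - 1,
    # in which case inverted & (inverted + 1) is 0; any gap leaves a set bit.
    if inverted & (inverted + 1):
        return None
    return bin(n).count("1")


def classify(mask: str) -> dict:
    """Summarise one candidate mask the way the option breakdown above does."""
    prefix = prefix_length(mask)
    return {"mask": mask, "binary": to_binary(mask),
            "contiguous": prefix is not None, "prefix": prefix}


if __name__ == "__main__":
    # the four candidates from the question
    for candidate in ("255.192.0.0", "255.255.192.255", "192.0.0.0", "255.255.224.0"):
        print(classify(candidate))
```

The inversion trick avoids string scanning: after flipping the bits, a well-formed mask becomes a number like 0b0001111, and adding one to such a number clears every set bit, which is exactly what the `inverted & (inverted + 1)` test detects.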
===========