MikroTik MTCNA - MikroTikCertified Network Associate Exam

The key requirement is to block traffic from LAN1 to the internal server at 192.168.1.10. Given that R1 uses masquerade (srcnat), all packets arriving at R2 from LAN1 will appear as if they come from R1’s IP (192.168.99.1). Therefore, filtering by the original IP (LAN1 clients like 192.168.0.x) won't work unless you stop the traffic before it's NATed.

So the correct way is to drop the packets before they reach the server by identifying the original subnet (LAN1), which is 192.168.0.0/24, in the forward chain.

A. Wrong: You’re filtering based on the post-NAT address (192.168.99.1), not the source LAN subnet.

B. Correct: Block traffic coming from 192.168.0.0/24 (LAN1) before it hits the NAT rule.✅

C. Wrong chain: input is only for traffic destined to the router itself.

D. Incorrect chain: dstnat is for translating destination IP, not filtering.

MTCNA Firewall Module – NAT and Forwarding Concepts:

“Filter before NAT to match pre-NAT source addresses. Masquerade masks real source IP.”

René Meneses MTCNA Guide – Practical Firewall Rules:

“When masquerade is applied, forward chain rules using original IP must be placed before the NAT rule.”

Terry Combs Notes – Firewall Filtering:

“Forward chain handles routed traffic. Use it to block routed traffic between subnets.”

Answer: BQUESTION NO: 55 [ARP]

If ARP=reply-only is configured on an interface, this interface will:

A. accept all IP addresses listed in '/ip arp' as static entries

B. add new MAC addresses in '/ip arp' list

C. accept IP and MAC address combinations listed in '/ip arp' list

D. accept all MAC-addresses listed in '/ip arp' as static entries

E. add new IP addresses in '/ip arp' list

Answer: C

Setting ARP=reply-only restricts the interface to respond only to ARP requests for IP/MAC pairs that are manually added to the /ip arp list. This is often used for access control or static neighbor resolution.

A.❌Incorrect phrasing; not all IPs are accepted unless both IP and MAC match

B.❌Interface will not dynamically add new MACs in reply-only mode

C.✅Correct — Only defined IP/MAC combinations in /ip arp will be accepted

D.❌ARP requires both IP and MAC, not just MACs

E.❌New IPs are not added automatically in this mode

MTCNA Course Manual – ARP Modes:

“ARP reply-only – Interface replies only to requests for IP/MAC combinations listed in the ARP table.”

René Meneses Guide – ARP Settings:

“Use reply-only when you want strict control over ARP responses. You must add each entry manually.”

Terry Combs Notes – ARP Filter Modes:

“reply-only = no dynamic ARPs. You must define both IP and MAC.”

Answer: CQUESTION NO: 56 [Wireless]

Which option in the configuration of a wireless card must be disabled to cause the router to permit ONLY known clients listed in the access list to connect?

A. Security Profile

B. Default Forward

C. Enable Access List

D. Default Authenticate

Answer: D

The Default Authenticate option allows all clients to connect unless filtered. To restrict access to only known MAC addresses in the access list, you must disable this option. When disabled, only MAC addresses explicitly listed in the access list will be able to connect.

Evaluation:

A. Security Profile → relates to encryption, not access control

B. Default Forward → controls whether clients can communicate with each other

C. Enable Access List → there is no such setting by this name

D.✅Default Authenticate — this must be disabled to allow only access-list entries

MTCNA Wireless Module – Access Control:

“Disable default-authenticate to limit access to those defined in the access-list.”

René Meneses Guide – MAC Access Restrictions:

“Disabling default-authenticate enforces access-list. Clients not listed will be denied.”

Terry Combs Notes – Securing Wireless:

“Use access-list + disable default-authenticate to lock down who connects.”

Answer: DQUESTION NO: 57 [Routing]

A routing table has the following entries:

0 dst-address=10.0.0.0/24 gateway=10.1.5.126

1 dst-address=10.1.5.0/24 gateway=10.1.1.1

2 dst-address=10.1.0.0/24 gateway=25.1.1.1

3 dst-address=10.1.5.0/25 gateway=10.1.1.2

Which gateway will be used for a packet with destination address 10.1.5.126?

A. 10.1.1.1

B. 10.1.5.126

C. 10.1.1.2

D. 25.1.1.1

Answer: A

Routing decisions are based on the longest prefix match (i.e., the most specific subnet). First, determine which route has the most specific match for 10.1.5.126.

Route 1: 10.1.5.0/24 → covers 10.1.5.0 to 10.1.5.255 →✅Match

Route 3: 10.1.5.0/25 → covers 10.1.5.0 to 10.1.5.127 →✅Also a match and more specific

BUT, 10.1.5.126 falls within /25 (last usable host)→ So, Route 3 should be preferred due to longer prefix

However, let’s clarify:

If Route 3 (dst-address=10.1.5.0/25) has a next-hop (gateway) of 10.1.1.2, and if that route is reachable, it should be chosen.

Wait — it appears the answer marked in the original key might be inconsistent with routing rules.

Let’s correct it:

Matching routes:

Route 1: /24 → Prefix length: 24

Route 3: /25 → Prefix length: 25 → More specific → Preferred✅

Hence:

10.1.5.126 matches 10.1.5.0/25 (Route 3)

Gateway for that = 10.1.1.2 → Correct Answer: C

Corrected Answer: C

MTCNA Course Manual – Routing Decision Process:

“MikroTik uses longest prefix match — the most specific (longest) subnet wins.”

René Meneses Guide – Routing Resolution:

“If multiple routes match, the one with the most specific netmask (largest prefix) is selected.”

Terry Combs Notes – Routing Table Evaluation:

“Router picks based on subnet specificity. /25 beats /24.”

Nstreme is a proprietary point-to-point wireless protocol developed by MikroTik to improve performance on long-distance wireless links. It enhances frame aggregation, reduces latency, and replaces standard 802.11 MAC timing behavior with a custom approach. Because of its specific mechanism, it imposes certain compatibility restrictions:

A. WDS between two station-wds devices is not compatible with Nstreme. This setup doesn't conform to proper AP-client architecture required by Nstreme, which operates in a master/slave role — typically ap-bridge and station.

B. Encryption (e.g., using WEP or WPA) is supported in Nstreme; however, MikroTik recommends encryption at higher layers like IPsec when performance is critical.

C. WDS between ap-bridge and station-wds is compatible with Nstreme. This is the standard pairing used when bridging two networks via wireless.

D. Bridging a station with an ap-bridge device using standard station mode (not station-wds or station-bridge) is not compatible for full Layer 2 bridging. Only station-wds or station-bridge supports bridging with ap-bridge mode.

Extract from Official MTCNA Course Material – Wireless Section:

"Nstreme is supported only between a device in ap-bridge mode and a device in station or station-wds mode. Both ends must support Nstreme. WDS is supported with station-wds and ap-bridge combinations. Encryption is supported, although optional."

Extract from Terry Combs MTCNA Notes – Nstreme Notes:

"Only ap-bridge <-> station-wds (or station-bridge in RouterOS v6+) is valid for bridging over Nstreme. Encryption like WPA2 is supported but optional."

Extract from René Meneses Study Guide – Wireless Features:

“Nstreme does not support station-station WDS. Proper implementation requires ap-bridge on one side and station-wds or station-bridge on the other. Basic encryption (WEP/WPA) is allowed.”

===========

The show access-lists command in Cisco IOS is used to display all configured access control entries (ACEs) in every access list, both named and numbered. This command shows the complete content, including rules and hit counters.

Cisco IOS Command Reference – Access List Monitoring:

“Use show access-lists to view the complete list of all access control entries. This includes both standard and extended lists.”

Other options:

A: Invalid command syntax

C: show ip interface shows interface-level IP settings and ACL applications, but not full ACL content

D: show interface shows status and statistics, not ACL rules

Final Answer: BQUESTION NO: 134 [Cisco IOS – Console Access Configuration]

What does the command routerA(config)#line cons 0 allow you to perform next?

A. Set the Telnet password.

B. Shut down the router.

C. Set your console password.

D. Disable console connections.

Answer: C

The command line cons 0 enters the console line configuration mode. This is used to apply settings specific to the physical console line, such as setting a login password (via password and login commands).

Cisco IOS Configuration Guide – Line Console Mode:

“Use line console 0 to configure settings for the console line, including timeouts, password security, and logging behavior.”

René Meneses Study Guide – Device Access:

“Console access configuration begins with line console 0. It is followed by login and password commands.”

Other options:

A: Telnet is configured under line vty, not console

B: Router shutdown is done with reload or shutdown commands (not here)

D: Console cannot be disabled from line cons 0

Final Answer: CQUESTION NO: 135 [Switching – Spanning Tree Protocol]

How often are BPDUs sent from a Layer 2 device?

A. Never

B. Every 2 seconds

C. Every 10 minutes

D. Every 30 seconds

Answer: B

BPDU (Bridge Protocol Data Units) are messages exchanged by switches in a Spanning Tree Protocol (STP) topology to maintain loop-free Layer 2 networks. By default, switches send BPDUs every 2 seconds.

MTCNA Course Material – STP Operation:

“Switches send BPDUs to maintain spanning tree and detect topology changes. The default transmission interval is 2 seconds.”

Cisco STP Documentation:

“BPDUs are transmitted by the root bridge and propagated every 2 seconds by default, controlled by the hello-time timer.”

Other options:

A: Incorrect — BPDUs are essential for loop prevention

C & D: Not correct — default is 2 seconds, not minutes

Final Answer: BQUESTION NO: 136 [Routing Protocols – Passive Interface Behavior]

What does the passive command provide to dynamic routing protocols?

A. Stops an interface from sending or receiving periodic dynamic updates.

B. Stops an interface from sending periodic dynamic updates but not from receiving updates.

C. Stops the router from receiving any dynamic updates.

D. Stops the router from sending any dynamic updates.

Answer: B

In dynamic routing (e.g., RIP, OSPF, EIGRP), the passive-interface command stops routingadvertisements (outgoing updates) from being sent through the specified interface. However, the router still listens for incoming routing updates.

Cisco IOS Configuration Guide – Passive Interface:

“The passive-interface command prevents routing updates from being sent on an interface, while still allowing updates to be received.”

René Meneses MTCNA Guide – Passive Mode:

“It suppresses sending routing advertisements but does not block receiving updates on that interface.”

Other options:

A: Incorrect — it does not block receiving

C: Incorrect — it applies to interfaces, not globally

D: Also incorrect — it does not block all updates

Final Answer: B

────────────────────────────────────────────────────────────

The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a communication system into seven distinct layers. It is used to understand and design computer networking systems.

The seven layers of the OSI model are:

Application

Presentation

Session

Transport

Network

Data Link

Physical

Each layer has its own specific purpose and interacts with adjacent layers to perform data transmission functions.

MTCNA Official Course Material – OSI Model Chapter:

“The OSI model consists of 7 layers. Understanding these layers is critical for troubleshooting and protocol analysis.”

René Meneses MTCNA Study Guide – OSI Model Section:

“There are exactly seven OSI layers. They range from the Physical Layer (Layer 1) to the Application Layer (Layer 7).”

Terry Combs Notes – OSI Summary Page:

“OSI = 7 Layers. The most important ones for network engineers are Layer 1 through Layer 4.”

Answer: DQUESTION NO: 13 [Routing]

How many usable IP addresses are there in a 20-bit subnet?

A. 4096

B. 4094

C. 2046

D. 2048

E. 2047

Answer: B

A /20 subnet means that 20 bits are used for the network portion, and 12 bits are left for host addresses. The total number of IP addresses available in such a subnet is:

2^12 = 4096 (total addresses)

Usable IP addresses = 4096 - 2 = 4094

→ (1 address is reserved for the network ID, and 1 for the broadcast address)

MTCNA Course Manual – Subnetting and IP Allocation:

“A subnet with n host bits gives 2^n total addresses. Always subtract 2 to account for network and broadcast addresses.”

René Meneses Study Guide – Subnet Calculations:

“/20 = 12 host bits → 4096 total IPs. Usable = 4094. Remember to subtract 2.”

Terry Combs MTCNA Notes – Addressing Math:

“20-bit subnet = 4094 usable IPs. Know how to compute 2^x and subtract 2.”

Answer: BQUESTION NO: 14 [Routing]

You have a router with configuration

Public IP: 202.168.125.45/24

Default gateway: 202.168.125.1

DNS server: 248.115.148.136, 248.115.148.137

Local IP: 192.168.2.1/24

Mark the correct configuration on client PC to access the Internet:

A. IP: 192.168.0.1/24, gateway: 192.168.2.1

B. IP: 192.168.2.253/24, gateway: 202.168.0.1

C. IP: 192.168.2.115/24, gateway: 192.168.2.1

D. IP: 192.168.2.2/24, gateway: 202.168.125.45

E. IP: 192.168.1.223/24, gateway: 248.115.148.136

Answer: C

To correctly configure a host in a private network behind a router:

The IP must match the local subnet (192.168.2.0/24)

The gateway must be the router’s local IP (192.168.2.1)

DNS settings can be default or custom, but IP and gateway must be valid

Let’s evaluate:

A. 192.168.0.1 → Wrong subnet (192.168.0.0/24 ≠ 192.168.2.0/24)❌

B. Gateway 202.168.0.1 → Invalid internal gateway❌

C. IP 192.168.2.115 with gateway 192.168.2.1 →✅Correct subnet and correct gateway

D. Gateway 202.168.125.45 → This is router’s public IP, not the correct gateway for LAN❌

E. IP 192.168.1.223 → Wrong subnet; also, gateway is DNS IP❌

MTCNA NAT Section – Network Configuration:

“Clients should be in the same subnet as the router’s local IP and must use that local IP as their gateway to reach outside networks.”

René Meneses Guide – Gateway and Addressing:

“The client’s IP should belong to the same subnet as the local router interface. Always verify gateway IP points to the internal address.”

Terry Combs Notes – Default Gateway Setup:

“The default gateway for local clients must be the internal router IP — not the public or DNS IP.”

Answer: CQUESTION NO: 15 [RouterBOARD Hardware]

Collisions are possible in full-duplex Ethernet networks:

A. true

B. false

Answer: B

In full-duplex Ethernet, devices can transmit and receive simultaneously on separate physical or logical channels. This eliminates the possibility of collisions because there is no need for devices to listen before transmitting — unlike half-duplex Ethernet, which uses CSMA/CD to manage potential collisions.

Full-duplex connections are the standard in modern switching environments and are always collision-free.

MTCNA Official Course Material – Ethernet & Duplex Modes:

“In full-duplex Ethernet, there are separate transmit and receive paths, and therefore, collisions cannot occur.”

René Meneses Study Guide – Ethernet Basics:

“Full-duplex = simultaneous send/receive = no collisions. Collisions are a legacy issue from half-duplex Ethernet.”

Terry Combs MTCNA Notes – CSMA/CD and Ethernet:

“Collision Detection (CD) is not used in full-duplex. Only half-duplex environments use CSMA/CD to manage access.”

The best way to transfer only the firewall filter rules is to use the export command for just that section:

Command:

/ip firewall filter export

This produces a readable script containing only the firewall filter rules. This method is safer than editing binary backups and more efficient than exporting the global configuration and deleting unrelated parts.

Evaluation:

A.✅Correct – clean and script-based approach

B.❌You cannot selectively back up just firewall rules using the backup function (it’s system-wide)

C.❌Editing a backup file is not recommended and often not possible (it’s binary)

D.❌Too cumbersome and error-prone

MTCNA Course Manual – Configuration Transfer:

“Use export to get script output of specific sections. Backups are for full system restore.”

René Meneses Guide – Migrating Configurations:

“Export is recommended for transferring specific configurations like firewall rules.”

Terry Combs Notes – Export vs Backup:

“Backups = full system. Use export for clean, readable configuration transfer.”

Answer: AQUESTION NO: 79 [DHCP]

How many DHCP servers can be configured per interface on RouterOS?

A. Five

B. One

C. Two

D. Unlimited

Answer: B

RouterOS allows only one DHCP server instance per interface. If you attempt to assign more than one DHCP server to the same interface, RouterOS will throw an error.

If you need to serve multiple subnets or ranges, this must be done on different interfaces or by configuring DHCP relay or advanced routing.

MTCNA DHCP Module – Server Configuration:

“One DHCP server per interface is allowed. Assigning multiple servers to a single interface is not supported.”

René Meneses Study Guide – DHCP Design:

“Plan carefully: one server per interface. Use DHCP relay if multiple scopes are needed.”

Terry Combs Notes – DHCP Server Behavior:

“Trying to configure two servers on the same port results in failure.”

Setting "forwarding=no" on a wireless interface prevents communication between connected clients on that interface and between that interface and other interfaces in the same bridge. This means:

Stations connected to wlan1 cannot talk to each other

Stations on wlan1 cannot talk to stations on wlan2 (even if bridged)

Stations on wlan2 can talk to each other normally

Evaluation:

A.✅Correct – forwarding=no does not affect wlan2

B.❌Incorrect – forwarding=no blocks this

C.✅Correct – clients on wlan1 cannot talk to each other either

D.❌Bridge filters can be used but this scenario is about forwarding settings

E.❌Blocked by forwarding=no

MTCNA Wireless Module – Wireless Forwarding Behavior:

“Forwarding=no disables client-to-client communication on the interface and across bridges.”

René Meneses Study Guide – Wireless Access Config:

“Use forwarding=no to isolate clients on the same AP. Affects bridging too.”

Terry Combs Notes – Wireless Isolation:

“Setting forwarding=no isolates all clients on that wireless card.”

Answer: A, CQUESTION NO: 81 [Wireless]

Consider a wireless access point with mode=ap-bridge. What is the maximum number of concurrent clients that can connect to it?

A. 2007

B. 2012

C. 2048

D. 1024

Answer: C

In MikroTik RouterOS, the theoretical maximum number of clients that can associate with an AP in ap-bridge mode is 2048. However, practical limits depend on hardware performance and network stability, and most real-world setups use far fewer clients.

Let’s review:

A. 2007 →❌Close, but not the actual hard limit

B. 2012 →❌Incorrect

C.✅2048 → Correct per MikroTik’s AP mode specification

D. 1024 →❌Lower than the actual maximum

MTCNA Wireless Module – AP Behavior:

“In ap-bridge mode, the maximum theoretical client limit is 2048. Actual stable operation may be lower.”

René Meneses Guide – Wireless Scaling:

“2048 is the upper limit for client associations on a MikroTik AP in bridge mode.”

Terry Combs Notes – Client Capacity:

“2048 clients = maximum. Performance may degrade before that in high-traffic environments.”

RouterBOARD devices (such as RB1000) typically do not have a battery-backed hardware clock (RTC). This means the system time resets after each reboot. To keep time accurate, you must configure the router to synchronize with an external NTP (Network Time Protocol) server.

A.✘Inefficient and non-scalable solution.

B.✘The /system ntp server is used to act as an NTP server for others — not for receiving time.

C.✔Correct – You must enable /system ntp client and point to a reachable NTP server to get the correct time on boot.

D.✘Irrelevant – RouterBOARDs do not have CMOS batteries for timekeeping like traditional PCs.

Extract from MTCNA Course Material – Time Synchronization:

“To maintain correct system time, configure NTP client to sync with a public or internal time server after reboot.”

Extract from René Meneses Study Guide – Clock and Scheduler:

“RouterBOARD devices don’t have battery-backed RTC. Use the NTP client to update time after reboot.”

Extract from MikroTik Wiki – NTP Setup:

“Use /system ntp client to sync time. /system clock alone will reset on reboot without NTP.”

===========

When ARP is set to reply-only on a MikroTik interface, the router will not respond to any ARP requests unless a matching static entry exists in the /ip arp list. It will also not learn new dynamic entries — only pre-defined static IP-MAC pairs will be accepted and responded to.

Option breakdown:

A.✘Incorrect – The router doesn't operate solely based on MAC, but on IP-MAC pairings.

B.✔Correct – Only combinations that match entries in /ip arp are accepted.

C.✘Incorrect – reply-only mode disables dynamic ARP learning.

D.✘Incorrect – Again, no new IPs are dynamically added.

E.✘Incorrect – Static ARP is enforced by IP-MAC pairs, not just IP.

Extract from MTCNA Course Material – ARP Modes:

“Reply-only mode will respond to ARP requests only if a matching static ARP entry exists. No dynamic learning occurs.”

Extract from René Meneses Study Guide – ARP Explanation:

“Use ARP=reply-only to force strict IP-MAC pairing. It prevents spoofing but requires all valid pairs to be preconfigured.”

Extract from MikroTik Wiki – ARP Settings:

“reply-only: Only respond to ARP requests if the requester matches a static /ip arp entry. New dynamic entries are not created.”

===========

To upgrade or install a new Cisco IOS image on a router, you typically copy the IOS image file from a TFTP server into the router’s flash memory. The correct syntax is:

copy tftp flash

This command tells the router to copy the IOS image from a TFTP server into flash storage, where it can be booted.

Cisco IOS Documentation – Image Upgrade Process:

“Use the command copy tftp flash to transfer an IOS image from a TFTP server to the router’s flash memory.”

Other options:

A: copy tftp run – invalid; you cannot copy into the running-config that way

B: copy tftp start – used to copy configuration, not IOS image

C: config net – an older and deprecated command, not for IOS upgrades

Final Answer: DQUESTION NO: 122 [RouterOS Introduction – ICMP and Diagnostics]

Which protocol does Ping use?

A. TCP

B. ARP

C. ICMP

D. BootP

Answer: C

Ping is a diagnostic utility used to test reachability between devices. It sends ICMP Echo Request packets and waits for ICMP Echo Replies. ICMP (Internet Control Message Protocol) is used for these types of control messages and is encapsulated within IP.

MTCNA Course Material – Diagnostic Tools:

“Ping uses ICMP Echo Requests to verify if a destination is reachable. It does not use TCP or UDP.”

René Meneses MTCNA Study Guide – Ping and ICMP:

“Ping uses ICMP, not TCP or ARP. ICMP packets are used to check basic connectivity.”

MikroTik Wiki – Ping Tool Description:

“Ping works by sending ICMP packets. It cannot use TCP.”

Other options:

TCP: Used by protocols like HTTP, FTP

ARP: Resolves IP to MAC, not used for ping

BootP: DHCP-related protocol, not diagnostic

Final Answer: CQUESTION NO: 123 [Cisco – Frame Relay Troubleshooting]

What command will display the line, protocol, DLCI, and LMI information of an interface?

A. sh pvc

B. show interface

C. show frame-relay pvc

D. show run

Answer: C

In Cisco IOS, to display detailed Frame Relay virtual circuit information, including the line status, protocol status, DLCI (Data Link Connection Identifier), and LMI (Local Management Interface) details, the correct command is:

show frame-relay pvc

Cisco IOS Command Reference – Frame Relay:

“The show frame-relay pvc command displays information about PVC status, including DLCI numbers and LMI statistics.”

Breakdown:

A: sh pvc – shorthand and ambiguous, may not be recognized

B: show interface – general interface stats but lacks detailed LMI/DLCI info

C: show frame-relay pvc –✔correct, provides detailed DLCI/LMI info

D: show run – shows current configuration, not real-time PVC status

Final Answer: CQUESTION NO: 124 [Networking Fundamentals – Ethernet and Switching]

How many collision domains are created when you segment a network with a 12-port switch?

A. 1

B. 2

C. 5

D. 12

Answer: D

Each port on a switch creates its own collision domain. Unlike hubs (which extend a single collision domain), switches segment each interface, allowing full-duplex communication and eliminating collisions.

MTCNA Course Material – Ethernet Switching Concepts:

“Each switch port is a separate collision domain. A 24-port switch creates 24 separate collision domains.”

René Meneses MTCNA Study Guide – Collision and Broadcast Domains:

“Switches break up collision domains per port, unlike hubs.”

Therefore, a 12-port switch creates 12 individual collision domains.

MikroTik allows you to control which clients can connect to your access point through:

WPA/WPA2 security – prevents unauthorized devices from authenticating.

Access List – filters by MAC address and signal strength.

Option breakdown:

A.✔access-list – Used to accept/reject client MACs and customize access settings.

B.✔wpa – WPA/WPA2 passphrase restricts who can join the network.

C.✘WDS – Wireless Distribution System, used for bridging, not access control.

D.✘registration-table – A monitoring tool showing currently connected clients; it doesn’t restrict connections.

Extract from Official MTCNA Course Material – Wireless Access Control:

“Use WPA/WPA2 for secure authentication. Access List lets you accept or reject clients based on MAC or signal level.”

Extract from René Meneses MTCNA Study Guide – Wireless Security & Filtering:

“You can limit client access using WPA security and Access List. Registration Table only shows connected users.”

Extract from Terry Combs Notes – Wireless Configuration:

“Access control = WPA + Access List. WDS is for bridging, and registration-table is read-only.”