MikroTik MTCNA - MikroTik Certified Network Associate Exam
What is marked by connection-state=established matcher?
A. Packet belongs to an existing connection, for example a reply packet or a packet which belongs to already replied connection
B. Packet is related to, but not part of an existing connection
C. Packet does not correspond to any known connection
D. Packet begins a new TCP connection
The Answer Is:
A
Explanation:
The connection-state=established matcher in MikroTik’s firewall refers to packets that are part of an already active connection. These packets are neither new nor related; they are directly associated with a known connection that has been previously accepted or initiated.
MikroTik uses Connection Tracking (enabled by default) to determine the state of each packet:
new: Packet begins a new connection (e.g., TCP SYN)
established: Packet belongs to a previously established connection (reply or subsequent packets)
related: Packet is not part of the connection, but is related (e.g., FTP data channel)
invalid: Packet that does not match any known or valid connection
Therefore:
A. ✅ Correct. “Established” means part of an ongoing, known connection.
B. ❌ This describes “related”
C. ❌ This describes “invalid”
D. ❌ This describes “new”
MTCNA Course Manual – Firewall and Connection Tracking:
“Established – Packet that belongs to an existing connection. This includes replies and ongoing streams.”
René Meneses Study Guide – Firewall Fundamentals:
“Use connection-state=established to allow traffic that is part of previously accepted sessions.”
Terry Combs Notes – Connection States:
“Established = trusted, ongoing session. Essential for return traffic.”
Answer: A
QUESTION NO: 32 [PPP]
PPP Secrets are used for:
A. PPPoE clients
B. L2TP clients
C. IPSec clients
D. PPP clients
E. PPTP clients
F. Router users
Answer: A, B, D, E
PPP Secrets is a user authentication mechanism used in MikroTik RouterOS for various PPP-based services. These include:
PPP (Point-to-Point Protocol)
PPPoE (PPP over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
Each client authenticates with a username/password combination defined under PPP → Secrets. PPP Secrets is not used for:
IPSec clients → ❌ They use peer configurations and policies
Router users (Winbox/WebFig) → ❌ Use system → users, not PPP secrets
MTCNA PPP Chapter – Secrets Authentication:
“PPP Secrets are used for all PPP services: PPP, PPPoE, L2TP, and PPTP. It defines usernames, passwords, profiles, and IP bindings.”
René Meneses Guide – Tunnels and PPP:
“Any PPP-based tunnel uses PPP secrets for login validation. This includes local dial-in and remote VPN tunnels.”
Terry Combs Notes – PPP Authentication Table:
“PPP Secrets = for PPP, PPPoE, PPTP, and L2TP. Not for IPSec or Winbox.”
Answer: A, B, D, E
QUESTION NO: 33 [Licensing]
How long is level 1 (free) license valid?
A. 1 month
B. 24 hours
C. 1 year
D. Infinite time
Answer: D
Level 1 license in MikroTik RouterOS is a free license type. It is included with every installation but has very limited functionality. Despite the limitations, it is valid for an unlimited duration.
Features available in level 1:
Basic configuration
One active user session
Ideal for lab/testing with CHR
Incorrect options:
A. 1 month → ❌ Not time-based
B. 24 hours → ❌ No expiration limit
C. 1 year → ❌ Invalid
D. ✅ Correct → Valid forever, but feature-limited
MTCNA Course Material – Licensing Section:
“Level 1 license is free and does not expire. It provides minimal feature access.”
René Meneses Study Guide – License Levels:
“Level 1 is permanent but restrictive. Great for evaluation or learning.”
Terry Combs Notes – RouterOS Licensing Table:
“Level 1 license = lifetime access to basic RouterOS functionality.”
Answer: D
QUESTION NO: 34 [NAT]
What is the correct action for a NAT rule on a router that should intercept SMTP traffic and send it over to a specified mail server?
A. tarpit
B. dst-nat
C. passthrough
D. redirect
Answer: B
To forward traffic from one destination to another (such as from the public IP to an internal mail server), the dst-nat action is used in MikroTik NAT rules.
dst-nat: Modifies the destination IP address and/or port of the packet. Used to forward traffic to an internal resource.
tarpit: Captures and holds TCP connections (used for spam traps or slowing down bots) → ❌
passthrough: Used in mangle rules; allows the packet to be evaluated by the next rule → ❌
redirect: Redirects traffic to the router itself (e.g., proxy or DNS services) → ❌
So, for external SMTP traffic (e.g., TCP port 25), we use a dst-nat rule that forwards the traffic to the internal mail server.
MTCNA NAT Section – Destination NAT:
“To forward SMTP traffic from a public address to a private server, use dst-nat with appropriate port and IP.”
René Meneses Guide – Practical NAT Examples:
“Use dst-nat for port forwarding. Redirect is for internal services like DNS or web proxy.”
Terry Combs Notes – NAT Action Summary:
“dst-nat = most common for external-to-internal mapping (e.g., mail servers, web servers).”
Mark all packages required for PPPoE server on MikroTik RouterOS
A. ppp
B. user-manager
C. radius
D. synchronous
E. system
The Answer Is:
A, E
Explanation:
The PPPoE server functionality in RouterOS relies primarily on the PPP package, which includes support for protocols like PPP, PPPoE, PPTP, L2TP, SSTP, etc. The system package is also always required, as it contains the core OS components.
Option breakdown:
A. ✔ ppp – Required. Contains all PPP and PPPoE server/client implementations.
B. ✘ user-manager – Optional. Used for advanced AAA (authentication/accounting), not required for basic PPPoE.
C. ✘ radius – Optional. Used for external authentication, not essential unless RADIUS integration is needed.
D. ✘ synchronous – Used for legacy synchronous interfaces (e.g., serial or modem), not for PPPoE.
E. ✔ system – Required for all RouterOS functions.
Extract from Official MTCNA Course Material – RouterOS Packages:
“To enable PPPoE server functionality, you need the ppp and system packages. Radius and User Manager are optional.”
Extract from René Meneses MTCNA Study Guide – PPPoE Deployment:
“Only the ppp and system packages are strictly required. Additional features like radius are for centralized authentication.”
Extract from MikroTik Wiki – RouterOS Package Descriptions:
“ppp: required for PPP, PPTP, L2TP, PPPoE; system: required core package. user-manager and radius are optional.”
===========
From which of the following locations can you obtain Winbox?
A. Router’s webpage
B. Files menu in your router
C. Via the console cable
D. mikrotik.com
The Answer Is:
D
Explanation:
Winbox is a small, native Windows utility provided by MikroTik for graphical administration of RouterOS devices. It is typically downloaded from MikroTik's official website.
A. Router’s webpage → Incorrect. While the router’s WebFig interface may allow configuration, it does not offer a Winbox download.
B. Files menu → Incorrect. The Files menu is for storing backups or firmware packages, not distributing Winbox.
C. Console cable → Incorrect. Console access is CLI only; no GUI utilities can be transferred through it.
D. mikrotik.com → Correct. The only official and secure location to download Winbox is the MikroTik website.
Extract from Official MTCNA Course Material – RouterOS Introduction:
“Winbox can be downloaded from the official MikroTik website. It provides a GUI frontend for managing RouterOS.”
Extract from René Meneses MTCNA Study Guide – RouterOS Access Methods:
“You can download Winbox from mikrotik.com under the Software Tools section.”
Extract from Terry Combs MTCNA Notes – Access Methods:
“Winbox is a Windows application that must be downloaded from MikroTik’s website. It is not available directly from the router.”
===========
