MikroTik MTCNA - MikroTikCertified Network Associate Exam
How long is level 1 (demo) license valid?
24 hours
Infinite time
1 month
1 year
The Answer Is:
BExplanation:
RouterOS Level 1 license is the demo license that comes with all RouterOS installations (particularly on x86 or CHR before activation). It is unrestricted in time, meaning it never expires, but functionality is extremely limited.
A. 24 hours → Incorrect. There is no such time-limited restriction.
B. Infinite time → Correct. Level 1 license is perpetual but has limited features.
C. 1 month → Incorrect. MikroTik does not impose monthly timeouts on license levels.
D. 1 year → Incorrect. No temporary time-bound license is assigned by default.
Extract from Official MTCNA Course Material – Licensing Section:
“Level 1 (demo) license is unlimited in time but has very limited functionality. It is designed for testing purposes only.â€
Extract from René Meneses MTCNA Study Guide – RouterOS Licensing:
“The Level 1 license is not time-limited, but it cannot be used in production due to its lack of key features.â€
Extract from MikroTik Wiki – Licensing Model:
“License level 1 is a free demo license that does not expire.â€
===========
MAC layer by OSI model is also known as
Layer 2
Layer 1
Layer 6
Layer 7
Layer 3
The Answer Is:
AExplanation:
TheMAC layer (Media Access Control)is asub-layerof theData Link Layer, which is known asLayer 2in theOSI (Open Systems Interconnection) model. This layer is responsible for the delivery of frames between devices on the same local network. The MAC sub-layer controls how a device on the network gains access to the medium and permission to transmit data.
Extract fromRené Meneses MTCNA Study Guide – OSI Model Section:
"The MAC layer, or Media Access Control, is part of Layer 2 (Data Link Layer) in the OSI model. It handles physical addressing and access to the medium, such as Ethernet. MAC addresses are used at this level to identify source and destination interfaces in the same network segment."
Extract fromTerry Combs MTCNA Notes – OSI Layers Overview:
"Layer 2 is the Data Link Layer and contains two sublayers: LLC (Logical Link Control) and MAC (Media Access Control). The MAC sub-layer is the portion that directly interacts with the network interface and is responsible for MAC addressing and frame delivery."
Extract fromMikroTik Wiki – OSI Model & MAC Addressing Section:
"MAC addresses operate at Layer 2 of the OSI model. This layer is responsible for node-to-node data transfer, framing, and access control using MAC addresses."
Breakdown of Each Option:
A. Layer 2✅✔Correct — The MAC layer is a sublayer ofLayer 2(Data Link Layer).
B. Layer 1âŒâœ˜Incorrect — This is thePhysical Layer, responsible for transmission of raw bits, not MAC addressing.
C. Layer 6âŒâœ˜Incorrect — This is thePresentation Layer, which handles data format translation, not networking functions.
D. Layer 7âŒâœ˜Incorrect — This is theApplication Layer, used by end-user software like browsers or email clients.
E. Layer 3âŒâœ˜Incorrect — This is theNetwork Layer, responsible for logical addressing and routing using IP addresses, not MAC.
Select valid subnet masks:
255.192.0.0
255.255.192.255
192.0.0.0
255.255.224.0
The Answer Is:
DExplanation:
Subnet masks are used in IP networking to define the boundary between the network portion and the host portion of an IP address. A valid subnet mask must consist of a contiguous block of 1s followed by a contiguous block of 0s in its binary representation.
Let’s analyze the given options:
A. 255.192.0.0– This isnot a standard or valid subnet maskbecause the 1s are not contiguous beyond the second octet. This is typically used in class A subnetting but is not commonly considered valid in CIDR or MTCNA context. While technically binary-valid, it’s not recommended or standard for practical subnetting.
B. 255.255.192.255–Invalid, because the last octet is255, which implies all bits are 1s, but in the third octet only partial bits are set (192is11000000). This breaks the required rule of contiguous 1s followed by contiguous 0s.
C. 192.0.0.0–Invalid, as it doesn’t represent a valid subnet mask.192in the first octet (11000000) followed by zeros is not a valid mask – it's actually a network address, not a subnet mask.
D. 255.255.224.0–Valid subnet mask. This represents/19in CIDR notation. In binary:11111111.11111111.11100000.00000000, which follows the correct rule of contiguous 1s followed by contiguous 0s.
Extract from MTCNA Study Guide by René Meneses:
Subnet masks must be a continuous string of 1s followed by a continuous string of 0s. Any deviation or split between the blocks renders the mask invalid.
Extract from MTCNA Official Course Manual:
Valid subnet masks include values such as 255.0.0.0 (/8), 255.255.0.0 (/16), 255.255.255.0 (/24), and also non-classful masks like 255.255.224.0 (/19) are allowed and used for more flexible subnetting.
Conclusion:Option D is the only one meeting the criteria for a valid subnet mask as taught in the MTCNA curriculum.
===========
For user in local PPP Secrets/PPP Profiles database, it is possible to:
Allow/deny use of more than one login by this user
Allow login by PPPoE and PPTP, but deny login by L2TP
Set max values for transferred data (Rx/Tx)
Allow only PPPoE login
Deny services (like telnet) only for this user or for one group of users
The Answer Is:
A, B, DExplanation:
The local PPP database in MikroTik allows control over authentication and access for PPP-based services such as PPTP, L2TP, PPPoE, and SSTP. Several configuration options can be specified per user or profile.
A.✔Correct – You can use the "only-one" setting in PPP profiles to allow/deny multiple logins for the same user.
B.✔Correct – Under the "service" parameter in /ppp secret, you can restrict allowed protocols (e.g., enable PPPoE, PPTP, and disable L2TP).
C.✘Incorrect – Data transfer limits (Rx/Tx) are not enforced directly in PPP profiles or secrets. This is usually handled via queues or hotspot limitations.
D.✔Correct – By setting the "service" to only "pppoe", all other PPP types will be denied.
E.✘Incorrect – Access to services like telnet is managed via firewall rules or user groups, not in PPP profiles.
Extract from Official MTCNA Course Material – PPP Profiles:
“PPP Profiles control session parameters. You can limit simultaneous logins, restrict service types (e.g., PPPoE), and set IP pools.â€
Extract from René Meneses MTCNA Study Guide – PPP Configuration:
“Use the ‘only-one’ flag to control concurrent logins. The ‘service’ field allows or restricts protocol types per user.â€
Extract from Terry Combs MTCNA Notes – PPP Features:
“To allow a user access only via PPPoE or PPTP, adjust the service types in /ppp secret.â€
===========
Which type of encryption could be used to establish a connection with a simple passkey without using a 802.1X authentication server?
WPA PSK/WPA2 PSK
WPA EAP/WPA2 EAP
The Answer Is:
AExplanation:
Wireless encryption modes differ in how they authenticate clients:
WPA/WPA2 PSK (Pre-Shared Key): Uses a passphrase shared by all clients. No external authentication server (like RADIUS or 802.1X) is required. Simple and suitable for home or small networks.
WPA/WPA2 EAP: Uses 802.1X (Enterprise mode) and requires a centralized authentication server.
Option analysis:
A.✔Correct – Pre-Shared Key does not require 802.1X server
B.✘Incorrect – Requires EAP-based authentication with 802.1X infrastructure
Extract from Official MTCNA Course Material – Wireless Security:
“WPA PSK/WPA2 PSK uses a pre-shared password. WPA/WPA2 EAP requires 802.1X authentication with a RADIUS server.â€
Extract from René Meneses MTCNA Study Guide – Wireless Encryption:
“To use a simple password for connecting wireless clients, select WPA2-PSK. It does not require server-based authentication.â€
Extract from Terry Combs Notes – Wireless Security Profiles:
“WPA2 PSK = password-based; WPA2 EAP = 802.1X based. Use PSK for fast, simple authentication.â€
/interface wireless access-list is used for:
Handles a list of Client's MAC Address to permit/deny connection to AP
Shows a list of Client's MAC Address that are already registered at AP
Contains the security profiles settings
Authenticate Hot-Spot users
The Answer Is:
AExplanation:
The /interface wireless access-list in MikroTik is used to define a set of rules that permit or deny wireless clients based on their MAC addresses and signal strength.
This list applies only to clients trying to connect to the router’s wireless interface when it is configured as an Access Point.
Let’s break down the options:
A.✅Correct – Used to allow or deny client MAC addresses and apply settings like rate limits, VLANs, etc.
B.âŒThat’s the role of the registration table.
C.âŒSecurity profiles are configured separately under /interface wireless security-profiles.
D.âŒHotspot authentication is handled via /ip hotspot, not wireless access lists.
MTCNA Wireless Module – MAC Access Control:
“Access-list matches incoming clients by MAC. You can allow, deny, and apply custom settings.â€
René Meneses Study Guide – Wireless Security:
“Access-list is used to explicitly permit or block clients based on their MAC address.â€
Terry Combs Notes – Wireless Filtering:
“Think of access-list like a whitelist/blacklist for Wi-Fi clients.â€
Answer: AQUESTION NO: 65 [Firewall]
One host on an internal network is accessing an external web page through a MikroTik router that is doing source NAT. Select the correct statement about the packets that flow from that web page to the host:
A. Packets go through the input chain
B. Packets go through the forward chain
C. Packets go through the output chain
D. Packets go through the input chain before the routing decision and after that through output chain
Answer: B
When a host on a LAN accesses a website on the internet via a MikroTik router that’s performing source NAT (e.g., masquerade), the traffic path is as follows:
From LAN host to internet → forward chain → NAT (src-nat)
From internet back to LAN host → forward chain again → connection-tracked → src-nat reversed
Since the router is only routing the packets and is not the originator or final destination, the packet passes through the forward chain.
Clarifying the options:
A.âŒinput chain is for packets destined to the router itself
B.✅Correct – packet is routed through the router (forwarded)
C.âŒoutput chain is for packets originating from the router
D.âŒThis description applies to packets sourced by the router itself
MTCNA Course Manual – Packet Flow Diagram:
“Forward chain handles packets that are being routed through the device (not destined to or from the router itself).â€
René Meneses Guide – Firewall Chains:
“For routed traffic, the forward chain is used. This includes NATed traffic between LAN and WAN.â€
Terry Combs Notes – Packet Flow:
“Understand the router’s role. If it’s just forwarding, only the forward chain applies.â€
Answer: BWould you like to continue with Questions 66–70, or generate a full summary (PDF-style) of all 65 completed qu
What is a stub network?
A network with more than one exit point.
A network with more than one exit and entry point.
A network with only one entry and no exit point.
A network that has only one entry and exit point.
The Answer Is:
DExplanation:
A stub network is defined as a network segment that is accessible by only one path (single entry/exit point). It does not serve as a transit network for routing between other networks. Traffic entering or leaving the stub network must pass through a single interface.
MTCNA Course Material – Routing Concepts:
“A stub network is one that is connected to the rest of the network by a single router interface. It has only one entry and one exit point.â€
René Meneses MTCNA Study Guide – Routing Terms:
“Stub networks do not forward packets for other networks. They are endpoints with one route in and out.â€
Other options:
A/B: Describe transit networks, not stub
C: Misleading—stub has both entry and exit, but only through one path
D:✔Correct definition
Final Answer: DQUESTION NO: 130 [PPP – Protocol Functions]
What PPP protocol provides dynamic addressing, authentication, and multilink?
A. NCP
B. HDLC
C. LCP
D. X.25
Answer: C
LCP (Link Control Protocol) is responsible for establishing, configuring, and testing the data-link connection in PPP. It handles features such as:
Authentication (PAP/CHAP)
Link quality testing
Multilink (combining multiple connections)
Negotiating link options
MTCNA Course Material – PPP Configuration:
“LCP handles link configuration, authentication, multilink, and error detection. NCP handles network layer protocol configuration.â€
René Meneses MTCNA Study Guide – PPP Stack:
“LCP is the control protocol used to manage and negotiate the PPP connection, including authentication and multilink.â€
Other options:
A: NCP negotiates Layer 3 protocol settings (e.g., IP, IPX)
B: HDLC is a simpler Layer 2 protocol, no support for dynamic addressing or multilink
D: X.25 is a packet-switched WAN protocol, not part of PPP
Final Answer: CQUESTION NO: 131 [Switching – Spanning Tree Protocol (STP)]
In a network with dozens of switches, how many root bridges would you have?
A. 1
B. 2
C. 5
D. 12
Answer: A
Spanning Tree Protocol (STP) is used in Ethernet switching environments to prevent loops. In any STP domain, only one switch is elected as the root bridge. All other switches determine the shortest path to this root bridge and may block redundant paths.
MTCNA Course Material – STP Basics:
“STP ensures a loop-free topology by electing a single root bridge. All path calculations are made from the root bridge’s perspective.â€
René Meneses MTCNA Study Guide – STP and Loop Prevention:
“Only one root bridge exists per STP domain. Switches use BPDU messages to elect it based on bridge ID priority.â€
No matter how many switches exist (2, 10, or 50), only one root bridge is present at any time.
Final Answer: AQUESTION NO: 132 [IP Addressing – Classful Networking]
Which class of IP address has the most host addresses available by default?
A. A
B. B
C. C
D. A and B
Answer: A
Classful IP addressing reserves different address ranges and host counts:
Class A: 1.0.0.0 – 126.255.255.255 (/8) → 2^24 – 2 = 16,777,214 hosts
Class B: 128.0.0.0 – 191.255.255.255 (/16) → 2^16 – 2 = 65,534 hosts
Class C: 192.0.0.0 – 223.255.255.255 (/24) → 2^8 – 2 = 254 hosts
MTCNA Course Material – IP Address Classes:
“Class A has the largest number of hosts per network, over 16 million. Class B allows around 65,000, and Class C allows 254.â€
René Meneses MTCNA Study Guide – Classful IP Summary:
“Class A provides the most host addresses by default due to its /8 subnet.â€
Only Class A has the highest host count.
Firewall NAT rules process only the first packet of each connection.
True
False
The Answer Is:
AExplanation:
MikroTik’s NAT (Network Address Translation) is part of the connection tracking mechanism. NAT rules are applied only to the first packet of a connection. Subsequent packets belonging to the same connection are automatically handled by the connection tracking module using the same translation mappings established by that first packet.
Option Analysis:
A.✔True – NAT is evaluated only on the first packet of a new connection.
B.✘False – Subsequent packets are not re-evaluated against NAT rules.
Extract from Official MTCNA Course Material – Firewall & NAT Section:
“NAT rules apply to the first packet in a connection. After that, RouterOS uses the tracked connection entry.â€
Extract from René Meneses MTCNA Study Guide – NAT & Firewall Concepts:
“Once the initial packet matches a NAT rule, connection tracking applies it to the whole session.â€
Extract from MikroTik Wiki – NAT Implementation:
“NAT is evaluated on the first packet. Other packets in the same connection follow the established NAT mapping.â€
===========
It is possible to create an encrypted PPPoE tunnel in RouterOS:
True
False
The Answer Is:
BExplanation:
PPPoE (Point-to-Point Protocol over Ethernet) does not natively support encryption. It provides authentication using PAP/CHAP and allows IP assignment, but any data transmitted through a PPPoE tunnel is unencrypted unless another encryption mechanism (such as IPSec) is used on top of it.
MikroTik RouterOS supports encrypted tunneling protocols such as SSTP, L2TP/IPSec, or OpenVPN, but not native encryption in PPPoE.
MTCNA Course Manual – PPP Protocols Overview:
“PPPoE supports user authentication and compression but not encryption by itself.â€
René Meneses Study Guide – Tunneling Protocols:
“PPPoE is not secure by design. If encryption is needed, use SSTP or L2TP/IPSec.â€
Terry Combs Notes – PPP Protocol Capabilities:
“PPPoE does not encrypt data. Only authentication is handled within PPP.â€
Answer: BQUESTION NO: 36 [Wireless]
Why is it useful to set a Radio Name on the radio interface?
A. To identify a station in the Access List
B. To identify a station in Neighbor discovery
C. To identify a station in a list of connected clients
Answer: C
Setting a Radio Name in RouterOS provides a unique identifier that is visible to other devices in the wireless environment. It is particularly helpful for identifying connected clients in the registration table on the Access Point.
This name does not affect Access List matching or general Layer 2 communication — it’s used for human readability and monitoring.
A. Access List uses MAC addresses for filtering →âŒ
B. Neighbor discovery identifies devices based on MAC, IP, and identity →âŒ
C. Correct → Radio Name shows up in the registration table and helps identify stations✅
MTCNA Wireless Module – Interface Settings:
“The Radio Name is shown in the registration table of access points, making it easier to identify connected clients.â€
René Meneses Guide – Wireless Management Tips:
“Use Radio Names to label devices in multi-client setups. It appears under registration when clients connect.â€
Terry Combs Notes – Wireless Interface Options:
“Radio Name is not used for access filtering — it’s for display and diagnostics.â€
Answer: CQUESTION NO: 37 [DHCP]
A DHCP server is configured on a LAN interface which is a port on a bridge. The DHCP server does not start. What could be the reason(s)?
A. The DHCP server cannot run on an interface which is also a bridge port
B. There might not be an IP address assigned to the LAN Interface
C. The IP address pool could be incorrectly defined
D. There may be multiple IP addresses set on the LAN interface
Answer: B, C
For a DHCP server to operate properly, the following conditions must be met:
The DHCP server must be attached to the correct interface (typically the bridge, not individual ports).
The bridge interface must have a valid IP address.
The IP address pool must be defined correctly (matching subnet, avoiding conflicts).
Let’s evaluate:
A.âŒIncorrect. DHCP can run on a bridge or an interface on a bridge. It is recommended to attach DHCP to the bridge, not individual ports.
B.✅Correct. If there is no IP address on the interface (bridge), DHCP won’t start.
C.✅Correct. If the address pool is misconfigured (e.g., outside the subnet or overlapping with the router’s IP), DHCP won’t function.
D.âŒNot a valid blocker. Multiple IPs can exist on the interface; DHCP still works if one is valid.
MTCNA DHCP Module – Configuration Troubleshooting:
“Make sure that the interface (bridge) where the DHCP server is assigned has a valid IP and a properly defined pool.â€
René Meneses Guide – DHCP Server Setup:
“DHCP will not function if no IP is assigned to the interface. Check the pool range and binding address.â€
Terry Combs Notes – DHCP Tips:
“Assign the DHCP server to the bridge, not individual ports. Missing IP or incorrect pool = DHCP won’t start.â€
Answer: B, CQUESTION NO: 38 [PPP]
There can be more than one PPPoE server in a single broadcast domain:
A. True
B. False
Answer: A
Yes, it is possible — and fully supported — to run multiple PPPoE servers in the same Layer 2 broadcast domain. Clients will receive Offer packets (PADO) from all PPPoE servers, and can choose which one to connect to based on configuration or server name (service name).
This is commonly used in ISP networks to provide redundancy or offer different service types.
MTCNA Course Manual – PPPoE Deployment:
“Multiple PPPoE servers may exist in the same Layer 2 domain. Clients choose based on response or service name.â€
René Meneses Study Guide – PPPoE Operations:
“PPPoE discovery protocol supports multi-server environments. Clients may be configured to select a preferred one.â€
Terry Combs Notes – PPPoE Server Design:
“Several PPPoE servers can coexist. Just avoid assigning overlapping IP pools.â€
PPPoE server only works within one Ethernet broadcast domain that it is connected to. If there is a router between server and end-user host, it will not be able to create PPPoE tunnel to that PPPoE server.
False
True
The Answer Is:
BExplanation:
PPPoE (Point-to-Point Protocol over Ethernet) relies on Ethernet broadcast and discovery mechanisms. It uses a discovery stage (PPPoE Active Discovery Initiation – PADI) which is sent as a broadcast. Therefore, PPPoE only works within the same Layer 2 broadcast domain.
If a router (Layer 3 device) exists between the client and PPPoE server, it breaks the Layer 2 broadcast domain, making it impossible for the client to reach the server.
A.✘False – Routers break the broadcast domain; PPPoE will fail.
B.✔True – PPPoE requires L2 adjacency.
Extract from Official MTCNA Course Material – PPPoE Concepts:
“PPPoE operates only over Ethernet broadcast domains. If routed, PADI packets will not reach the PPPoE server.â€
Extract from René Meneses MTCNA Study Guide – PPPoE:
“PPPoE discovery is broadcast-based and does not traverse routers.â€
Extract from MikroTik Wiki – PPPoE Limitations:
“PPPoE cannot function over routed networks. Server and client must be in the same broadcast domain.â€
===========
