MikroTik MikroTikCertified Network Associate Exam MTCNA Exam Dumps: Updated Questions & Answers (September 2025)

The log action in MikroTik's firewall does not block or drop packets. Instead, it generates a log entry for packets that match the rule and passes the packet to the next rule in the chain. It is used for monitoring, debugging, or auditing network behavior.

MTCNA Official Course Material – Firewall Filters:

“The action 'log' creates a log entry when a packet matches the rule. It does not terminate or alter the packet's flow. The packet continues to be processed by subsequent rules.”

René Meneses MTCNA Study Guide – Firewall Logging:

“Log action is used to generate logs for matched packets. It does not block or modify traffic.”

MikroTik Wiki – Firewall Actions:

“log – This action writes matching packets to the log. Logging rules have no effect on the packet’s behavior.”

Hence, Option D is correct: It logs the packet, nothing more.

Final Answer: DQUESTION NO: 86 [Firewall]

Which of the following is true for connection tracking?

A. Connection tracking must be enabled for NAT'ed network

B. Enabling connection tracking reduces CPU usage in RouterOS

C. Disable connection tracking for mangle to work

D. Connection tracking must be enabled to be able to use all firewall features

Answer: D

Connection tracking (conntrack) is a feature that enables RouterOS to monitor and manage the state of all network connections passing through the router. It is essential for features like NAT, stateful firewalling, and proper use of mangle and filter rules.

MTCNA Course Material – Connection Tracking:

“Most firewall and NAT functionality depends on connection tracking being enabled. Without connection tracking, many features (like NAT) won’t function properly.”

René Meneses MTCNA Study Guide – Firewall Section:

“Connection tracking is required for NAT and most firewall filters. When disabled, connection-state-based filtering or NAT is not possible.”

Terry Combs MTCNA Notes – Conntrack Section:

“Conntrack must be enabled to use full firewall capabilities, including NAT and filtering by connection states like established and related.”

Option A is partially true but not complete.

Option B is incorrect – conntrack may increase CPU load due to session tracking.

Option C is incorrect – mangle rules often depend on connection marks which require conntrack.

Only Option D accurately captures the critical requirement of connection tracking.

Final Answer: DQUESTION NO: 87 [RouterOS Introduction]

Which of the following keystrokes enables safe mode in console?

A. Ctrl+x

B. Ctrl+c

C. Ctrl+d

D. Ctrl+s

Answer: D

Safe Mode in MikroTik CLI is a protective mode that helps revert any unintended changes if you get disconnected. It is activated by pressing Ctrl+X in older versions, but the current standard keybinding for enabling safe mode is Ctrl+S.

MTCNA Course Material – Safe Mode:

“To enable safe mode in the terminal, press Ctrl+S. A confirmation [Safe Mode] will appear in the prompt. If the terminal is closed or disconnected, the changes are rolled back.”

René Meneses MTCNA Study Guide – Terminal Commands:

“Safe Mode can be activated using Ctrl+S. This is useful during remote configuration. It reverts changes if the terminal is closed.”

MikroTik Wiki – Safe Mode Section:

“To enter safe mode, press Ctrl+S in CLI. This ensures configuration rollback if disconnected.”

Other options:

Ctrl+C terminates commands or CLI input

Ctrl+X may not activate safe mode in newer versions

Ctrl+D is used to log out in some Unix-like terminals

Correct answer: Ctrl+S

Final Answer: DQUESTION NO: 88 [Wireless]

Select minimal set of software packages in RouterOS required to configure a wireless AP:

A. Wireless

B. advanced-tools

C. dhcp

D. routing

E. system

Answer: A

To configure a wireless access point (AP) in RouterOS, the only required software package is wireless. All other functionalities like DHCP or routing are optional depending on the network setup. The system package is always present and not removable, so it's not listed as a required dependency in package selection.

MTCNA Course Material – Wireless Configuration Basics:

“Wireless functionality is provided by the wireless package. Without it, no wireless interfaces are present or configurable.”

René Meneses MTCNA Guide – Wireless Module:

“Only the wireless package is required to configure an AP. DHCP is used optionally for IP address assignment.”

MikroTik Wiki – Packages:

“The wireless package is responsible for enabling WLAN interfaces and features such as AP mode, client mode, and security.”

Other packages:

advanced-tools: includes tools like bandwidth-test and traffic generator

dhcp: only needed if the router is issuing IPs

routing: required for static/dynamic routing but not AP setup

Only Option A is required.

MikroTik RouterOS uses the /system scheduler to execute scripts or commands at defined times or intervals. It allows for automation of tasks such as backups, reboots, updates, and more.

Evaluation:

A. /system watchdog →❌Used for hardware monitoring and rebooting if the system freezes.

B. /system cron →❌Not available in MikroTik RouterOS (RouterOS doesn’t use cron syntax).

C. /system scheduler →✅Correct. Built-in RouterOS feature for scheduled command execution.

MTCNA Course Manual – System Scheduler Section:

“Use /system scheduler to run scripts or commands at regular intervals or specific times.”

René Meneses Guide – Automating Tasks:

“Scheduler is the only built-in time-based job handler in RouterOS.”

Terry Combs Notes – Script Automation:

“RouterOS uses scheduler, not cron. Schedule by time or interval.”

Answer: CQUESTION NO: 67 [Firewall / Tools]

Where can you monitor (see addresses and ports) real-time connections which are processed by the router?

A. Firewall Connection Tracking

B. Firewall Counters

C. Tool Torch

D. Queue Tree

Answer: A

Firewall Connection Tracking (also known as conntrack) is used to monitor real-time connections that pass through the router. It shows source and destination IPs, ports, protocols, connection states (established, new, related), and more.

Let’s evaluate the options:

A.✅Correct – Shows live connection table with IPs, ports, and statuses

B.❌Shows rule match counters only — no detailed connection info

C.❌Torch shows per-interface traffic; useful for bandwidth, but not a connection list

D.❌Queue Tree is used for traffic shaping, not for viewing connections

MTCNA Course Manual – Firewall Concepts:

“Connection tracking shows all active sessions through the router with IP and port details.”

René Meneses Guide – Firewall Tools:

“Use connection tracking to diagnose connection states and NAT behavior.”

Terry Combs Notes – Monitoring Tools:

“conntrack is your real-time connection monitor. Torch is per-interface, not per-flow.”

Answer: AQUESTION NO: 68 [Wireless]

How many wireless clients can connect, when wireless card is configured to mode=bridge?

A. 1

B. 100

C. 2007

D. 2

Answer: A

In MikroTik RouterOS, if a wireless card is configured to mode=bridge (also referred to as "station-bridge"), it can only be used to connect a single client device (MAC address) behind it. This is due to limitations in how 802.11 bridges MAC addresses.

So:

A.✅Correct – Only 1 MAC address can pass via wireless bridge mode (unless using WDS or 4-address mode)

B, C →❌Too many clients for bridge mode

D.❌Incorrect – Still only one client allowed per interface in bridge mode

MTCNA Wireless Module – Wireless Modes:

“Bridge mode allows one client only unless extended bridging protocols are used.”

René Meneses Guide – Wireless Bridging:

“mode=bridge = one MAC behind the station. Use WDS for multiple MACs.”

Terry Combs Notes – Wireless Modes:

“Station-bridge mode works like Ethernet, but only supports one MAC address unless using WDS.”

Answer: AQUESTION NO: 69 [Routing]

In the Route List, the identification DAb for a route stands for:

A. direct - active - bgp

B. direct - acknowledge - backup

C. dynamic - active - backup

D. dynamic - active - bgp

Answer: D

In MikroTik RouterOS, route flags provide quick insight into how the route was created and its status:

D = Dynamic → The route was added dynamically by a protocol (like BGP, OSPF, RIP)

A = Active → This route is currently being used

b = BGP → Indicates that the route was learned via the BGP routing protocol

Therefore, DAb means:

→ D = Dynamic

→ A = Active

→ b = BGP

MTCNA Routing Section – Route Flags Explanation:

“D = dynamically added, A = currently active, b = learned via BGP.”

René Meneses Guide – Understanding Route Lists:

“DAb → dynamic + active + BGP route. Route is learned and installed via BGP.”

Terry Combs Notes – Route Symbols:

“Check the route list: b = BGP, o = OSPF, r = RIP, s = static, c = connected.”

The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a communication system into seven distinct layers. It is used to understand and design computer networking systems.

The seven layers of the OSI model are:

Application

Presentation

Session

Transport

Network

Data Link

Physical

Each layer has its own specific purpose and interacts with adjacent layers to perform data transmission functions.

MTCNA Official Course Material – OSI Model Chapter:

“The OSI model consists of 7 layers. Understanding these layers is critical for troubleshooting and protocol analysis.”

René Meneses MTCNA Study Guide – OSI Model Section:

“There are exactly seven OSI layers. They range from the Physical Layer (Layer 1) to the Application Layer (Layer 7).”

Terry Combs Notes – OSI Summary Page:

“OSI = 7 Layers. The most important ones for network engineers are Layer 1 through Layer 4.”

Answer: DQUESTION NO: 13 [Routing]

How many usable IP addresses are there in a 20-bit subnet?

A. 4096

B. 4094

C. 2046

D. 2048

E. 2047

Answer: B

A /20 subnet means that 20 bits are used for the network portion, and 12 bits are left for host addresses. The total number of IP addresses available in such a subnet is:

2^12 = 4096 (total addresses)

Usable IP addresses = 4096 - 2 = 4094

→ (1 address is reserved for the network ID, and 1 for the broadcast address)

MTCNA Course Manual – Subnetting and IP Allocation:

“A subnet with n host bits gives 2^n total addresses. Always subtract 2 to account for network and broadcast addresses.”

René Meneses Study Guide – Subnet Calculations:

“/20 = 12 host bits → 4096 total IPs. Usable = 4094. Remember to subtract 2.”

Terry Combs MTCNA Notes – Addressing Math:

“20-bit subnet = 4094 usable IPs. Know how to compute 2^x and subtract 2.”

Answer: BQUESTION NO: 14 [Routing]

You have a router with configuration

Public IP: 202.168.125.45/24

Default gateway: 202.168.125.1

DNS server: 248.115.148.136, 248.115.148.137

Local IP: 192.168.2.1/24

Mark the correct configuration on client PC to access the Internet:

A. IP: 192.168.0.1/24, gateway: 192.168.2.1

B. IP: 192.168.2.253/24, gateway: 202.168.0.1

C. IP: 192.168.2.115/24, gateway: 192.168.2.1

D. IP: 192.168.2.2/24, gateway: 202.168.125.45

E. IP: 192.168.1.223/24, gateway: 248.115.148.136

Answer: C

To correctly configure a host in a private network behind a router:

The IP must match the local subnet (192.168.2.0/24)

The gateway must be the router’s local IP (192.168.2.1)

DNS settings can be default or custom, but IP and gateway must be valid

Let’s evaluate:

A. 192.168.0.1 → Wrong subnet (192.168.0.0/24 ≠ 192.168.2.0/24)❌

B. Gateway 202.168.0.1 → Invalid internal gateway❌

C. IP 192.168.2.115 with gateway 192.168.2.1 →✅Correct subnet and correct gateway

D. Gateway 202.168.125.45 → This is router’s public IP, not the correct gateway for LAN❌

E. IP 192.168.1.223 → Wrong subnet; also, gateway is DNS IP❌

MTCNA NAT Section – Network Configuration:

“Clients should be in the same subnet as the router’s local IP and must use that local IP as their gateway to reach outside networks.”

René Meneses Guide – Gateway and Addressing:

“The client’s IP should belong to the same subnet as the local router interface. Always verify gateway IP points to the internal address.”

Terry Combs Notes – Default Gateway Setup:

“The default gateway for local clients must be the internal router IP — not the public or DNS IP.”

Answer: CQUESTION NO: 15 [RouterBOARD Hardware]

Collisions are possible in full-duplex Ethernet networks:

A. true

B. false

Answer: B

In full-duplex Ethernet, devices can transmit and receive simultaneously on separate physical or logical channels. This eliminates the possibility of collisions because there is no need for devices to listen before transmitting — unlike half-duplex Ethernet, which uses CSMA/CD to manage potential collisions.

Full-duplex connections are the standard in modern switching environments and are always collision-free.

MTCNA Official Course Material – Ethernet & Duplex Modes:

“In full-duplex Ethernet, there are separate transmit and receive paths, and therefore, collisions cannot occur.”

René Meneses Study Guide – Ethernet Basics:

“Full-duplex = simultaneous send/receive = no collisions. Collisions are a legacy issue from half-duplex Ethernet.”

Terry Combs MTCNA Notes – CSMA/CD and Ethernet:

“Collision Detection (CD) is not used in full-duplex. Only half-duplex environments use CSMA/CD to manage access.”

Destination NAT (dst-nat) is used to redirect packets arriving at the router to a different internal destination. It is most commonly used to allow public access to internal services such as web servers or mail servers.

You can:

Change the destination IP address (redirect to an internal host)

Change the destination port (e.g., port 8080 to port 80)

But:

C. Changing the source port is a function of src-nat, not dst-nat →❌

D. Hiding the local network from the Internet is done via masquerade or src-nat →❌

MTCNA Course Manual – NAT Section:

“Use dst-nat to forward traffic to a private host. Port translation can also be applied (e.g., from 81 to 80).”

René Meneses Study Guide – NAT Configuration:

“dst-nat changes the destination IP/port of packets arriving on a specific interface. Common use case: access to LAN services from WAN.”

Terry Combs Notes – NAT Rule Summary:

“dst-nat = port forwarding. src-nat/masquerade = hide internal addresses.”

Answer: A, BQUESTION NO: 48 [RouterOS Introduction]

Which is the default port of IP-Winbox?

A. UDP 8291

B. TCP 80

C. TCP 8291

D. TCP 8192

Answer: C

Winbox is MikroTik’s GUI-based configuration tool. It communicates with RouterOS over TCP port 8291 by default. This port is used for both IP-based Winbox connections and MAC-based sessions (in combination with layer-2 discovery protocol).

Evaluation:

A. UDP 8291 →❌Wrong protocol

B. TCP 80 →❌Used for HTTP (WebFig)

C. TCP 8291 →✅Correct default Winbox port

D. TCP 8192 →❌Invalid / non-standard

MTCNA Course Manual – RouterOS Management Tools:

“Winbox uses TCP port 8291 by default. It is possible to change this port in the /ip service settings.”

René Meneses MTCNA Guide – Winbox Access:

“Default access via TCP 8291. Check firewall filters to ensure it’s not blocked.”

Terry Combs Notes – Remote Management:

“Winbox = TCP/8291. WebFig = TCP/80 or 443.”

Answer: CQUESTION NO: 49 [PPP]

It is possible to create an encrypted PPPoE tunnel in RouterOS:

A. true

B. false

Answer: B

PPPoE (Point-to-Point Protocol over Ethernet) does not include encryption by default. It can authenticate users using PAP or CHAP, but the data payload is transmitted in cleartext unless another secure tunneling protocol (e.g., IPSec) is layered on top.

MikroTik supports encryption in other tunneling protocols, such as:

SSTP (uses SSL)

L2TP with IPSec

OpenVPN (SSL-based)

IPsec itself (for IP layer encryption)

MTCNA Tunneling Chapter – PPP Protocol Features:

“PPPoE offers authentication, compression, but no native encryption. Use IPSec if encryption is needed.”

René Meneses Guide – Tunnel Comparison Table:

“PPPoE is not encrypted. SSTP and L2TP/IPSec are alternatives when encryption is a requirement.”

Terry Combs Notes – PPP Family Summary:

“PPPoE: Authentication = Yes, Encryption = No. Use with caution over untrusted networks.”

Answer: BQUESTION NO: 50 [Wireless]

Why is it useful to set a Radio Name on the radio interface?

A. To identify a station in a list of connected clients

B. To identify a station in Neighbor discovery

C. To identify a station in the Access List

Answer: A

The Radio Name is a human-readable identifier assigned to a wireless interface. It becomes visible in the Registration Table (i.e., the list of connected clients) on an access point. It helps network administrators distinguish between multiple connected devices.

Evaluation:

A.✅Correct — Radio Name is shown in the Registration Table (list of connected clients)

B.❌Neighbor discovery uses MAC and device identity, not radio name

C.❌Access List uses MAC addresses, not radio name, for matching

MTCNA Wireless Module – Interface Settings:

“Radio Name is shown in the registration table on the AP. It helps in client identification.”

René Meneses Guide – Wireless Monitoring:

“The AP uses the client’s Radio Name to label them in the list of associated stations.”

Terry Combs Notes – Best Practice:

“Set radio-name so you can easily tell which device is which in the registration list.”

Answer: A

MikroTik RouterOS supports running multiple dynamic routing protocols simultaneously, including RIP, OSPF, and BGP. They are independent processes and can be configured in parallel. This is commonly used in complex network environments or during routing migrations.

A.✔FALSE – You can run OSPF and RIP at the same time.

B.✘TRUE – Incorrect; both protocols are fully supported to coexist.

Extract from MTCNA Course Material – Dynamic Routing:

“RouterOS supports multiple dynamic routing protocols, including simultaneous use of RIP and OSPF.”

Extract from René Meneses Study Guide – Routing Protocols:

“You can configure both RIP and OSPF to run at the same time on a single router.”

Extract from MikroTik Wiki – Routing Overview:

“RouterOS allows multiple routing protocols to operate concurrently.”

===========

MikroTik RouterOS allows DHCP administrators to modify the DHCP address pool without creating an additional DHCP server. You can simply edit or extend the address pool range, and the DHCP server will start offering those new IPs.

Therefore, it is completely possible to:

Extend the existing address pool

Exclude statically assigned IPs

Continue using the same DHCP Server instance

You do NOT need to create a second DHCP server on the same interface.

MTCNA Course Manual – DHCP Configuration:

“It is possible to expand the address-pool dynamically without adding additional DHCP servers. Just add more IPs to the pool.”

René Meneses Study Guide – DHCP Pools Section:

“You can edit the address pool associated with the DHCP server anytime to include more addresses. No need to create another server.”

Terry Combs Notes – DHCP Tips:

“Keep one DHCP server per subnet. Extend pools via IP > Pool if more IPs are needed.”

Answer: AQUESTION NO: 25 [Wireless]

In which order are the entries in Access List and Connect List processed?

A. By Signal Strength Range

B. By interface name

C. In sequence order

D. In a random order

Answer: C

MikroTik processes the entries in the Access List and Connect List in a top-down fashion —meaning that the first matching entry is the one applied. This is known as sequence order (from top to bottom).

Each rule is checked in the order it appears in the list, and once a match is found, the rest of the list is ignored for that client.

Incorrect options:

A. Signal strength is only a condition, not a sorting method

B. Interface names are part of rule conditions

D. Not random — rules are processed sequentially

MTCNA Official Training Manual – Wireless Access & Connect List:

“Rules in access-list and connect-list are checked in the order they are listed. Once a match is found, further rules are ignored.”

René Meneses Guide – Wireless Access Rules:

“Access-list is evaluated top-down. Sequence matters.”

Terry Combs MTCNA Notes – Wireless Filtering:

“Be careful with order. The first matching rule is applied — no exceptions.”

Answer: CQUESTION NO: 26 [Wireless]

During a scan, in order to see all the available wireless frequencies that are supported by the card, the following option must be selected in the wireless card's "Frequency Mode":

A. superchannel

B. regulatory domain

C. manual txpower

Answer: A

In MikroTik RouterOS, enabling the "superchannel" frequency mode allows access to all frequencies supported by the wireless chip, including those that may be outside of country-specific regulatory limits. This mode is typically used in lab testing or in regions where regulations permit.

A. superchannel →✅Correct. Enables full frequency range

B. regulatory domain → Restricts visible frequencies to region’s law

C. manual txpower → Controls power output, not frequency scanning

MTCNA Course Material – Wireless Configuration Options:

“To unlock all available wireless frequencies for scanning or connection, enable the 'superchannel' frequency mode.”

René Meneses Study Guide – Wireless Advanced Config:

“Superchannel mode shows all channels supported by the hardware. Use with caution — may violate regulations.”

Terry Combs Notes – Wireless Modes:

“Want to see hidden or extended frequencies? Use superchannel mode. Not legal in every region.”

Answer: AQUESTION NO: 27 [NAT]

It is required to make a web server on a private LAN visible on the public internet. Only the web server port should be visible to the public. Which of the following configuration steps must be met? (Select all that apply)

A. Public IP address of the web server must be installed on the NAT Router

B. In IP firewall NAT, there should be a dst-nat between the public IP of the router and the private IP of the web server

C. Connection Tracking must be enabled on NAT router

D. A route between the NAT router and the web server must exist

E. LAN address of the web server should be routable on the internet

Answer: B, C, D

To expose a web server behind a MikroTik router to the public, the following steps must be met:

B. dst-nat rule must be created to forward incoming requests (e.g., TCP port 80) to the internal web server IP →✅Required

C. Connection Tracking must be enabled, otherwise NAT rules won’t function →✅Required

D. A route between the NAT router and the web server must exist (usually a directly connected subnet) →✅Required

Incorrect Options:

A. The public IP does not need to be installed on the web server — it remains private →❌

E. Private LAN IP (like 192.168.x.x) does not need to be routable on the internet →❌

MTCNA Course Manual – NAT and Port Forwarding Section:

“To expose internal services to the public internet, use dst-nat. Ensure connection tracking is active and the server is reachable through routing.”

René Meneses Guide – NAT Configuration:

“DST-NAT forwards specific ports to internal IPs. Connection tracking is a prerequisite. LAN IPs remain private.”

Terry Combs Notes – Web Server NAT Rules:

“No need to assign public IP to server. Just configure a proper NAT rule and ensure routing exists internally.”

════════════════════════════════════════════

The “Area” parameter is a user-defined tag in the wireless interface configuration that works with the Access List in MikroTik RouterOS. It allows grouping of clients or APs for filtering or configuration logic.

When an Access List rule includes an area name, it will only apply to devices matching that area.

Option breakdown:

A. Connect List → Incorrect. Area is not used here.

B. Access List →✔Correct. “Area” is matched directly in Access List rules.

C. None of these → Incorrect.

D. Security Profile → Incorrect. Security Profiles control authentication/encryption, not area filtering.

Extract from Official MTCNA Course Material – Wireless Access List:

"The Area field allows you to group wireless interfaces and filter clients based on Access List rules that include this tag."

Extract from Terry Combs Notes – Wireless Configuration:

“Area is a label that can be referenced in Access List rules to apply rules selectively.”

Extract from MikroTik Wiki – Wireless Access List Section:

"Area is used in Access List to assign rules based on interface groups or locations."

PPPoE (Point-to-Point Protocol over Ethernet) does not natively support encryption. It provides authentication using PAP/CHAP and allows IP assignment, but any data transmitted through a PPPoE tunnel is unencrypted unless another encryption mechanism (such as IPSec) is used on top of it.

MikroTik RouterOS supports encrypted tunneling protocols such as SSTP, L2TP/IPSec, or OpenVPN, but not native encryption in PPPoE.

MTCNA Course Manual – PPP Protocols Overview:

“PPPoE supports user authentication and compression but not encryption by itself.”

René Meneses Study Guide – Tunneling Protocols:

“PPPoE is not secure by design. If encryption is needed, use SSTP or L2TP/IPSec.”

Terry Combs Notes – PPP Protocol Capabilities:

“PPPoE does not encrypt data. Only authentication is handled within PPP.”

Answer: BQUESTION NO: 36 [Wireless]

Why is it useful to set a Radio Name on the radio interface?

A. To identify a station in the Access List

B. To identify a station in Neighbor discovery

C. To identify a station in a list of connected clients

Answer: C

Setting a Radio Name in RouterOS provides a unique identifier that is visible to other devices in the wireless environment. It is particularly helpful for identifying connected clients in the registration table on the Access Point.

This name does not affect Access List matching or general Layer 2 communication — it’s used for human readability and monitoring.

A. Access List uses MAC addresses for filtering →❌

B. Neighbor discovery identifies devices based on MAC, IP, and identity →❌

C. Correct → Radio Name shows up in the registration table and helps identify stations✅

MTCNA Wireless Module – Interface Settings:

“The Radio Name is shown in the registration table of access points, making it easier to identify connected clients.”

René Meneses Guide – Wireless Management Tips:

“Use Radio Names to label devices in multi-client setups. It appears under registration when clients connect.”

Terry Combs Notes – Wireless Interface Options:

“Radio Name is not used for access filtering — it’s for display and diagnostics.”

Answer: CQUESTION NO: 37 [DHCP]

A DHCP server is configured on a LAN interface which is a port on a bridge. The DHCP server does not start. What could be the reason(s)?

A. The DHCP server cannot run on an interface which is also a bridge port

B. There might not be an IP address assigned to the LAN Interface

C. The IP address pool could be incorrectly defined

D. There may be multiple IP addresses set on the LAN interface

Answer: B, C

For a DHCP server to operate properly, the following conditions must be met:

The DHCP server must be attached to the correct interface (typically the bridge, not individual ports).

The bridge interface must have a valid IP address.

The IP address pool must be defined correctly (matching subnet, avoiding conflicts).

Let’s evaluate:

A.❌Incorrect. DHCP can run on a bridge or an interface on a bridge. It is recommended to attach DHCP to the bridge, not individual ports.

B.✅Correct. If there is no IP address on the interface (bridge), DHCP won’t start.

C.✅Correct. If the address pool is misconfigured (e.g., outside the subnet or overlapping with the router’s IP), DHCP won’t function.

D.❌Not a valid blocker. Multiple IPs can exist on the interface; DHCP still works if one is valid.

MTCNA DHCP Module – Configuration Troubleshooting:

“Make sure that the interface (bridge) where the DHCP server is assigned has a valid IP and a properly defined pool.”

René Meneses Guide – DHCP Server Setup:

“DHCP will not function if no IP is assigned to the interface. Check the pool range and binding address.”

Terry Combs Notes – DHCP Tips:

“Assign the DHCP server to the bridge, not individual ports. Missing IP or incorrect pool = DHCP won’t start.”

Answer: B, CQUESTION NO: 38 [PPP]

There can be more than one PPPoE server in a single broadcast domain:

A. True

B. False

Answer: A

Yes, it is possible — and fully supported — to run multiple PPPoE servers in the same Layer 2 broadcast domain. Clients will receive Offer packets (PADO) from all PPPoE servers, and can choose which one to connect to based on configuration or server name (service name).

This is commonly used in ISP networks to provide redundancy or offer different service types.

MTCNA Course Manual – PPPoE Deployment:

“Multiple PPPoE servers may exist in the same Layer 2 domain. Clients choose based on response or service name.”

René Meneses Study Guide – PPPoE Operations:

“PPPoE discovery protocol supports multi-server environments. Clients may be configured to select a preferred one.”

Terry Combs Notes – PPPoE Server Design:

“Several PPPoE servers can coexist. Just avoid assigning overlapping IP pools.”

Netinstall is a MikroTik utility used to reinstall or repair RouterOS on RouterBOARD devices. It can be used to:

Reinstall RouterOS while preserving the existing license (✔B)

Install a different version of RouterOS – either older or newer (✔C)

Limitations:

A.✘Incorrect – Netinstall will erase the configuration; it cannot recover a lost admin password without wiping the device.

D.✘Incorrect – You can only install software meant for the specific hardware architecture of the RouterBOARD.

Extract from Official MTCNA Course Material – Netinstall Tool:

“Netinstall can be used to reinstall RouterOS and change its version. It does not erase the license key.”

Extract from René Meneses MTCNA Study Guide – Recovery Tools:

“Netinstall allows you to load any RouterOS version compatible with your device. It does not delete the license.”

Extract from MikroTik Wiki – Netinstall Overview:

“Netinstall reinstalls the OS, can change versions, and retains license. It cannot recover configuration or passwords.”

In MikroTik RouterOS, the masquerade action is used in source NAT (srcnat) rules to hide internal/private IP addresses behind a router’s public IP address. This is typically done for internet access from a LAN where the devices have private IP addresses (e.g., 192.168.x.x).

Masquerade dynamically changes the source IP of outgoing packets to the IP address of the router’s outbound interface, allowing multiple internal devices to share a single public IP.

Let’s evaluate the options:

A. masquerade →✅Correct. Used to perform source NAT for hiding private addresses.

B. allow →❌Not a valid NAT action.

C. passthrough →❌Used in mangle rules to continue processing additional rules, not for NAT.

D. tarpit →❌Used to delay TCP connections (often in firewall, not NAT).

MTCNA Course Manual – NAT Chapter:

“Masquerade is a special form of source NAT where the router replaces the source IP with the IP address of the outgoing interface.”

René Meneses Guide – NAT Configuration:

“Use masquerade on the router’s WAN interface to give internet access to private clients.”

Terry Combs Notes – NAT Rule Actions:

“Masquerade = dynamic src-nat. Useful when public IP is dynamic or unknown.”

Answer: AQUESTION NO: 62 [PPP / AAA]

Router A and B are both running as PPPoE servers on different broadcast domains of your network. It is possible to set Router A to use "/ppp secret" accounts from Router B to authenticate PPPoE customers.

A. true

B. false

Answer: B

/ppp secret accounts are local to each RouterOS device. These credentials are stored in the router’s own configuration and cannot be shared directly between routers.

To centralize authentication across multiple routers, a RADIUS server must be used. With RADIUS, multiple MikroTik routers can authenticate users against a single, centralized user database.

Without RADIUS or another external AAA system:

Each router maintains its own /ppp secret list

Router A cannot directly read or use the /ppp secrets from Router B

Evaluation:

A.❌False. There is no built-in mechanism for Router A to access secrets on Router B.

B.✅Correct. You must use RADIUS if you want shared authentication across routers.

MTCNA PPP Module – Authentication Methods:

“/ppp secrets are stored locally on the router. For shared user authentication, configure RADIUS.”

René Meneses Study Guide – PPPoE and RADIUS:

“To authenticate clients on multiple routers with a central database, RADIUS is required.”

Terry Combs Notes – PPP Secrets vs RADIUS:

“Local secrets cannot be accessed remotely. Use RADIUS to centralize authentication.”

Answer: B