If a packet comes to a router and starts a new, previously unseen connection, which connection state would be applied to it?
no connection state would be applied to such packet
new
unknown
invalid
established
MikroTik uses connection tracking to assign states to packets that pass through the router’s firewall. When a packet initiates a connection that is not previously tracked, it is marked as new.
Connection states:
new: First packet of a new connection
established: Part of an existing tracked connection
related: New connection related to an existing one (e.g., FTP data channel)
invalid: Unrecognized or malformed connection
unknown: Used in very specific or rare circumstances (not common in IP-based networks)
Therefore:
A.✘Incorrect – All packets entering the firewall are tracked
B.✔Correct – This is a new connection
C.✘Incorrect – "unknown" is not used for typical traffic
D.✘Incorrect – Not invalid unless malformed or contextless
E.✘Incorrect – This is not an existing connection
Extract from Official MTCNA Course Material – Firewall Connection States:
“A packet that begins a new connection is marked as ‘new’. Connection tracking then continues monitoring that session.”
Extract from René Meneses MTCNA Study Guide – Connection Tracking:
“New connections receive the 'new' state. Firewall rules often start by permitting or blocking 'new' and 'established' states.”
Extract from MikroTik Wiki – Firewall and Connection States:
“State=new is assigned when no existing connection entry matches the incoming packet.”
===========
How many layers does the Open Systems Interconnection model have?
6
9
5
7
12
The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a communication system into seven distinct layers. It is used to understand and design computer networking systems.
The seven layers of the OSI model are:
Application
Presentation
Session
Transport
Network
Data Link
Physical
Each layer has its own specific purpose and interacts with adjacent layers to perform data transmission functions.
MTCNA Official Course Material – OSI Model Chapter:
“The OSI model consists of 7 layers. Understanding these layers is critical for troubleshooting and protocol analysis.”
René Meneses MTCNA Study Guide – OSI Model Section:
“There are exactly seven OSI layers. They range from the Physical Layer (Layer 1) to the Application Layer (Layer 7).”
Terry Combs Notes – OSI Summary Page:
“OSI = 7 Layers. The most important ones for network engineers are Layer 1 through Layer 4.”
Answer: D
QUESTION NO: 13 [Routing]
How many usable IP addresses are there in a 20-bit subnet?
A. 4096
B. 4094
C. 2046
D. 2048
E. 2047
Answer: B
A /20 subnet means that 20 bits are used for the network portion, and 12 bits are left for host addresses. The total number of IP addresses available in such a subnet is:
2^12 = 4096 (total addresses)
Usable IP addresses = 4096 - 2 = 4094
→ (1 address is reserved for the network ID, and 1 for the broadcast address)
MTCNA Course Manual – Subnetting and IP Allocation:
“A subnet with n host bits gives 2^n total addresses. Always subtract 2 to account for network and broadcast addresses.”
René Meneses Study Guide – Subnet Calculations:
“/20 = 12 host bits → 4096 total IPs. Usable = 4094. Remember to subtract 2.”
Terry Combs MTCNA Notes – Addressing Math:
“20-bit subnet = 4094 usable IPs. Know how to compute 2^x and subtract 2.”
Answer: B
QUESTION NO: 14 [Routing]
You have a router with configuration
Public IP: 202.168.125.45/24
Default gateway: 202.168.125.1
DNS server: 248.115.148.136, 248.115.148.137
Local IP: 192.168.2.1/24
Mark the correct configuration on client PC to access the Internet:
A. IP: 192.168.0.1/24, gateway: 192.168.2.1
B. IP: 192.168.2.253/24, gateway: 202.168.0.1
C. IP: 192.168.2.115/24, gateway: 192.168.2.1
D. IP: 192.168.2.2/24, gateway: 202.168.125.45
E. IP: 192.168.1.223/24, gateway: 248.115.148.136
Answer: C
To correctly configure a host in a private network behind a router:
The IP must match the local subnet (192.168.2.0/24)
The gateway must be the router’s local IP (192.168.2.1)
DNS settings can be default or custom, but IP and gateway must be valid
Let’s evaluate:
A. 192.168.0.1 → Wrong subnet (192.168.0.0/24 ≠ 192.168.2.0/24) ❌
B. Gateway 202.168.0.1 → Invalid internal gateway ❌
C. IP 192.168.2.115 with gateway 192.168.2.1 → ✅ Correct subnet and correct gateway
D. Gateway 202.168.125.45 → This is router’s public IP, not the correct gateway for LAN ❌
E. IP 192.168.1.223 → Wrong subnet; also, gateway is DNS IP ❌
MTCNA NAT Section – Network Configuration:
“Clients should be in the same subnet as the router’s local IP and must use that local IP as their gateway to reach outside networks.”
René Meneses Guide – Gateway and Addressing:
“The client’s IP should belong to the same subnet as the local router interface. Always verify gateway IP points to the internal address.”
Terry Combs Notes – Default Gateway Setup:
“The default gateway for local clients must be the internal router IP — not the public or DNS IP.”
Answer: C
QUESTION NO: 15 [RouterBOARD Hardware]
Collisions are possible in full-duplex Ethernet networks:
A. true
B. false
Answer: B
In full-duplex Ethernet, devices can transmit and receive simultaneously on separate physical or logical channels. This eliminates the possibility of collisions because there is no need for devices to listen before transmitting — unlike half-duplex Ethernet, which uses CSMA/CD to manage potential collisions.
Full-duplex connections are the standard in modern switching environments and are always collision-free.
MTCNA Official Course Material – Ethernet & Duplex Modes:
“In full-duplex Ethernet, there are separate transmit and receive paths, and therefore, collisions cannot occur.”
René Meneses Study Guide – Ethernet Basics:
“Full-duplex = simultaneous send/receive = no collisions. Collisions are a legacy issue from half-duplex Ethernet.”
Terry Combs MTCNA Notes – CSMA/CD and Ethernet:
“Collision Detection (CD) is not used in full-duplex. Only half-duplex environments use CSMA/CD to manage access.”
Action=redirect applies to
Firewall Filter rules
DST-NAT rules
Route rules
SRC-NAT rules
The redirect action is a specialized type of destination NAT (dst-nat) used to force traffic to a local port on the router (typically for transparent proxies or redirection to hotspot portals). This action is only valid in DST-NAT rules and does not apply to firewall filters, routing rules, or source NAT.
Option breakdown:
A.✘Firewall Filter – These rules allow, drop, or reject traffic, not perform redirection.
B.✔DST-NAT – Redirect is a valid dst-nat action and is processed in the prerouting chain.
C.✘Route – Routing rules do not include NAT actions.
D.✘SRC-NAT – Used for source address translation, not redirection.
Extract from Official MTCNA Course Material – NAT Table & Actions:
“Redirect is an action under dst-nat. It rewrites destination address to the router itself, used for web proxy or hotspot.”
Extract from René Meneses MTCNA Study Guide – NAT Types:
“Use action=redirect in dst-nat rules to direct traffic to local services like proxy or DNS.”
Extract from MikroTik Wiki – NAT Rule Actions:
“redirect: redirects packet to local router port. Can only be used in dst-nat chain.”
===========
Mangle Routing (routing-mark) is possible, by using chains:
prerouting and output
forward and output
prerouting and forward
input and output
forward and postrouting
Mangle rules that mark routing (using the routing-mark property) can only be applied in the following chains:
prerouting: For traffic arriving at the router
output: For traffic generated by the router itself
Other chains like forward, input, postrouting do not support routing-mark.
A.✔Correct – prerouting and output are used for routing-mark
B.✘forward does not support routing-mark
C.✘forward is invalid for routing-mark
D.✘input does not support routing decisions
E.✘postrouting is used for NAT, not routing
Extract from MTCNA Course Material – Mangle and Routing Marks:
“Routing-mark is applied only in prerouting (for transit traffic) and output (for router-generated traffic).”
Extract from MikroTik Wiki – Mangle:
“routing-mark can be used only in prerouting and output chains.”
Extract from René Meneses Study Guide – Mangle and PBR:
“To perform policy-based routing, use prerouting or output to assign routing-marks.”
===========
Bridging loops can be avoided by enabling:
RSTP protocol
STP protocol
Connection tracking
UDP filter
ICMP filter
Bridging loops occur when there are multiple active paths between switches or bridge interfaces, causing broadcast storms or MAC table instability. MikroTik RouterOS supports both STP (Spanning Tree Protocol) and RSTP (Rapid Spanning Tree Protocol) to detect and block redundant paths.
A.✔RSTP – Faster and preferred protocol to prevent loops.
B.✔STP – The original protocol, slower convergence but still effective.
C.✘Connection tracking – Not related to Layer 2 loop prevention.
D.✘UDP filter – Filters specific traffic types, doesn’t handle loops.
E.✘ICMP filter – Not relevant to Layer 2 loop protection.
Extract from Official MTCNA Course Material – Bridging and STP:
“STP or RSTP must be enabled to prevent bridging loops. RSTP is the recommended version due to faster convergence.”
Extract from René Meneses MTCNA Study Guide – Bridging:
“Always enable STP or RSTP when using bridges with multiple paths to prevent Layer 2 loops.”
Extract from MikroTik Wiki – STP / RSTP:
“STP and RSTP are loop prevention mechanisms for bridges. They dynamically block redundant links.”
===========
What is the minimal possible wireless configuration to create an Access Point?
radio name
scan-list
frequency
band
ssid
DFS mode
WDS
To configure a MikroTik wireless interface as a basic access point (AP), the minimum required parameters are:
Mode → Must be set to ap-bridge or bridge
SSID → Defines the wireless network name to broadcast
Band → Determines which frequency ranges are used (e.g., 2.4GHz b/g/n or 5GHz a/n/ac)
Frequency → Specifies the actual channel used for broadcasting
Options reviewed:
A. radio name →✘Optional. A cosmetic label used to identify the radio in Winbox.
B. scan-list →✘Optional. Used to define which frequencies the interface should scan.
C.✔Required
D.✔Required
E.✔Required
F. DFS mode →✘Optional and auto-configured based on regulatory domain.
G. WDS →✘Only needed for bridging or extending networks.
Extract from Official MTCNA Course Material – Wireless Configuration:
“The minimal settings to enable an Access Point include: mode, SSID, band, and frequency. Without these, the interface won’t broadcast.”
Extract from René Meneses Study Guide – Wireless Basics:
“To turn on an AP: Set the mode to ap-bridge, define SSID, band, and frequency. Other settings are optional or advanced.”
Extract from Terry Combs Notes – Wireless Setup:
“Essential: mode, frequency, SSID, band. Others like WDS and DFS are situational.”
===========
What can be used as ’target-address’ in the simple queue?
client’s MAC address
server’s address
address list name
client’s address
In MikroTik’s Simple Queues, the target-address field is used to define the IP address of the device (host) to which the queue will apply. This must be an IP address — not a MAC address or an address list name.
Let’s evaluate:
A. ❌ MAC address is not supported as target-address in simple queues
B. ❌ "server’s address" is vague; if it means an IP, then it could work, but the best answer is "client’s address"
C. ❌ Address lists can be used in firewall and mangle rules, but not directly in simple queues
D.✅Correct – An individual IP address (like 192.168.1.100) can be assigned as the target-address
MTCNA Course Manual – Simple Queue Structure:
“Use the target-address field to apply a queue to a specific host by IP.”
René Meneses Guide – Queue Setup:
“Only IP addresses can be used as targets in simple queues. Address lists are not accepted.”
Terry Combs Notes – Bandwidth Limiting:
“Target-address = device IP. MACs and lists are not allowed here.”
Answer: D
QUESTION NO: 75 [RouterOS Introduction]
What kind of users are listed in the "/user" menu?
A. router users
B. wireless users
C. Hot-Spot users
D. PPTP users
Answer: A
The /user menu in MikroTik RouterOS lists users who are allowed to log in to the router itself — via Winbox, SSH, WebFig, console, or API. These are administrative users of the RouterOS system.
Let’s evaluate:
A.✅Correct – These are RouterOS users (admin, techs, operators)
B. ❌ Wireless users are authenticated via security-profiles and access-lists
C. ❌ Hotspot users are managed under /ip hotspot user
D. ❌ PPTP users are managed under /ppp secrets
MTCNA User Management Section:
“/user is used to configure login accounts for RouterOS access.”
René Meneses Guide – User Types:
“Only RouterOS admin users are listed under /user. VPN and hotspot users are managed elsewhere.”
Terry Combs Notes – User Menu Summary:
“/user = login to router (Winbox/SSH). Not for PPP or hotspot authentication.”
Answer: A
QUESTION NO: 76 [RouterBOARD Hardware]
Which is a default baud-rate of currently manufactured RouterBOARDs?
A. 9600
B. 115200
C. 38400
D. 11520
Answer: B
The default serial console baud rate for most modern MikroTik RouterBOARD devices is 115200 bps. This is important when accessing the router via serial console (e.g., through RS-232 or USB-to-serial adapters).
Let’s evaluate:
A. 9600 → ❌ Too slow; used in legacy systems
B. ✅ 115200 → Correct default for MikroTik boards
C. 38400 → ❌ Incorrect
D. 11520 → ❌ Typo; not a standard rate
MTCNA Hardware Module – Serial Access:
“Default baud-rate is 115200. Use this setting when connecting via serial cable.”
René Meneses Study Guide – RouterBOARD Console Access:
“Use 115200 baud to access RouterBOARD via serial port.”
Terry Combs Notes – Serial Console Tips:
“Almost all modern RouterBOARDs use 115200 as default serial speed.”
Answer: B
QUESTION NO: 77 [Routing]
When viewing the routes in Winbox, some routes will show "DAC" in the first column. These flags mean:
A. Dynamic, Available, Created
B. Dynamic, Active, Connected
C. Direct, Available, Connected
D. Dynamic, Active, Console
Answer: B
Route flags in MikroTik indicate how a route was created and its status:
D = Dynamic → Added automatically (e.g., by IP address assignment)
A = Active → Route is currently being used
C = Connected → Directly connected subnet or IP address
So:
DAC = Dynamic + Active + Connected → Usually created when you assign an IP address to an interface.
Let’s review:
A. ❌ "Available" and "Created" are not valid flags
B. ✅ Correct – matches MikroTik routing flag definitions
C. ❌ “Direct” and “Available” are not valid route flags in MikroTik
D. ❌ "Console" is not a route flag
MTCNA Routing Section – Route Flag Definitions:
“D – Dynamic, A – Active, C – Connected. These appear when the router creates a route based on interface IP.”
René Meneses Guide – Route Table Interpretation:
“DAC is the most common flag combination. Dynamic and connected routes are automatically active.”
Terry Combs Notes – Route Status Flags:
“D = Dynamic, A = Active, C = Connected. Common on local interfaces.”
===========
Is ARP used in the IPv6 protocol?
False
True
In IPv6, the Address Resolution Protocol (ARP) is not used. Instead, IPv6 uses the Neighbor Discovery Protocol (NDP), which is part of the ICMPv6 suite. NDP handles address resolution, router discovery, and reachability.
MTCNA Course Material – IPv6 Address Resolution:
“IPv6 replaces ARP with Neighbor Discovery Protocol. NDP uses ICMPv6 to perform tasks like address resolution and router discovery.”
René Meneses MTCNA Study Guide – IPv6 Fundamentals:
“There is no ARP in IPv6. It uses NDP messages for neighbor solicitation and advertisement.”
Thus, ARP is not used in IPv6.
Final Answer: A
QUESTION NO: 152 [Monitoring and Management – SNMP Protocol]
Which of the following protocols / ports are used for SNMP (Simple Network Management Protocol)?
A. TCP 162
B. UDP 162
C. UDP 161
D. TCP 25
E. TCP 123
F. TCP 161
Answer: B, C
SNMP uses the following ports:
UDP 161: Used for SNMP agent queries (GET, SET, etc.)
UDP 162: Used by SNMP managers to receive trap notifications
MTCNA Course Material – SNMP and Monitoring:
“SNMP uses UDP 161 for polling devices and UDP 162 for traps.”
MikroTik Wiki – SNMP:
“SNMP communication uses UDP ports 161 (queries) and 162 (traps). TCP is not used for SNMP by default.”
Option breakdown:
A: TCP 162 → incorrect (SNMP traps use UDP)
B:✔UDP 162
C:✔UDP 161
D: TCP 25 = SMTP
E: TCP 123 = NTP (incorrect protocol and transport)
F: TCP 161 = incorrect transport
Final Answer: B, C
QUESTION NO: 153 [ARP – MikroTik Specific Behavior]
If arp=reply-only is configured on an interface, what will this interface do?
A. Accept all IP/MAC combinations listed in /ip arp as static entries
B. Accept all IP addresses listed in /ip arp as static entries
C. Add new MAC addresses in /ip arp list
D. Accept all MAC addresses listed in /ip arp as static entries
E. Add new IP addresses in /ip arp list
Answer: A
Setting arp=reply-only on an interface disables the normal dynamic ARP process. The router will only respond to ARP requests for IP/MAC pairs that are explicitly listed in /ip arp with type=static. No dynamic entries will be added.
MikroTik Wiki – ARP Modes:
“reply-only – the interface will only reply to ARP requests if there is a static entry. It will not add any new entries.”
MTCNA Course Material – ARP Configuration:
“When reply-only is set, the interface will not send ARP requests and will only respond to those IP/MAC combinations configured as static entries.”
Option breakdown:
A:✔Correct—replies only to statically configured IP/MAC pairs
B: Incorrect — ARP entries must have both IP and MAC
C/E: No new dynamic entries are added in reply-only mode
D: MAC addresses alone are not matched — ARP matches IP/MAC pairs
Final Answer: A
QUESTION NO: 154 [RouterOS Tools – Configuration Export]
Mark all correct statements about /export (rsc file).
A. Exports logs from /log print
B. Exports full configuration of the router
C. Exports only part of the configuration (for example /ip firewall)
D. Exports scripts from /system script
E. Exported files could not be edited
Answer: B, C, D
The /export command in RouterOS allows exporting configuration as a script (.rsc file). It can:
Export the full configuration
Export a specific section (e.g., /ip firewall)
Include scripts under /system script if specified
It does not export logs and the exported .rsc file is plain text and can be edited.
MTCNA Course Material – Configuration Management:
“/export outputs configuration to a text file. You can export the full config or a specific menu, and it includes scripts if present.”
MikroTik Wiki – Export Command:
“You can use /export to generate editable .rsc files. Use /export file=name or /ip firewall export.”
Option breakdown:
A: ❌ Logs are not exported
B:✔Full config export is default
C:✔You can target specific sections (e.g., /ip dhcp-server)
D:✔Scripts are included if present
E: ❌ Exported files are editable text files
Final Answer: B, C, D