Destination NAT (dst-nat) is used to redirect packets arriving at the router to a different internal destination. It is most commonly used to allow public access to internal services such as web servers or mail servers.
You can:
Change the destination IP address (redirect to an internal host)
Change the destination port (e.g., port 8080 to port 80)
But:
C. Changing the source port is a function of src-nat, not dst-nat →❌
D. Hiding the local network from the Internet is done via masquerade or src-nat →❌
MTCNA Course Manual – NAT Section:
“Use dst-nat to forward traffic to a private host. Port translation can also be applied (e.g., from 81 to 80).”
René Meneses Study Guide – NAT Configuration:
“dst-nat changes the destination IP/port of packets arriving on a specific interface. Common use case: access to LAN services from WAN.”
Terry Combs Notes – NAT Rule Summary:
“dst-nat = port forwarding. src-nat/masquerade = hide internal addresses.”
Answer: A, BQUESTION NO: 48 [RouterOS Introduction]
Which is the default port of IP-Winbox?
A. UDP 8291
B. TCP 80
C. TCP 8291
D. TCP 8192
Answer: C
Winbox is MikroTik’s GUI-based configuration tool. It communicates with RouterOS over TCP port 8291 by default. This port is used for both IP-based Winbox connections and MAC-based sessions (in combination with layer-2 discovery protocol).
Evaluation:
A. UDP 8291 →❌Wrong protocol
B. TCP 80 →❌Used for HTTP (WebFig)
C. TCP 8291 →✅Correct default Winbox port
D. TCP 8192 →❌Invalid / non-standard
MTCNA Course Manual – RouterOS Management Tools:
“Winbox uses TCP port 8291 by default. It is possible to change this port in the /ip service settings.”
René Meneses MTCNA Guide – Winbox Access:
“Default access via TCP 8291. Check firewall filters to ensure it’s not blocked.”
Terry Combs Notes – Remote Management:
“Winbox = TCP/8291. WebFig = TCP/80 or 443.”
Answer: CQUESTION NO: 49 [PPP]
It is possible to create an encrypted PPPoE tunnel in RouterOS:
A. true
B. false
Answer: B
PPPoE (Point-to-Point Protocol over Ethernet) does not include encryption by default. It can authenticate users using PAP or CHAP, but the data payload is transmitted in cleartext unless another secure tunneling protocol (e.g., IPSec) is layered on top.
MikroTik supports encryption in other tunneling protocols, such as:
MTCNA Tunneling Chapter – PPP Protocol Features:
“PPPoE offers authentication, compression, but no native encryption. Use IPSec if encryption is needed.”
René Meneses Guide – Tunnel Comparison Table:
“PPPoE is not encrypted. SSTP and L2TP/IPSec are alternatives when encryption is a requirement.”
Terry Combs Notes – PPP Family Summary:
“PPPoE: Authentication = Yes, Encryption = No. Use with caution over untrusted networks.”
Answer: BQUESTION NO: 50 [Wireless]
Why is it useful to set a Radio Name on the radio interface?
A. To identify a station in a list of connected clients
B. To identify a station in Neighbor discovery
C. To identify a station in the Access List
Answer: A
The Radio Name is a human-readable identifier assigned to a wireless interface. It becomes visible in the Registration Table (i.e., the list of connected clients) on an access point. It helps network administrators distinguish between multiple connected devices.
Evaluation:
A.✅Correct — Radio Name is shown in the Registration Table (list of connected clients)
B.❌Neighbor discovery uses MAC and device identity, not radio name
C.❌Access List uses MAC addresses, not radio name, for matching
MTCNA Wireless Module – Interface Settings:
“Radio Name is shown in the registration table on the AP. It helps in client identification.”
René Meneses Guide – Wireless Monitoring:
“The AP uses the client’s Radio Name to label them in the list of associated stations.”
Terry Combs Notes – Best Practice:
“Set radio-name so you can easily tell which device is which in the registration list.”
Answer: A
