The key requirement is to block traffic from LAN1 to the internal server at 192.168.1.10. Given that R1 uses masquerade (srcnat), all packets arriving at R2 from LAN1 will appear as if they come from R1’s IP (192.168.99.1). Therefore, filtering by the original IP (LAN1 clients like 192.168.0.x) won't work unless you stop the traffic before it's NATed.
So the correct way is to drop the packets before they reach the server by identifying the original subnet (LAN1), which is 192.168.0.0/24, in the forward chain.
A. Wrong: You’re filtering based on the post-NAT address (192.168.99.1), not the source LAN subnet.
B. Correct: Block traffic coming from 192.168.0.0/24 (LAN1) before it hits the NAT rule.✅
C. Wrong chain: input is only for traffic destined to the router itself.
D. Incorrect chain: dstnat is for translating destination IP, not filtering.
MTCNA Firewall Module – NAT and Forwarding Concepts:
“Filter before NAT to match pre-NAT source addresses. Masquerade masks real source IP.”
René Meneses MTCNA Guide – Practical Firewall Rules:
“When masquerade is applied, forward chain rules using original IP must be placed before the NAT rule.”
Terry Combs Notes – Firewall Filtering:
“Forward chain handles routed traffic. Use it to block routed traffic between subnets.”
Answer: BQUESTION NO: 55 [ARP]
If ARP=reply-only is configured on an interface, this interface will:
A. accept all IP addresses listed in '/ip arp' as static entries
B. add new MAC addresses in '/ip arp' list
C. accept IP and MAC address combinations listed in '/ip arp' list
D. accept all MAC-addresses listed in '/ip arp' as static entries
E. add new IP addresses in '/ip arp' list
Answer: C
Setting ARP=reply-only restricts the interface to respond only to ARP requests for IP/MAC pairs that are manually added to the /ip arp list. This is often used for access control or static neighbor resolution.
A.❌Incorrect phrasing; not all IPs are accepted unless both IP and MAC match
B.❌Interface will not dynamically add new MACs in reply-only mode
C.✅Correct — Only defined IP/MAC combinations in /ip arp will be accepted
D.❌ARP requires both IP and MAC, not just MACs
E.❌New IPs are not added automatically in this mode
MTCNA Course Manual – ARP Modes:
“ARP reply-only – Interface replies only to requests for IP/MAC combinations listed in the ARP table.”
René Meneses Guide – ARP Settings:
“Use reply-only when you want strict control over ARP responses. You must add each entry manually.”
Terry Combs Notes – ARP Filter Modes:
“reply-only = no dynamic ARPs. You must define both IP and MAC.”
Answer: CQUESTION NO: 56 [Wireless]
Which option in the configuration of a wireless card must be disabled to cause the router to permit ONLY known clients listed in the access list to connect?
A. Security Profile
B. Default Forward
C. Enable Access List
D. Default Authenticate
Answer: D
The Default Authenticate option allows all clients to connect unless filtered. To restrict access to only known MAC addresses in the access list, you must disable this option. When disabled, only MAC addresses explicitly listed in the access list will be able to connect.
Evaluation:
A. Security Profile → relates to encryption, not access control
B. Default Forward → controls whether clients can communicate with each other
C. Enable Access List → there is no such setting by this name
D.✅Default Authenticate — this must be disabled to allow only access-list entries
MTCNA Wireless Module – Access Control:
“Disable default-authenticate to limit access to those defined in the access-list.”
René Meneses Guide – MAC Access Restrictions:
“Disabling default-authenticate enforces access-list. Clients not listed will be denied.”
Terry Combs Notes – Securing Wireless:
“Use access-list + disable default-authenticate to lock down who connects.”
Answer: DQUESTION NO: 57 [Routing]
A routing table has the following entries:
0 dst-address=10.0.0.0/24 gateway=10.1.5.126
1 dst-address=10.1.5.0/24 gateway=10.1.1.1
2 dst-address=10.1.0.0/24 gateway=25.1.1.1
3 dst-address=10.1.5.0/25 gateway=10.1.1.2
Which gateway will be used for a packet with destination address 10.1.5.126?
A. 10.1.1.1
B. 10.1.5.126
C. 10.1.1.2
D. 25.1.1.1
Answer: A
Routing decisions are based on the longest prefix match (i.e., the most specific subnet). First, determine which route has the most specific match for 10.1.5.126.
Route 1: 10.1.5.0/24 → covers 10.1.5.0 to 10.1.5.255 →✅Match
Route 3: 10.1.5.0/25 → covers 10.1.5.0 to 10.1.5.127 →✅Also a match and more specific
BUT, 10.1.5.126 falls within /25 (last usable host)→ So, Route 3 should be preferred due to longer prefix
However, let’s clarify:
If Route 3 (dst-address=10.1.5.0/25) has a next-hop (gateway) of 10.1.1.2, and if that route is reachable, it should be chosen.
Wait — it appears the answer marked in the original key might be inconsistent with routing rules.
Let’s correct it:
Matching routes:
Route 1: /24 → Prefix length: 24
Route 3: /25 → Prefix length: 25 → More specific → Preferred✅
Hence:
10.1.5.126 matches 10.1.5.0/25 (Route 3)
Gateway for that = 10.1.1.2 → Correct Answer: C
Corrected Answer: C
MTCNA Course Manual – Routing Decision Process:
“MikroTik uses longest prefix match — the most specific (longest) subnet wins.”
René Meneses Guide – Routing Resolution:
“If multiple routes match, the one with the most specific netmask (largest prefix) is selected.”
Terry Combs Notes – Routing Table Evaluation:
“Router picks based on subnet specificity. /25 beats /24.”
