MTCNA Exam Dumps : MikroTikCertified Network Associate Exam

Setting "forwarding=no" on a wireless interface prevents communication between connected clients on that interface and between that interface and other interfaces in the same bridge. This means:

Stations connected to wlan1 cannot talk to each other

Stations on wlan1 cannot talk to stations on wlan2 (even if bridged)

Stations on wlan2 can talk to each other normally

Evaluation:

A.✅Correct – forwarding=no does not affect wlan2

B.❌Incorrect – forwarding=no blocks this

C.✅Correct – clients on wlan1 cannot talk to each other either

D.❌Bridge filters can be used but this scenario is about forwarding settings

E.❌Blocked by forwarding=no

MTCNA Wireless Module – Wireless Forwarding Behavior:

“Forwarding=no disables client-to-client communication on the interface and across bridges.”

René Meneses Study Guide – Wireless Access Config:

“Use forwarding=no to isolate clients on the same AP. Affects bridging too.”

Terry Combs Notes – Wireless Isolation:

“Setting forwarding=no isolates all clients on that wireless card.”

Answer: A, CQUESTION NO: 81 [Wireless]

Consider a wireless access point with mode=ap-bridge. What is the maximum number of concurrent clients that can connect to it?

A. 2007

B. 2012

C. 2048

D. 1024

Answer: C

In MikroTik RouterOS, the theoretical maximum number of clients that can associate with an AP in ap-bridge mode is 2048. However, practical limits depend on hardware performance and network stability, and most real-world setups use far fewer clients.

Let’s review:

A. 2007 →❌Close, but not the actual hard limit

B. 2012 →❌Incorrect

C.✅2048 → Correct per MikroTik’s AP mode specification

D. 1024 →❌Lower than the actual maximum

MTCNA Wireless Module – AP Behavior:

“In ap-bridge mode, the maximum theoretical client limit is 2048. Actual stable operation may be lower.”

René Meneses Guide – Wireless Scaling:

“2048 is the upper limit for client associations on a MikroTik AP in bridge mode.”

Terry Combs Notes – Client Capacity:

“2048 clients = maximum. Performance may degrade before that in high-traffic environments.”

MikroTik RouterOS uses the /system scheduler to execute scripts or commands at defined times or intervals. It allows for automation of tasks such as backups, reboots, updates, and more.

Evaluation:

A. /system watchdog →❌Used for hardware monitoring and rebooting if the system freezes.

B. /system cron →❌Not available in MikroTik RouterOS (RouterOS doesn’t use cron syntax).

C. /system scheduler →✅Correct. Built-in RouterOS feature for scheduled command execution.

MTCNA Course Manual – System Scheduler Section:

“Use /system scheduler to run scripts or commands at regular intervals or specific times.”

René Meneses Guide – Automating Tasks:

“Scheduler is the only built-in time-based job handler in RouterOS.”

Terry Combs Notes – Script Automation:

“RouterOS uses scheduler, not cron. Schedule by time or interval.”

Answer: CQUESTION NO: 67 [Firewall / Tools]

Where can you monitor (see addresses and ports) real-time connections which are processed by the router?

A. Firewall Connection Tracking

B. Firewall Counters

C. Tool Torch

D. Queue Tree

Answer: A

Firewall Connection Tracking (also known as conntrack) is used to monitor real-time connections that pass through the router. It shows source and destination IPs, ports, protocols, connection states (established, new, related), and more.

Let’s evaluate the options:

A.✅Correct – Shows live connection table with IPs, ports, and statuses

B.❌Shows rule match counters only — no detailed connection info

C.❌Torch shows per-interface traffic; useful for bandwidth, but not a connection list

D.❌Queue Tree is used for traffic shaping, not for viewing connections

MTCNA Course Manual – Firewall Concepts:

“Connection tracking shows all active sessions through the router with IP and port details.”

René Meneses Guide – Firewall Tools:

“Use connection tracking to diagnose connection states and NAT behavior.”

Terry Combs Notes – Monitoring Tools:

“conntrack is your real-time connection monitor. Torch is per-interface, not per-flow.”

Answer: AQUESTION NO: 68 [Wireless]

How many wireless clients can connect, when wireless card is configured to mode=bridge?

A. 1

B. 100

C. 2007

D. 2

Answer: A

In MikroTik RouterOS, if a wireless card is configured to mode=bridge (also referred to as "station-bridge"), it can only be used to connect a single client device (MAC address) behind it. This is due to limitations in how 802.11 bridges MAC addresses.

So:

A.✅Correct – Only 1 MAC address can pass via wireless bridge mode (unless using WDS or 4-address mode)

B, C →❌Too many clients for bridge mode

D.❌Incorrect – Still only one client allowed per interface in bridge mode

MTCNA Wireless Module – Wireless Modes:

“Bridge mode allows one client only unless extended bridging protocols are used.”

René Meneses Guide – Wireless Bridging:

“mode=bridge = one MAC behind the station. Use WDS for multiple MACs.”

Terry Combs Notes – Wireless Modes:

“Station-bridge mode works like Ethernet, but only supports one MAC address unless using WDS.”

Answer: AQUESTION NO: 69 [Routing]

In the Route List, the identification DAb for a route stands for:

A. direct - active - bgp

B. direct - acknowledge - backup

C. dynamic - active - backup

D. dynamic - active - bgp

Answer: D

In MikroTik RouterOS, route flags provide quick insight into how the route was created and its status:

D = Dynamic → The route was added dynamically by a protocol (like BGP, OSPF, RIP)

A = Active → This route is currently being used

b = BGP → Indicates that the route was learned via the BGP routing protocol

Therefore, DAb means:

→ D = Dynamic

→ A = Active

→ b = BGP

MTCNA Routing Section – Route Flags Explanation:

“D = dynamically added, A = currently active, b = learned via BGP.”

René Meneses Guide – Understanding Route Lists:

“DAb → dynamic + active + BGP route. Route is learned and installed via BGP.”

Terry Combs Notes – Route Symbols:

“Check the route list: b = BGP, o = OSPF, r = RIP, s = static, c = connected.”

Destination NAT (dst-nat) is used to redirect packets arriving at the router to a different internal destination. It is most commonly used to allow public access to internal services such as web servers or mail servers.

You can:

Change the destination IP address (redirect to an internal host)

Change the destination port (e.g., port 8080 to port 80)

But:

C. Changing the source port is a function of src-nat, not dst-nat →❌

D. Hiding the local network from the Internet is done via masquerade or src-nat →❌

MTCNA Course Manual – NAT Section:

“Use dst-nat to forward traffic to a private host. Port translation can also be applied (e.g., from 81 to 80).”

René Meneses Study Guide – NAT Configuration:

“dst-nat changes the destination IP/port of packets arriving on a specific interface. Common use case: access to LAN services from WAN.”

Terry Combs Notes – NAT Rule Summary:

“dst-nat = port forwarding. src-nat/masquerade = hide internal addresses.”

Answer: A, BQUESTION NO: 48 [RouterOS Introduction]

Which is the default port of IP-Winbox?

A. UDP 8291

B. TCP 80

C. TCP 8291

D. TCP 8192

Answer: C

Winbox is MikroTik’s GUI-based configuration tool. It communicates with RouterOS over TCP port 8291 by default. This port is used for both IP-based Winbox connections and MAC-based sessions (in combination with layer-2 discovery protocol).

Evaluation:

A. UDP 8291 →❌Wrong protocol

B. TCP 80 →❌Used for HTTP (WebFig)

C. TCP 8291 →✅Correct default Winbox port

D. TCP 8192 →❌Invalid / non-standard

MTCNA Course Manual – RouterOS Management Tools:

“Winbox uses TCP port 8291 by default. It is possible to change this port in the /ip service settings.”

René Meneses MTCNA Guide – Winbox Access:

“Default access via TCP 8291. Check firewall filters to ensure it’s not blocked.”

Terry Combs Notes – Remote Management:

“Winbox = TCP/8291. WebFig = TCP/80 or 443.”

Answer: CQUESTION NO: 49 [PPP]

It is possible to create an encrypted PPPoE tunnel in RouterOS:

A. true

B. false

Answer: B

PPPoE (Point-to-Point Protocol over Ethernet) does not include encryption by default. It can authenticate users using PAP or CHAP, but the data payload is transmitted in cleartext unless another secure tunneling protocol (e.g., IPSec) is layered on top.

MikroTik supports encryption in other tunneling protocols, such as:

SSTP (uses SSL)

L2TP with IPSec

OpenVPN (SSL-based)

IPsec itself (for IP layer encryption)

MTCNA Tunneling Chapter – PPP Protocol Features:

“PPPoE offers authentication, compression, but no native encryption. Use IPSec if encryption is needed.”

René Meneses Guide – Tunnel Comparison Table:

“PPPoE is not encrypted. SSTP and L2TP/IPSec are alternatives when encryption is a requirement.”

Terry Combs Notes – PPP Family Summary:

“PPPoE: Authentication = Yes, Encryption = No. Use with caution over untrusted networks.”

Answer: BQUESTION NO: 50 [Wireless]

Why is it useful to set a Radio Name on the radio interface?

A. To identify a station in a list of connected clients

B. To identify a station in Neighbor discovery

C. To identify a station in the Access List

Answer: A

The Radio Name is a human-readable identifier assigned to a wireless interface. It becomes visible in the Registration Table (i.e., the list of connected clients) on an access point. It helps network administrators distinguish between multiple connected devices.

Evaluation:

A.✅Correct — Radio Name is shown in the Registration Table (list of connected clients)

B.❌Neighbor discovery uses MAC and device identity, not radio name

C.❌Access List uses MAC addresses, not radio name, for matching

MTCNA Wireless Module – Interface Settings:

“Radio Name is shown in the registration table on the AP. It helps in client identification.”

René Meneses Guide – Wireless Monitoring:

“The AP uses the client’s Radio Name to label them in the list of associated stations.”

Terry Combs Notes – Best Practice:

“Set radio-name so you can easily tell which device is which in the registration list.”

Answer: A