In MikroTik RouterOS, the masquerade action is used in source NAT (srcnat) rules to hide internal/private IP addresses behind a router’s public IP address. This is typically done for internet access from a LAN where the devices have private IP addresses (e.g., 192.168.x.x).
Masquerade dynamically changes the source IP of outgoing packets to the IP address of the router’s outbound interface, allowing multiple internal devices to share a single public IP.
Let’s evaluate the options:
A. masquerade →✅Correct. Used to perform source NAT for hiding private addresses.
B. allow →❌Not a valid NAT action.
C. passthrough →❌Used in mangle rules to continue processing additional rules, not for NAT.
D. tarpit →❌Used to delay TCP connections (often in firewall, not NAT).
MTCNA Course Manual – NAT Chapter:
“Masquerade is a special form of source NAT where the router replaces the source IP with the IP address of the outgoing interface.”
René Meneses Guide – NAT Configuration:
“Use masquerade on the router’s WAN interface to give internet access to private clients.”
Terry Combs Notes – NAT Rule Actions:
“Masquerade = dynamic src-nat. Useful when public IP is dynamic or unknown.”
Answer: AQUESTION NO: 62 [PPP / AAA]
Router A and B are both running as PPPoE servers on different broadcast domains of your network. It is possible to set Router A to use "/ppp secret" accounts from Router B to authenticate PPPoE customers.
A. true
B. false
Answer: B
/ppp secret accounts are local to each RouterOS device. These credentials are stored in the router’s own configuration and cannot be shared directly between routers.
To centralize authentication across multiple routers, a RADIUS server must be used. With RADIUS, multiple MikroTik routers can authenticate users against a single, centralized user database.
Without RADIUS or another external AAA system:
Each router maintains its own /ppp secret list
Router A cannot directly read or use the /ppp secrets from Router B
Evaluation:
A.❌False. There is no built-in mechanism for Router A to access secrets on Router B.
B.✅Correct. You must use RADIUS if you want shared authentication across routers.
MTCNA PPP Module – Authentication Methods:
“/ppp secrets are stored locally on the router. For shared user authentication, configure RADIUS.”
René Meneses Study Guide – PPPoE and RADIUS:
“To authenticate clients on multiple routers with a central database, RADIUS is required.”
Terry Combs Notes – PPP Secrets vs RADIUS:
“Local secrets cannot be accessed remotely. Use RADIUS to centralize authentication.”
Answer: B