In which order are the entries in Access List and Connect List processed?
By Signal Strength Range
In sequence order
In a random order
By interface name
MikroTik processes entries in the Access List and Connect List in the order they are listed — from top to bottom. This is referred to as “sequence order.” The first rule that matches the client’s MAC address and interface conditions will be applied, and no further rules are evaluated after a match.
Incorrect options:
A. Signal strength can be used as a condition, but is not the order of evaluation.
C. Random order is never used in rule-based systems.
D. Interface names are used as match conditions, not ordering criteria.
MTCNA Wireless Module – Access and Connect List Order:
“Rules are checked from the top of the list down. The first matching rule is applied, then processing stops.”
René Meneses Guide – Wireless Security and MAC Filtering:
“Sequence matters. If multiple rules could apply, only the first one is enforced.”
Terry Combs Notes – Wireless Filtering:
“Don’t misplace rules. Connect-list and access-list are evaluated in listed order.”
Answer: BQUESTION NO: 59 [Queues – QoS]
Simple Queue number 0 defines 2M for upload and download for target IP 10.10.0.33.
Simple Queue number 1 defines 4M for upload and download for the same target IP 10.10.0.33.
Client 10.10.0.33 will be able to obtain:
A. 6M upload/download
B. 0M upload/download
C. 4M upload/download
D. 2M upload/download
Answer: D
In MikroTik RouterOS, when multiple simple queues are configured for the same target (IP address), only the first matching queue in sequence is processed. This means that:
If queue 0 (2M) comes before queue 1 (4M), the 2M limit will be enforced.
The second queue is ignored, even if it provides a higher rate.
MikroTik does not sum the bandwidth of multiple queues. The first applicable queue (based on order) wins.
MTCNA Course Manual – Simple Queues:
“Simple Queues are matched top-down. Only the first matching queue is applied per packet.”
René Meneses MTCNA Guide – QoS Queue Behavior:
“Queue order matters. The first rule that matches is the one used. Lower queues override lower ones if placed first.”
Terry Combs Notes – Queue Troubleshooting:
“If two queues match the same IP, only the first is active. Don’t stack queues unless using a queue tree.”
Answer: DQUESTION NO: 60 [RouterOS Packages]
Which features are removed when the advanced-tools package is uninstalled?
A. neighbors
B. LCD support
C. ip-scan
D. ping
E. netwatch
F. bandwidth-test
Answer: C, E, F
The advanced-tools package in MikroTik RouterOS contains a set of diagnostic and monitoring tools. If this package is removed, the following features are lost:
ip-scan →✅Used for scanning IP ranges to discover hosts
netwatch →✅Monitors host availability and runs scripts on status changes
bandwidth-test →✅Used to measure throughput between MikroTik devices
Incorrect options:
A. neighbors → Part of the main system package (MAC discovery)
B. LCD support → Tied to specific hardware; not affected by advanced-tools
D. ping → Part of the base system package
MTCNA System Tools Section – Package Breakdown:
“The advanced-tools package includes netwatch, bandwidth-test, and ip-scan. These are not part of the base system.”
René Meneses Guide – Package Management:
“Removing advanced-tools disables several diagnostic commands like ip-scan and bandwidth-test.”
Terry Combs Notes – Tools Overview:
“Ping and neighbors are in core OS. Advanced-tools affects monitoring scripts and traffic tools.”
Destination NAT (chain dstnat, action dst-nat) can be used to:
Change destination port
Direct users from the Internet to a server within your local network
Change source port
Hide your local network from the Internet
Destination NAT (dst-nat) is used to redirect packets arriving at the router to a different internal destination. It is most commonly used to allow public access to internal services such as web servers or mail servers.
You can:
Change the destination IP address (redirect to an internal host)
Change the destination port (e.g., port 8080 to port 80)
But:
C. Changing the source port is a function of src-nat, not dst-nat →❌
D. Hiding the local network from the Internet is done via masquerade or src-nat →❌
MTCNA Course Manual – NAT Section:
“Use dst-nat to forward traffic to a private host. Port translation can also be applied (e.g., from 81 to 80).”
René Meneses Study Guide – NAT Configuration:
“dst-nat changes the destination IP/port of packets arriving on a specific interface. Common use case: access to LAN services from WAN.”
Terry Combs Notes – NAT Rule Summary:
“dst-nat = port forwarding. src-nat/masquerade = hide internal addresses.”
Answer: A, BQUESTION NO: 48 [RouterOS Introduction]
Which is the default port of IP-Winbox?
A. UDP 8291
B. TCP 80
C. TCP 8291
D. TCP 8192
Answer: C
Winbox is MikroTik’s GUI-based configuration tool. It communicates with RouterOS over TCP port 8291 by default. This port is used for both IP-based Winbox connections and MAC-based sessions (in combination with layer-2 discovery protocol).
Evaluation:
A. UDP 8291 →❌Wrong protocol
B. TCP 80 →❌Used for HTTP (WebFig)
C. TCP 8291 →✅Correct default Winbox port
D. TCP 8192 →❌Invalid / non-standard
MTCNA Course Manual – RouterOS Management Tools:
“Winbox uses TCP port 8291 by default. It is possible to change this port in the /ip service settings.”
René Meneses MTCNA Guide – Winbox Access:
“Default access via TCP 8291. Check firewall filters to ensure it’s not blocked.”
Terry Combs Notes – Remote Management:
“Winbox = TCP/8291. WebFig = TCP/80 or 443.”
Answer: CQUESTION NO: 49 [PPP]
It is possible to create an encrypted PPPoE tunnel in RouterOS:
A. true
B. false
Answer: B
PPPoE (Point-to-Point Protocol over Ethernet) does not include encryption by default. It can authenticate users using PAP or CHAP, but the data payload is transmitted in cleartext unless another secure tunneling protocol (e.g., IPSec) is layered on top.
MikroTik supports encryption in other tunneling protocols, such as:
SSTP (uses SSL)
L2TP with IPSec
OpenVPN (SSL-based)
IPsec itself (for IP layer encryption)
MTCNA Tunneling Chapter – PPP Protocol Features:
“PPPoE offers authentication, compression, but no native encryption. Use IPSec if encryption is needed.”
René Meneses Guide – Tunnel Comparison Table:
“PPPoE is not encrypted. SSTP and L2TP/IPSec are alternatives when encryption is a requirement.”
Terry Combs Notes – PPP Family Summary:
“PPPoE: Authentication = Yes, Encryption = No. Use with caution over untrusted networks.”
Answer: BQUESTION NO: 50 [Wireless]
Why is it useful to set a Radio Name on the radio interface?
A. To identify a station in a list of connected clients
B. To identify a station in Neighbor discovery
C. To identify a station in the Access List
Answer: A
The Radio Name is a human-readable identifier assigned to a wireless interface. It becomes visible in the Registration Table (i.e., the list of connected clients) on an access point. It helps network administrators distinguish between multiple connected devices.
Evaluation:
A.✅Correct — Radio Name is shown in the Registration Table (list of connected clients)
B.❌Neighbor discovery uses MAC and device identity, not radio name
C.❌Access List uses MAC addresses, not radio name, for matching
MTCNA Wireless Module – Interface Settings:
“Radio Name is shown in the registration table on the AP. It helps in client identification.”
René Meneses Guide – Wireless Monitoring:
“The AP uses the client’s Radio Name to label them in the list of associated stations.”
Terry Combs Notes – Best Practice:
“Set radio-name so you can easily tell which device is which in the registration list.”
Answer: A
What is the correct action to be specified in the NAT rule to hide a private network when communicating to the outside world?
masquerade
allow
passthrough
tarpit
In MikroTik RouterOS, the masquerade action is used in source NAT (srcnat) rules to hide internal/private IP addresses behind a router’s public IP address. This is typically done for internet access from a LAN where the devices have private IP addresses (e.g., 192.168.x.x).
Masquerade dynamically changes the source IP of outgoing packets to the IP address of the router’s outbound interface, allowing multiple internal devices to share a single public IP.
Let’s evaluate the options:
A. masquerade →✅Correct. Used to perform source NAT for hiding private addresses.
B. allow →❌Not a valid NAT action.
C. passthrough →❌Used in mangle rules to continue processing additional rules, not for NAT.
D. tarpit →❌Used to delay TCP connections (often in firewall, not NAT).
MTCNA Course Manual – NAT Chapter:
“Masquerade is a special form of source NAT where the router replaces the source IP with the IP address of the outgoing interface.”
René Meneses Guide – NAT Configuration:
“Use masquerade on the router’s WAN interface to give internet access to private clients.”
Terry Combs Notes – NAT Rule Actions:
“Masquerade = dynamic src-nat. Useful when public IP is dynamic or unknown.”
Answer: AQUESTION NO: 62 [PPP / AAA]
Router A and B are both running as PPPoE servers on different broadcast domains of your network. It is possible to set Router A to use "/ppp secret" accounts from Router B to authenticate PPPoE customers.
A. true
B. false
Answer: B
/ppp secret accounts are local to each RouterOS device. These credentials are stored in the router’s own configuration and cannot be shared directly between routers.
To centralize authentication across multiple routers, a RADIUS server must be used. With RADIUS, multiple MikroTik routers can authenticate users against a single, centralized user database.
Without RADIUS or another external AAA system:
Each router maintains its own /ppp secret list
Router A cannot directly read or use the /ppp secrets from Router B
Evaluation:
A.❌False. There is no built-in mechanism for Router A to access secrets on Router B.
B.✅Correct. You must use RADIUS if you want shared authentication across routers.
MTCNA PPP Module – Authentication Methods:
“/ppp secrets are stored locally on the router. For shared user authentication, configure RADIUS.”
René Meneses Study Guide – PPPoE and RADIUS:
“To authenticate clients on multiple routers with a central database, RADIUS is required.”
Terry Combs Notes – PPP Secrets vs RADIUS:
“Local secrets cannot be accessed remotely. Use RADIUS to centralize authentication.”
Answer: B
What is the term for the hardware coded address found on an interface?
FQDN Address
IP Address
Interface Address
MAC Address
The hardware-coded address that uniquely identifies a device's network interface card (NIC) on the local network is called a MAC address. It is “burned in” by the hardware manufacturer and remains constant unless manually overridden.
MAC stands for Media Access Control, and it operates at Layer 2 of the OSI model. It is used to identify devices on a local area network.
A. FQDN (Fully Qualified Domain Name) refers to a human-readable name used in DNS.
B. IP Address is a logical address used for routing at Layer 3.
C. Interface Address is a generic term and not a standard identifier.
D. MAC Address is correct and refers to the physical, hardware-encoded address on an interface.
Extract from MTCNA Course Manual – RouterBOARD Overview:
“A MAC address is a globally unique hardware identifier assigned to each Ethernet or wireless interface. It is used by Layer 2 to ensure local delivery.”
René Meneses Study Guide – MAC & OSI Layering:
“The MAC address is a 48-bit physical identifier, hardcoded by the device vendor and located in the NIC chip.”
Terry Combs MTCNA Notes – Layer 2 Concepts:
“MAC = Physical Address = Layer 2 Identifier. It’s what switches use to forward Ethernet frames.”
===========
Copyright © 2021-2025 CertsTopics. All Rights Reserved
