How many usable IP addresses are there in a 20-bit subnet?
2047
4096
2048
2046
4094
A /20 subnet means 32 - 20 = 12 bits are available for host addresses.
Total IPs: 2¹² = 4096
Usable IPs = 4096 - 2 = 4094 (excluding network and broadcast addresses)
Therefore, 4094 usable IP addresses exist in a /20 subnet.
Option breakdown:
A. 2047 → Incorrect, would apply to a /21 subnet (2048 total - 1)
B. 4096 → Incorrect, total IPs, not usable
C. 2048 → Incorrect
D. 2046 → Incorrect
E. 4094 → ✔ Correct
Extract from MTCNA Course Material – IP Addressing/Subnetting Section:
"Number of usable hosts = 2^host-bits - 2 (network and broadcast). For /20, 2^12 - 2 = 4094."
Extract from Terry Combs Notes – IP Subnet Calculations:
“A /20 gives 4096 IPs total, 4094 usable.”
===========
What is the default TTL (time to live) on a router that an IP packet can experience before it will be discarded?
60
30
1
64
TTL (Time to Live) is a field in the IP header that limits the number of hops a packet can travel. Each router that processes the packet decrements the TTL by 1. When TTL reaches 0, the packet is dropped.
Default TTL values vary by operating system, but in RouterOS and many Linux-based systems, the default TTL is 64.
A. 60 → Incorrect, used in some systems but not the MikroTik default
B. 30 → Incorrect
C. 1 → Incorrect; would allow only one hop
D. 64 → ✔ Correct
Extract from Official MTCNA Course Material – TTL Field Explanation:
"The default TTL in RouterOS and most Unix-like systems is 64. Each router decrements this by 1 until the packet is discarded."
Extract from René Meneses Study Guide – IP Protocol Details:
“TTL is initialized to 64 by default in MikroTik RouterOS.”
Extract from MikroTik Wiki – IP Protocol Section:
"RouterOS sets default TTL of 64 unless manually configured otherwise."
===========
If 'check-gateway' is enabled for an ECMP route and one of the gateways is unreachable, then:
ECMP is going to send packets to all gateways even if one is unreachable
The unreachable gateway is not going to be used in the Round Robin algorithm
The ECMP route becomes inactive
When multiple gateways are used in an ECMP (Equal Cost Multi-Path) configuration, the check-gateway option ensures that RouterOS will actively monitor the health of each gateway using ping (or ARP). If a gateway becomes unreachable, RouterOS temporarily removes it from the active ECMP gateway list.
A. ✘ Incorrect – Unreachable gateways are excluded from packet forwarding.
B. ✔ Correct – Only reachable gateways are used in the ECMP round robin logic.
C. ✘ Incorrect – The entire ECMP route remains active; only the failed gateway is excluded.
Extract from MTCNA Course Material – ECMP Routing:
“With check-gateway enabled, RouterOS will exclude unreachable gateways from ECMP rotation.”
Extract from MikroTik Wiki – Check-Gateway Option:
“When a gateway is unreachable, it is skipped in ECMP logic until it becomes reachable again.”
Extract from René Meneses Study Guide – ECMP and Gateway Monitoring:
“Check-gateway helps prevent blackholing by skipping dead gateways. The route remains active.”
==================================
To use masquerade, you need to specify:
action=accept, out-interface, chain=src-nat
action=masquerade, out-interface, chain=src-nat
action=masquerade, in-interface, chain=src-nat
action=masquerade, out-interface, chain=dst-nat
Masquerading is a form of source NAT (src-nat) where the router dynamically replaces the source address of outgoing packets with the IP address of the router’s outgoing interface. This is commonly used when internal LAN clients access the internet through a single public IP.
Key points for masquerade configuration:
Use chain=src-nat (because it modifies the source address)
Use action=masquerade
Specify the out-interface (i.e., the WAN interface)
MTCNA Course Material – NAT Section:
“To configure masquerading, use chain=src-nat and action=masquerade. Specify out-interface to define the traffic direction.”
René Meneses MTCNA Study Guide – NAT Examples:
“Masquerade automatically uses the IP address of the specified out-interface. Required parameters: chain=src-nat, action=masquerade, out-interface.”
MikroTik Wiki – Source NAT / Masquerade:
“Masquerade is a special form of src-nat. You must use it in chain=src-nat and define the out-interface for which NAT will be applied.”
Option A: Incorrect action=accept (used in filter rules, not NAT)
Option C: in-interface is not applicable here
Option D: chain=dst-nat is used for destination NAT, not source NAT
Only Option B is fully correct.
Final Answer: B
QUESTION NO: 94 [Tools]
In which situations can Netinstall NOT be used to install a RouterBOARD?
A. The router does not have an operating system
B. The router is connected only to a wireless network
C. You do not know the password of the router
D. The router is connected only to a secondary Ethernet port
Answer: B
Netinstall works over a wired Ethernet connection and uses PXE or Etherboot to install RouterOS over the network. It cannot function over wireless, as wireless interfaces do not support PXE booting or Netinstall protocols.
MTCNA Course Material – Netinstall Overview:
“Netinstall requires a direct Ethernet connection between the PC and the router. Wireless interfaces are not supported for Netinstall procedures.”
René Meneses MTCNA Guide – Netinstall:
“Netinstall only works over Ethernet. You cannot Netinstall a device connected only through Wi-Fi.”
MikroTik Wiki – Netinstall Prerequisites:
“Router must be connected via Ethernet. Wireless and USB interfaces are not supported.”
Other options:
A: This is a typical use case (installing RouterOS when OS is missing)
C: Netinstall bypasses password (not needed)
D: Netinstall can work via any Ethernet port, provided it's accessible
Final Answer: B
QUESTION NO: 95 [Monitoring and Logging]
MikroTik RouterOS is sending logs to an external syslog server. Which protocol and port is used by RouterOS for sending logs (by default)?
A. UDP 514
B. UDP 21
C. UDP 113
D. TCP 110
Answer: A
RouterOS uses the industry-standard syslog protocol for remote logging. By default, syslog uses UDP port 514.
MTCNA Course Material – Logging Section:
“For sending logs to a remote syslog server, RouterOS uses the syslog protocol on UDP port 514 by default.”
René Meneses MTCNA Guide – Monitoring & Logging:
“External logging is done using UDP port 514, which is the standard syslog protocol port.”
MikroTik Wiki – Logging Configuration:
“To send logs to a remote server, configure an action of type remote with a remote address and use UDP port 514 unless otherwise changed.”
Other ports:
UDP 21 = FTP (not logging)
UDP 113 = Ident protocol
TCP 110 = POP3
Only UDP 514 is correct.
Final Answer: A
QUESTION NO: 96 [RouterBOARD Hardware]
Can you manually add drivers to RouterOS in case your PCI Ethernet card is not recognized, and you suspect it is a driver issue?
A. Yes
B. No
Answer: B
RouterOS is a closed, embedded Linux-based system. It does not support adding custom drivers or compiling modules manually. You must use supported hardware that is natively compatible with RouterOS.
MTCNA Course Material – RouterBOARD Compatibility:
“RouterOS supports a fixed set of drivers. You cannot install third-party drivers or modules.”
René Meneses MTCNA Guide – Hardware Limitations:
“Custom drivers cannot be added to RouterOS. Use only supported network interface cards as listed by MikroTik.”
MikroTik Wiki – Hardware Support:
“RouterOS does not allow manual driver installation. All drivers are precompiled and built into the system image.”
Therefore, if your PCI Ethernet card is not recognized, you must replace it with a compatible model — you cannot add a driver manually.
On the advanced menu of the wireless setup there is a parameter called “Area”. It works directly with:
Connect List
Access List
None of these
Security Profile
The “Area” parameter is a user-defined tag in the wireless interface configuration that works with the Access List in MikroTik RouterOS. It allows grouping of clients or APs for filtering or configuration logic.
When an Access List rule includes an area name, it will only apply to devices matching that area.
Option breakdown:
A. Connect List → Incorrect. Area is not used here.
B. Access List → ✔ Correct. “Area” is matched directly in Access List rules.
C. None of these → Incorrect.
D. Security Profile → Incorrect. Security Profiles control authentication/encryption, not area filtering.
Extract from Official MTCNA Course Material – Wireless Access List:
"The Area field allows you to group wireless interfaces and filter clients based on Access List rules that include this tag."
Extract from Terry Combs Notes – Wireless Configuration:
“Area is a label that can be referenced in Access List rules to apply rules selectively.”
Extract from MikroTik Wiki – Wireless Access List Section:
"Area is used in Access List to assign rules based on interface groups or locations."
What can be used as ’target-address’ in the simple queue?
client’s MAC address
server’s address
address list name
client’s address
In MikroTik’s Simple Queues, the target-address field is used to define the IP address of the device (host) to which the queue will apply. This must be an IP address — not a MAC address or an address list name.
Let’s evaluate:
A. ❌ MAC address is not supported as target-address in simple queues
B. ❌ "server’s address" is vague; if it means an IP, then it could work, but the best answer is "client’s address"
C. ❌ Address lists can be used in firewall and mangle rules, but not directly in simple queues
D. ✅ Correct – An individual IP address (like 192.168.1.100) can be assigned as the target-address
MTCNA Course Manual – Simple Queue Structure:
“Use the target-address field to apply a queue to a specific host by IP.”
René Meneses Guide – Queue Setup:
“Only IP addresses can be used as targets in simple queues. Address lists are not accepted.”
Terry Combs Notes – Bandwidth Limiting:
“Target-address = device IP. MACs and lists are not allowed here.”
Answer: D
QUESTION NO: 75 [RouterOS Introduction]
What kind of users are listed in the "/user" menu?
A. router users
B. wireless users
C. Hot-Spot users
D. PPTP users
Answer: A
The /user menu in MikroTik RouterOS lists users who are allowed to log in to the router itself — via Winbox, SSH, WebFig, console, or API. These are administrative users of the RouterOS system.
Let’s evaluate:
A. ✅ Correct – These are RouterOS users (admin, techs, operators)
B. ❌ Wireless users are authenticated via security-profiles and access-lists
C. ❌ Hotspot users are managed under /ip hotspot user
D. ❌ PPTP users are managed under /ppp secrets
MTCNA User Management Section:
“/user is used to configure login accounts for RouterOS access.”
René Meneses Guide – User Types:
“Only RouterOS admin users are listed under /user. VPN and hotspot users are managed elsewhere.”
Terry Combs Notes – User Menu Summary:
“/user = login to router (Winbox/SSH). Not for PPP or hotspot authentication.”
Answer: A
QUESTION NO: 76 [RouterBOARD Hardware]
What is the default baud rate of currently manufactured RouterBOARDs?
A. 9600
B. 115200
C. 38400
D. 11520
Answer: B
The default serial console baud rate for most modern MikroTik RouterBOARD devices is 115200 bps. This is important when accessing the router via serial console (e.g., through RS-232 or USB-to-serial adapters).
Let’s evaluate:
A. 9600 → ❌ Too slow; used in legacy systems
B. 115200 → ✅ Correct default for MikroTik boards
C. 38400 → ❌ Incorrect
D. 11520 → ❌ Typo; not a standard rate
MTCNA Hardware Module – Serial Access:
“Default baud-rate is 115200. Use this setting when connecting via serial cable.”
René Meneses Study Guide – RouterBOARD Console Access:
“Use 115200 baud to access RouterBOARD via serial port.”
Terry Combs Notes – Serial Console Tips:
“Almost all modern RouterBOARDs use 115200 as default serial speed.”
Answer: B
QUESTION NO: 77 [Routing]
When viewing the routes in Winbox, some routes will show "DAC" in the first column. These flags mean:
A. Dynamic, Available, Created
B. Dynamic, Active, Connected
C. Direct, Available, Connected
D. Dynamic, Active, Console
Answer: B
Route flags in MikroTik indicate how a route was created and its status:
D = Dynamic → Added automatically (e.g., by IP address assignment)
A = Active → Route is currently being used
C = Connected → Directly connected subnet or IP address
So:
DAC = Dynamic + Active + Connected → Usually created when you assign an IP address to an interface.
Let’s review:
A. ❌ "Available" and "Created" are not valid flags
B. ✅ Correct – matches MikroTik routing flag definitions
C. ❌ “Direct” and “Available” are not valid route flags in MikroTik
D. ❌ "Console" is not a route flag
MTCNA Routing Section – Route Flag Definitions:
“D – Dynamic, A – Active, C – Connected. These appear when the router creates a route based on interface IP.”
René Meneses Guide – Route Table Interpretation:
“DAC is the most common flag combination. Dynamic and connected routes are automatically active.”
Terry Combs Notes – Route Status Flags:
“D = Dynamic, A = Active, C = Connected. Common on local interfaces.”
════════════════════════════════════════════
What wireless card can we use to achieve 100 Mbps actual wireless throughput?
802.11 b/g
802.11 a/b/g
802.11 a
802.11 a/n
802.11 a/b/g/n
To achieve actual throughput of 100 Mbps, you must use 802.11n, which supports higher data rates through technologies such as MIMO (Multiple Input, Multiple Output) and channel bonding. 802.11n provides theoretical speeds up to 150 Mbps per stream and actual throughput above 100 Mbps under good conditions.
802.11a/b/g maxes out around 20–25 Mbps real throughput
802.11n (especially in 5 GHz band via 802.11a/n) is required to exceed 100 Mbps actual throughput
MTCNA Course Material – Wireless Standards and Data Rates:
“802.11n with proper channel width and MIMO can achieve over 100 Mbps of real throughput.”
René Meneses MTCNA Study Guide – Wireless Performance:
“Only 802.11n can reach 100+ Mbps in practical use. Legacy modes (a/b/g) fall short due to modulation limits.”
Breakdown:
A/B/C: Do not support 100 Mbps throughput
D: ✔ 802.11a/n supports 100+ Mbps
E: While also valid, D is more precise for the specific requirement (focused on a/n only)
Final Answer: D
QUESTION NO: 156 [Firewall – Mangle Chains]
It is possible to add user-defined chains in ip firewall mangle.
A. True
B. False
Answer: A
RouterOS allows users to define custom chains in the mangle table, giving more flexibility for organizing and managing rules. This is particularly useful in complex routing and QoS configurations.
MikroTik Wiki – Firewall Mangle:
“Custom chains can be created using the add chain=your_chain_name command. Then you can jump to them from built-in chains.”
MTCNA Course Material – Mangle & Packet Flow:
“User-defined chains help separate logic and simplify processing. You can jump into them from prerouting, forward, or postrouting.”
Final Answer: A
QUESTION NO: 157 [Firewall – NAT and Redirect Actions]
Action=redirect allows you to make:
A. Transparent DNS Cache
B. Forward DNS to another device IP address
C. Enable Local Service
D. Transparent HTTP Proxy
Answer: D
In RouterOS, action=redirect is used in NAT rules to redirect traffic destined for specific ports to local services. This is often used for:
Transparent web proxy (redirect port 80 to a local proxy service)
Transparent DNS interception (if RouterOS is the DNS server)
In most practical MikroTik use cases, redirect is associated with Transparent HTTP Proxy.
MTCNA Course Material – NAT Configuration:
“action=redirect rewrites the destination address to the router’s own IP. It is commonly used to create transparent web proxies.”
MikroTik Wiki – NAT Redirect:
“Redirect is used for redirecting traffic to local services like web proxy or DNS cache on the router.”
Breakdown:
A: Possible, but limited use; DNS cache works better with dst-nat
B: Incorrect — to forward to another IP, use dst-nat
C: Misleading — enabling local services doesn't require redirect
D: ✔ Correct — redirect enables transparent proxy setup
Final Answer: D
QUESTION NO: 158 [Routing – Automatically Created Routes]
What letters appear next to a route that is automatically created by RouterOS when a user adds a valid address to an active interface?
A. I
B. D
C. A
D. S
E. C
Answer: E
In RouterOS, when an IP address is assigned to an interface, a connected route is automatically created. These routes are marked with the letter “C” in the routing table, denoting “Connected.”
MikroTik Wiki – Routing Table Flags:
“C – directly connected routes (assigned via /ip address), added automatically when interface is active.”
MTCNA Course Material – Static vs Dynamic Routes:
“Connected (C) routes are added automatically when IP is assigned to an interface.”
Flag meanings:
C: ✔ Connected
S: Static
D: Dynamic
A: Active (not a route type)
I: Invalid or intermediate (not shown for connected)
Action=redirect is applied in:
chain=srcnat
chain=forward
chain=dstnat
The redirect action is only valid in the dstnat chain. It is used to redirect traffic to a service running on the router itself (e.g., redirecting HTTP to a local proxy server).
A. ✘ srcnat – Not compatible with redirect
B. ✘ forward – Redirect doesn’t apply in this chain
C. ✔ dstnat – This is the correct and only supported chain for action=redirect
Extract from Official MTCNA Course Material – NAT Actions:
“The redirect action is used within the dstnat chain to forward packets to the router’s local services.”
Extract from MikroTik Wiki – NAT Rule Actions:
“Redirect is used in dstnat chain and changes destination address to a local router IP and port.”
===========
You want to transfer existing '/ip firewall filter' configuration from one router to a new system.
Choose the best possible way to do it:
Export only '/ip firewall filter'
Create backup only of '/ip firewall filter' rules
Create backup, edit backup file and restore on target router
Export global configuration and remove everything apart from '/ip firewall filter'
The best way to transfer only the firewall filter rules is to use the export command for just that section:
Command:
/ip firewall filter export
This produces a readable script containing only the firewall filter rules. This method is safer than editing binary backups and more efficient than exporting the global configuration and deleting unrelated parts.
Evaluation:
A. ✅ Correct – clean and script-based approach
B. ❌ You cannot selectively back up just firewall rules using the backup function (it’s system-wide)
C. ❌ Editing a backup file is not recommended and often not possible (it’s binary)
D. ❌ Too cumbersome and error-prone
MTCNA Course Manual – Configuration Transfer:
“Use export to get script output of specific sections. Backups are for full system restore.”
René Meneses Guide – Migrating Configurations:
“Export is recommended for transferring specific configurations like firewall rules.”
Terry Combs Notes – Export vs Backup:
“Backups = full system. Use export for clean, readable configuration transfer.”
Answer: A
QUESTION NO: 79 [DHCP]
How many DHCP servers can be configured per interface on RouterOS?
A. Five
B. One
C. Two
D. Unlimited
Answer: B
RouterOS allows only one DHCP server instance per interface. If you attempt to assign more than one DHCP server to the same interface, RouterOS will throw an error.
If you need to serve multiple subnets or ranges, this must be done on different interfaces or by configuring DHCP relay or advanced routing.
MTCNA DHCP Module – Server Configuration:
“One DHCP server per interface is allowed. Assigning multiple servers to a single interface is not supported.”
René Meneses Study Guide – DHCP Design:
“Plan carefully: one server per interface. Use DHCP relay if multiple scopes are needed.”
Terry Combs Notes – DHCP Server Behavior:
“Trying to configure two servers on the same port results in failure.”
How many layers does the Open Systems Interconnection model have?
6
9
5
7
12
The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a communication system into seven distinct layers. It is used to understand and design computer networking systems.
The seven layers of the OSI model are:
Application
Presentation
Session
Transport
Network
Data Link
Physical
Each layer has its own specific purpose and interacts with adjacent layers to perform data transmission functions.
MTCNA Official Course Material – OSI Model Chapter:
“The OSI model consists of 7 layers. Understanding these layers is critical for troubleshooting and protocol analysis.”
René Meneses MTCNA Study Guide – OSI Model Section:
“There are exactly seven OSI layers. They range from the Physical Layer (Layer 1) to the Application Layer (Layer 7).”
Terry Combs Notes – OSI Summary Page:
“OSI = 7 Layers. The most important ones for network engineers are Layer 1 through Layer 4.”
Answer: D
QUESTION NO: 13 [Routing]
How many usable IP addresses are there in a 20-bit subnet?
A. 4096
B. 4094
C. 2046
D. 2048
E. 2047
Answer: B
A /20 subnet means that 20 bits are used for the network portion, and 12 bits are left for host addresses. The total number of IP addresses available in such a subnet is:
2^12 = 4096 (total addresses)
Usable IP addresses = 4096 - 2 = 4094
→ (1 address is reserved for the network ID, and 1 for the broadcast address)
MTCNA Course Manual – Subnetting and IP Allocation:
“A subnet with n host bits gives 2^n total addresses. Always subtract 2 to account for network and broadcast addresses.”
René Meneses Study Guide – Subnet Calculations:
“/20 = 12 host bits → 4096 total IPs. Usable = 4094. Remember to subtract 2.”
Terry Combs MTCNA Notes – Addressing Math:
“20-bit subnet = 4094 usable IPs. Know how to compute 2^x and subtract 2.”
Answer: B
QUESTION NO: 14 [Routing]
You have a router with the following configuration:
Public IP: 202.168.125.45/24
Default gateway: 202.168.125.1
DNS server: 248.115.148.136, 248.115.148.137
Local IP: 192.168.2.1/24
Mark the correct configuration on client PC to access the Internet:
A. IP: 192.168.0.1/24, gateway: 192.168.2.1
B. IP: 192.168.2.253/24, gateway: 202.168.0.1
C. IP: 192.168.2.115/24, gateway: 192.168.2.1
D. IP: 192.168.2.2/24, gateway: 202.168.125.45
E. IP: 192.168.1.223/24, gateway: 248.115.148.136
Answer: C
To correctly configure a host in a private network behind a router:
The IP must match the local subnet (192.168.2.0/24)
The gateway must be the router’s local IP (192.168.2.1)
DNS settings can be default or custom, but IP and gateway must be valid
Let’s evaluate:
A. 192.168.0.1 → Wrong subnet (192.168.0.0/24 ≠ 192.168.2.0/24) ❌
B. Gateway 202.168.0.1 → Invalid internal gateway ❌
C. IP 192.168.2.115 with gateway 192.168.2.1 → ✅ Correct subnet and correct gateway
D. Gateway 202.168.125.45 → This is router’s public IP, not the correct gateway for LAN ❌
E. IP 192.168.1.223 → Wrong subnet; also, gateway is DNS IP ❌
MTCNA NAT Section – Network Configuration:
“Clients should be in the same subnet as the router’s local IP and must use that local IP as their gateway to reach outside networks.”
René Meneses Guide – Gateway and Addressing:
“The client’s IP should belong to the same subnet as the local router interface. Always verify gateway IP points to the internal address.”
Terry Combs Notes – Default Gateway Setup:
“The default gateway for local clients must be the internal router IP — not the public or DNS IP.”
Answer: C
QUESTION NO: 15 [RouterBOARD Hardware]
Collisions are possible in full-duplex Ethernet networks:
A. true
B. false
Answer: B
In full-duplex Ethernet, devices can transmit and receive simultaneously on separate physical or logical channels. This eliminates the possibility of collisions because there is no need for devices to listen before transmitting — unlike half-duplex Ethernet, which uses CSMA/CD to manage potential collisions.
Full-duplex connections are the standard in modern switching environments and are always collision-free.
MTCNA Official Course Material – Ethernet & Duplex Modes:
“In full-duplex Ethernet, there are separate transmit and receive paths, and therefore, collisions cannot occur.”
René Meneses Study Guide – Ethernet Basics:
“Full-duplex = simultaneous send/receive = no collisions. Collisions are a legacy issue from half-duplex Ethernet.”
Terry Combs MTCNA Notes – CSMA/CD and Ethernet:
“Collision Detection (CD) is not used in full-duplex. Only half-duplex environments use CSMA/CD to manage access.”