Which firewall chain should you use to filter clients' HTTP traffic going through the router?
A. prerouting
B. forward
C. output
D. input
The Answer Is: B
Explanation:
When a router forwards traffic between two interfaces (such as from LAN to WAN), it uses the forward chain. HTTP traffic that clients send to external servers passes through this chain.
A. ✘ prerouting – Used mainly for routing decisions and NAT, not filtering.
B. ✔ forward – Used to filter transit traffic.
C. ✘ output – For traffic originating from the router itself.
D. ✘ input – For traffic destined to the router itself.
Extract from MTCNA Course Material – Firewall Chains:
“Client-to-server traffic, like browsing the web, passes through the forward chain when routed through the router.”
Extract from René Meneses Study Guide – Firewall Structure:
“To block or allow traffic passing through the router (LAN to Internet), use the forward chain.”
Extract from MikroTik Wiki – Firewall Filtering Overview:
“forward: filters all transit traffic routed through the router.”
===========
The DoD model (also called the TCP/IP stack) has four layers. Which layer of the DoD model is equivalent to the Network layer of the OSI model?
A. Application
B. Host-to-Host
C. Internet
D. Network Access
The Answer Is: C
Explanation:
The TCP/IP or DoD model includes the following layers:
Application
Host-to-Host
Internet
Network Access
The Internet layer in the DoD model is responsible for logical addressing and routing — matching the function of the OSI model's Layer 3 (Network Layer), which handles IP addressing and packet forwarding.
MTCNA Course Material – TCP/IP vs OSI Model:
“The Internet layer of the TCP/IP model maps directly to the OSI’s Network Layer and is responsible for logical addressing and routing.”
René Meneses MTCNA Study Guide – Layer Mapping Table:
“TCP/IP Internet Layer = OSI Network Layer. Handles IP routing, addressing.”
Other mappings:
Application = OSI Layers 5–7
Host-to-Host = OSI Layer 4 (Transport)
Network Access = OSI Layers 1–2
Final Answer: C
QUESTION NO: 114 [RouterOS Introduction – ARP]
Which of the following allows a router to respond to an ARP request that is intended for a remote host?
A. Gateway DP
B. Reverse ARP (RARP)
C. Proxy ARP
D. Inverse ARP (IARP)
Answer: C
Proxy ARP allows a router to answer ARP requests on behalf of another device. It is often used in networks where hosts don't have proper default gateways but still need to communicate with devices in different subnets.
MTCNA Course Material – ARP Types:
“Proxy ARP allows a router to respond to an ARP request for an IP address that is not on the local subnet, effectively acting as a proxy.”
René Meneses MTCNA Guide – ARP Configuration:
“Proxy ARP is useful for bridging two IP networks or for clients that do not have default gateways defined.”
MikroTik Wiki – ARP Modes:
“When Proxy ARP is enabled, the router replies to ARP requests for hosts that are not on the same subnet.”
Other options:
A: Gateway DP is not a standard term or protocol.
B: RARP maps MAC to IP — outdated and not used in this context.
D: Inverse ARP is used in Frame Relay, not Ethernet/IP networks.
Final Answer: C
QUESTION NO: 115 [DHCP]
You want to implement a mechanism that automates the IP configuration, including IP address, subnet mask, default gateway, and DNS information. Which protocol will you use to accomplish this?
A. SMTP
B. SNMP
C. DHCP
D. ARP
Answer: C
DHCP (Dynamic Host Configuration Protocol) is specifically designed to assign IP configuration details automatically to clients on a network, including:
IP address
Subnet mask
Default gateway
DNS servers
MTCNA Course Material – DHCP Server Function:
“DHCP is a service that dynamically assigns IP settings to clients, removing the need for manual configuration.”
René Meneses MTCNA Study Guide – DHCP Operation:
“DHCP provides automatic configuration of network parameters including IP, mask, DNS, and gateway.”
Other options:
A: SMTP is for email
B: SNMP is for monitoring
D: ARP resolves IP-to-MAC addresses
Final Answer: C
QUESTION NO: 116 [DHCP]
Which of the following describe the DHCP Discover message?
1. It uses FF:FF:FF:FF:FF:FF as a layer 2 broadcast.
2. It uses UDP as the Transport layer protocol.
3. It uses TCP as the Transport layer protocol.
4. It does not use a layer 2 destination address.
A. 1 only
B. 1 and 2
C. 3 and 4
D. 4 only
Answer: B
When a client sends a DHCP Discover message:
It does not yet have an IP address, so it sends a Layer 2 broadcast (FF:FF:FF:FF:FF:FF).
DHCP uses UDP, not TCP.
Specifically, it uses UDP port 67 (server) and 68 (client).
Layer 2 destination is broadcast — it certainly does use a Layer 2 address.
MTCNA Course Material – DHCP Process:
“The client broadcasts a DHCP Discover message to FF:FF:FF:FF:FF:FF using UDP ports 67 and 68.”
René Meneses MTCNA Study Guide – DHCP Message Types:
“DHCP uses UDP. Discovery messages are Layer 2 broadcasts to locate a DHCP server.”
MikroTik Wiki – DHCP Protocol Behavior:
“The Discover message uses UDP and broadcast MAC addressing.”
Statements:
1: True (Layer 2 broadcast)
2: True (Uses UDP)
3: False (TCP not used)
4: False (Layer 2 destination address is broadcast)
────────────────────────────────────────────────────────────
Using wireless connect-list it’s possible to prioritize connection to one Access Point over another Access Point by changing the order of the entries.
A. False
B. True
The Answer Is: B
Explanation:
The connect-list in RouterOS is used to define rules for wireless client behavior when connecting to available Access Points. You can define multiple entries in the connect-list, and RouterOS processes them in top-down order. This allows prioritization of APs based on criteria such as SSID, signal strength, and MAC address.
MTCNA Course Material – Wireless Client Settings:
“The connect-list determines the order in which the wireless client will try to associate with Access Points. Entries are processed from top to bottom, allowing prioritized connection attempts.”
René Meneses MTCNA Study Guide – Wireless & Connect-List Section:
“By placing the most preferred AP at the top of the connect-list, you ensure it is attempted first. Reordering entries is used to manage roaming behavior and priority.”
MikroTik Wiki – Wireless Client & Connect List:
“The client will attempt to connect to the first matching entry in the connect list. This means the connect list can be used to define AP priorities.”
Therefore, the statement is true.
Final Answer: B
QUESTION NO: 98 [Hotspot]
What configuration is added by /ip Hot-Spot setup command? (Select all that apply)
A. /ip service
B. /ip Hot-Spot user
C. /ip Hot-Spot walled-garden
D. /ip dhcp-server
E. /queue tree
Answer: B, C, D
The /ip hotspot setup command is a wizard used to quickly deploy a HotSpot service on a selected interface. It automatically creates several configurations necessary for a functional HotSpot environment:
Creates a default user in /ip hotspot user
Adds entries in /ip hotspot walled-garden to allow access to login page
Configures a DHCP server on the selected interface if not present
MTCNA Course Material – HotSpot Setup Wizard:
“The hotspot setup creates a user, configures a DHCP server, and sets up walled garden entries. It does not touch system services or create queue trees by default.”
René Meneses MTCNA Guide – HotSpot Setup Section:
“After running hotspot setup, you will find new configurations in /ip hotspot user, /ip hotspot walled-garden, and /ip dhcp-server. The system automatically assigns IP pools and login pages.”
MikroTik Wiki – HotSpot Setup Overview:
“The setup creates a DHCP server, login page, user entry, and basic NAT and walled garden rules.”
Option A: /ip service is unrelated
Option E: /queue tree is not configured by the setup wizard
Final Answer: B, C, D
QUESTION NO: 99 [PPP]
What kind of users are listed in the Secrets window of the PPP menu?
A. Hot-Spot users
B. wireless users
C. l2tp users
D. pptp users
E. pppoe users
F. winbox users
Answer: C, D, E
The /ppp secret menu is used in RouterOS to manage usernames and passwords for Point-to-Point Protocol (PPP) based services, including:
PPPoE (Point-to-Point Protocol over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
It does not include HotSpot users, wireless clients, or Winbox users.
MTCNA Course Material – PPP User Authentication:
“The PPP secret database stores credentials for services like PPPoE, PPTP, and L2TP.”
René Meneses MTCNA Study Guide – PPP Configuration Section:
“Users for PPP-based protocols are configured under PPP → Secrets. This includes PPPoE, PPTP, and L2TP.”
MikroTik Wiki – PPP Secrets Window:
“Secrets are used to authenticate users for all PPP interfaces. HotSpot users are managed separately under /ip hotspot user.”
Option A: HotSpot users → /ip hotspot user
Option B: Wireless users connect via WPA/802.11 — not listed in PPP
Option F: Winbox users refer to /user under system user management
Final Answer: C, D, E
QUESTION NO: 100 [RouterOS Introduction]
Select valid MAC-address:
A. G2:60:CF:21:99:H0
B. 00:00:5E:80:EE:B0
C. AEC8:21F1:AA44:54FF:1111:DDAE:0212:1201
D. 192.168.0.0/16
Answer: B
A valid MAC address must meet the following criteria:
Be 6 bytes (48 bits) in length
Consist of only hexadecimal digits (0–9, A–F)
Written in six groups separated by colons or hyphens (e.g., 00:1A:2B:3C:4D:5E)
MTCNA Course Material – RouterOS MAC Address Basics:
“MAC addresses are 48-bit identifiers written as six pairs of hexadecimal digits. Invalid characters or incorrect length disqualifies an address.”
René Meneses MTCNA Guide – MAC Addressing Section:
“Each MAC is made up of 12 hexadecimal characters (6 octets). If a character like ‘G’ appears, or if it’s longer than 6 bytes, it is invalid.”
MikroTik Wiki – MAC Addressing Rules:
“Valid MAC format: XX:XX:XX:XX:XX:XX using only 0-9 and A-F. 192.168.0.0/16 is an IP subnet, not a MAC.”
Option A: Invalid — “G” and “H” are not hexadecimal characters
Option B: Valid — proper format and hex content
Option C: Invalid — Too long (appears to be IPv6 or malformed)
Option D: Invalid — this is an IP network (CIDR notation), not a MAC
Only Option B is correct.
You have a DHCP server on your MikroTik router. The IP addresses 10.1.2.2–10.2.2.20 are distributed in the DHCP network. Additionally, 3 static IP addresses are defined for your servers: 10.1.2.31–10.1.2.33.
After a while, 20 more IP addresses need to be distributed in the network. It is possible to distribute the extra IP addresses without adding another DHCP Server:
A. True
B. False
The Answer Is: A
Explanation:
MikroTik RouterOS allows DHCP administrators to modify the DHCP address pool without creating an additional DHCP server. You can simply edit or extend the address pool range, and the DHCP server will start offering those new IPs.
Therefore, it is completely possible to:
Extend the existing address pool
Exclude statically assigned IPs
Continue using the same DHCP Server instance
You do NOT need to create a second DHCP server on the same interface.
MTCNA Course Manual – DHCP Configuration:
“It is possible to expand the address-pool dynamically without adding additional DHCP servers. Just add more IPs to the pool.”
René Meneses Study Guide – DHCP Pools Section:
“You can edit the address pool associated with the DHCP server anytime to include more addresses. No need to create another server.”
Terry Combs Notes – DHCP Tips:
“Keep one DHCP server per subnet. Extend pools via IP > Pool if more IPs are needed.”
Answer: A
QUESTION NO: 25 [Wireless]
In which order are the entries in Access List and Connect List processed?
A. By Signal Strength Range
B. By interface name
C. In sequence order
D. In a random order
Answer: C
MikroTik processes the entries in the Access List and Connect List in a top-down fashion, meaning that the first matching entry is the one applied. This is known as sequence order (from top to bottom).
Each rule is checked in the order it appears in the list, and once a match is found, the rest of the list is ignored for that client.
Incorrect options:
A. Signal strength is only a condition, not a sorting method
B. Interface names are part of rule conditions
D. Not random — rules are processed sequentially
MTCNA Official Training Manual – Wireless Access & Connect List:
“Rules in access-list and connect-list are checked in the order they are listed. Once a match is found, further rules are ignored.”
René Meneses Guide – Wireless Access Rules:
“Access-list is evaluated top-down. Sequence matters.”
Terry Combs MTCNA Notes – Wireless Filtering:
“Be careful with order. The first matching rule is applied — no exceptions.”
Answer: C
QUESTION NO: 26 [Wireless]
During a scan, in order to see all the available wireless frequencies that are supported by the card, the following option must be selected in the wireless card's "Frequency Mode":
A. superchannel
B. regulatory domain
C. manual txpower
Answer: A
In MikroTik RouterOS, enabling the "superchannel" frequency mode allows access to all frequencies supported by the wireless chip, including those that may be outside of country-specific regulatory limits. This mode is typically used in lab testing or in regions where regulations permit.
A. superchannel → ✅ Correct. Enables full frequency range
B. regulatory domain → Restricts visible frequencies to region’s law
C. manual txpower → Controls power output, not frequency scanning
MTCNA Course Material – Wireless Configuration Options:
“To unlock all available wireless frequencies for scanning or connection, enable the 'superchannel' frequency mode.”
René Meneses Study Guide – Wireless Advanced Config:
“Superchannel mode shows all channels supported by the hardware. Use with caution — may violate regulations.”
Terry Combs Notes – Wireless Modes:
“Want to see hidden or extended frequencies? Use superchannel mode. Not legal in every region.”
Answer: A
QUESTION NO: 27 [NAT]
It is required to make a web server on a private LAN visible on the public internet. Only the web server port should be visible to the public. Which of the following configuration steps must be met? (Select all that apply)
A. Public IP address of the web server must be installed on the NAT Router
B. In IP firewall NAT, there should be a dst-nat between the public IP of the router and the private IP of the web server
C. Connection Tracking must be enabled on NAT router
D. A route between the NAT router and the web server must exist
E. LAN address of the web server should be routable on the internet
Answer: B, C, D
To expose a web server behind a MikroTik router to the public, the following steps must be met:
B. dst-nat rule must be created to forward incoming requests (e.g., TCP port 80) to the internal web server IP → ✅ Required
C. Connection Tracking must be enabled, otherwise NAT rules won’t function → ✅ Required
D. A route between the NAT router and the web server must exist (usually a directly connected subnet) → ✅ Required
Incorrect Options:
A. The public IP does not need to be installed on the web server — it remains private → ❌
E. Private LAN IP (like 192.168.x.x) does not need to be routable on the internet → ❌
MTCNA Course Manual – NAT and Port Forwarding Section:
“To expose internal services to the public internet, use dst-nat. Ensure connection tracking is active and the server is reachable through routing.”
René Meneses Guide – NAT Configuration:
“DST-NAT forwards specific ports to internal IPs. Connection tracking is a prerequisite. LAN IPs remain private.”
Terry Combs Notes – Web Server NAT Rules:
“No need to assign public IP to server. Just configure a proper NAT rule and ensure routing exists internally.”
════════════════════════════════════════════
If ARP=reply-only is configured on an interface, this interface will:
A. accept all MAC-addresses listed in '/ip arp' as static entries
B. accept IP and MAC address combinations listed in '/ip arp' list
C. add new MAC addresses in '/ip arp' list
D. add new IP addresses in '/ip arp' list
E. accept all IP addresses listed in '/ip arp' as static entries
The Answer Is: B
Explanation:
When ARP is set to reply-only on a MikroTik interface, the router will not respond to any ARP requests unless a matching static entry exists in the /ip arp list. It will also not learn new dynamic entries — only pre-defined static IP-MAC pairs will be accepted and responded to.
Option breakdown:
A. ✘ Incorrect – The router doesn't operate solely based on MAC, but on IP-MAC pairings.
B. ✔ Correct – Only combinations that match entries in /ip arp are accepted.
C. ✘ Incorrect – reply-only mode disables dynamic ARP learning.
D. ✘ Incorrect – Again, no new IPs are dynamically added.
E. ✘ Incorrect – Static ARP is enforced by IP-MAC pairs, not just IP.
Extract from MTCNA Course Material – ARP Modes:
“Reply-only mode will respond to ARP requests only if a matching static ARP entry exists. No dynamic learning occurs.”
Extract from René Meneses Study Guide – ARP Explanation:
“Use ARP=reply-only to force strict IP-MAC pairing. It prevents spoofing but requires all valid pairs to be preconfigured.”
Extract from MikroTik Wiki – ARP Settings:
“reply-only: Only respond to ARP requests if the requester matches a static /ip arp entry. New dynamic entries are not created.”
===========
What is necessary for PPPoE client configuration?
A. Interface (on which PPPoE client is going to work)
B. Static IP address on PPPoE client interface
C. ip firewall nat masquerade rule
The Answer Is: A, C
Explanation:
To configure a PPPoE client on MikroTik, you need to:
Set the client interface (usually ether1 or another WAN-facing port).
Optionally add NAT masquerading to enable LAN users to reach the internet.
The IP address on the interface is assigned dynamically from the ISP after PPPoE negotiation, so a static IP is not required.
Option Analysis:
A. ✔ Required – You must select the interface that initiates the PPPoE connection.
B. ✘ Not Required – The IP is typically assigned by the PPPoE server (ISP).
C. ✔ Required – NAT masquerade is commonly used to allow internet access for private IP clients behind the router.
Extract from MTCNA Course Material – PPPoE Client Setup:
“The PPPoE client must have an interface specified. A NAT masquerade rule is recommended for internet access sharing.”
Extract from René Meneses MTCNA Study Guide – PPPoE:
“You do not need to assign a static IP to the PPPoE client interface. IP is received after successful login.”
Extract from MikroTik Wiki – PPPoE Client:
“After setting up the interface and credentials, PPPoE client negotiates and receives dynamic IP. Add NAT if routing LAN traffic.”
===========
How many layers does the Open Systems Interconnection model have?
A. 6
B. 9
C. 5
D. 7
E. 12
The Answer Is: D
Explanation:
The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a communication system into seven distinct layers. It is used to understand and design computer networking systems.
The seven layers of the OSI model are:
Application
Presentation
Session
Transport
Network
Data Link
Physical
Each layer has its own specific purpose and interacts with adjacent layers to perform data transmission functions.
MTCNA Official Course Material – OSI Model Chapter:
“The OSI model consists of 7 layers. Understanding these layers is critical for troubleshooting and protocol analysis.”
René Meneses MTCNA Study Guide – OSI Model Section:
“There are exactly seven OSI layers. They range from the Physical Layer (Layer 1) to the Application Layer (Layer 7).”
Terry Combs Notes – OSI Summary Page:
“OSI = 7 Layers. The most important ones for network engineers are Layer 1 through Layer 4.”
Answer: D
QUESTION NO: 13 [Routing]
How many usable IP addresses are there in a 20-bit subnet?
A. 4096
B. 4094
C. 2046
D. 2048
E. 2047
Answer: B
A /20 subnet means that 20 bits are used for the network portion, and 12 bits are left for host addresses. The total number of IP addresses available in such a subnet is:
2^12 = 4096 (total addresses)
Usable IP addresses = 4096 - 2 = 4094
→ (1 address is reserved for the network ID, and 1 for the broadcast address)
MTCNA Course Manual – Subnetting and IP Allocation:
“A subnet with n host bits gives 2^n total addresses. Always subtract 2 to account for network and broadcast addresses.”
René Meneses Study Guide – Subnet Calculations:
“/20 = 12 host bits → 4096 total IPs. Usable = 4094. Remember to subtract 2.”
Terry Combs MTCNA Notes – Addressing Math:
“20-bit subnet = 4094 usable IPs. Know how to compute 2^x and subtract 2.”
Answer: B
QUESTION NO: 14 [Routing]
You have a router with configuration
Public IP: 202.168.125.45/24
Default gateway: 202.168.125.1
DNS server: 248.115.148.136, 248.115.148.137
Local IP: 192.168.2.1/24
Mark the correct configuration on client PC to access the Internet:
A. IP: 192.168.0.1/24, gateway: 192.168.2.1
B. IP: 192.168.2.253/24, gateway: 202.168.0.1
C. IP: 192.168.2.115/24, gateway: 192.168.2.1
D. IP: 192.168.2.2/24, gateway: 202.168.125.45
E. IP: 192.168.1.223/24, gateway: 248.115.148.136
Answer: C
To correctly configure a host in a private network behind a router:
The IP must match the local subnet (192.168.2.0/24)
The gateway must be the router’s local IP (192.168.2.1)
DNS settings can be default or custom, but IP and gateway must be valid
Let’s evaluate:
A. 192.168.0.1 → Wrong subnet (192.168.0.0/24 ≠ 192.168.2.0/24) ❌
B. Gateway 202.168.0.1 → Invalid internal gateway ❌
C. IP 192.168.2.115 with gateway 192.168.2.1 → ✅ Correct subnet and correct gateway
D. Gateway 202.168.125.45 → This is router’s public IP, not the correct gateway for LAN ❌
E. IP 192.168.1.223 → Wrong subnet; also, gateway is DNS IP ❌
MTCNA NAT Section – Network Configuration:
“Clients should be in the same subnet as the router’s local IP and must use that local IP as their gateway to reach outside networks.”
René Meneses Guide – Gateway and Addressing:
“The client’s IP should belong to the same subnet as the local router interface. Always verify gateway IP points to the internal address.”
Terry Combs Notes – Default Gateway Setup:
“The default gateway for local clients must be the internal router IP — not the public or DNS IP.”
Answer: C
QUESTION NO: 15 [RouterBOARD Hardware]
Collisions are possible in full-duplex Ethernet networks:
A. true
B. false
Answer: B
In full-duplex Ethernet, devices can transmit and receive simultaneously on separate physical or logical channels. This eliminates the possibility of collisions because there is no need for devices to listen before transmitting — unlike half-duplex Ethernet, which uses CSMA/CD to manage potential collisions.
Full-duplex connections are the standard in modern switching environments and are always collision-free.
MTCNA Official Course Material – Ethernet & Duplex Modes:
“In full-duplex Ethernet, there are separate transmit and receive paths, and therefore, collisions cannot occur.”
René Meneses Study Guide – Ethernet Basics:
“Full-duplex = simultaneous send/receive = no collisions. Collisions are a legacy issue from half-duplex Ethernet.”
Terry Combs MTCNA Notes – CSMA/CD and Ethernet:
“Collision Detection (CD) is not used in full-duplex. Only half-duplex environments use CSMA/CD to manage access.”
/interface wireless access-list is used for:
A. Handles a list of Client's MAC Address to permit/deny connection to AP
B. Shows a list of Client's MAC Address that are already registered at AP
C. Contains the security profiles settings
D. Authenticate Hot-Spot users
The Answer Is: A
Explanation:
The /interface wireless access-list in MikroTik is used to define a set of rules that permit or deny wireless clients based on their MAC addresses and signal strength.
This list applies only to clients trying to connect to the router’s wireless interface when it is configured as an Access Point.
Let’s break down the options:
A. ✅ Correct – Used to allow or deny client MAC addresses and apply settings like rate limits, VLANs, etc.
B. ❌ That’s the role of the registration table.
C. ❌ Security profiles are configured separately under /interface wireless security-profiles.
D. ❌ Hotspot authentication is handled via /ip hotspot, not wireless access lists.
MTCNA Wireless Module – MAC Access Control:
“Access-list matches incoming clients by MAC. You can allow, deny, and apply custom settings.”
René Meneses Study Guide – Wireless Security:
“Access-list is used to explicitly permit or block clients based on their MAC address.”
Terry Combs Notes – Wireless Filtering:
“Think of access-list like a whitelist/blacklist for Wi-Fi clients.”
Answer: A
QUESTION NO: 65 [Firewall]
One host on an internal network is accessing an external web page through a MikroTik router that is doing source NAT. Select the correct statement about the packets that flow from that web page to the host:
A. Packets go through the input chain
B. Packets go through the forward chain
C. Packets go through the output chain
D. Packets go through the input chain before the routing decision and after that through output chain
Answer: B
When a host on a LAN accesses a website on the internet via a MikroTik router that’s performing source NAT (e.g., masquerade), the traffic path is as follows:
From LAN host to internet → forward chain → NAT (src-nat)
From internet back to LAN host → forward chain again → connection-tracked → src-nat reversed
Since the router is only routing the packets and is not the originator or final destination, the packet passes through the forward chain.
Clarifying the options:
A. ❌ input chain is for packets destined to the router itself
B. ✅ Correct – packet is routed through the router (forwarded)
C. ❌ output chain is for packets originating from the router
D. ❌ This description applies to packets sourced by the router itself
MTCNA Course Manual – Packet Flow Diagram:
“Forward chain handles packets that are being routed through the device (not destined to or from the router itself).”
René Meneses Guide – Firewall Chains:
“For routed traffic, the forward chain is used. This includes NATed traffic between LAN and WAN.”
Terry Combs Notes – Packet Flow:
“Understand the router’s role. If it’s just forwarding, only the forward chain applies.”
Answer: B
Which of the protocols below is used by Netinstall?
A. arp
B. bootp
C. dhcp
D. rarp
The Answer Is: D
Explanation:
Netinstall is a MikroTik tool for reinstalling RouterOS on RouterBOARD devices. It uses the RARP (Reverse ARP) protocol during the boot phase to obtain the host from which to download the OS. It does not rely on DHCP, ARP, or BOOTP in standard Netinstall scenarios.
A. ✘ arp – Not used by Netinstall for initial boot communication
B. ✘ bootp – Not used in Netinstall process
C. ✘ dhcp – Not used for booting RouterBOARD into Netinstall
D. ✔ rarp – Used by Netinstall to allow the RouterBOARD to request an address and boot image
Extract from MTCNA Course Material – Netinstall Boot Process:
“Netinstall uses RARP to discover the Netinstall server when booting into Ethernet mode.”
Extract from MikroTik Wiki – Netinstall:
“Netinstall communicates with the device via RARP protocol when loading RouterOS over Ethernet.”
Extract from René Meneses MTCNA Study Guide – Netinstall Chapter:
“RARP is used for booting during Netinstall. DHCP is not required for this operation.”
Which firewall chain would be used to block a client's MSN traffic on a router?
A. static
B. forward
C. output
D. input
The Answer Is: B
Explanation:
To block a client’s application traffic (like MSN Messenger) that is passing through the router (from LAN to WAN or vice versa), the forward chain must be used. This chain processes packets that are routed through the router.
Evaluation:
A. static → ❌ Not a valid firewall chain.
B. ✅ forward → Correct – used to filter traffic that passes through the router.
C. ❌ output → Filters traffic originating from the router itself.
D. ❌ input → Filters traffic destined for the router itself.
MTCNA Firewall Section – Chain Descriptions:
“forward – Used for filtering transit traffic (client to internet or internet to client).”
René Meneses Guide – Firewall Chains:
“To block client application traffic, use the forward chain. Input/output are for local router access.”
Terry Combs Notes – Chain Matching:
“forward = traffic passing through router, like client web or chat traffic.”
Answer: B
QUESTION NO: 71 [Routing]
There are two routes in the routing table:
0 dst-addr=10.1.1.0/24 gateway=5.5.5.5
1 dst-addr=10.1.1.4/30 gateway=5.6.6.6
Which gateway will be used to get to the IP address 10.1.1.6?
A. both – half of the traffic will be routed through one gateway, half through the other
B. 5.5.5.5
C. the required route is not in the routing table
D. 5.6.6.6
Answer: D
Routing decisions are made based on the longest prefix match (most specific route).
10.1.1.6 falls within:
→ 10.1.1.0/24 → range: 10.1.1.0 – 10.1.1.255 (prefix length: 24)
→ 10.1.1.4/30 → range: 10.1.1.4 – 10.1.1.7 (prefix length: 30)
Because /30 is more specific than /24, it will be selected for routing the packet.
MTCNA Routing Module – Prefix Length Decision:
“Router chooses the route with the longest subnet mask (most specific match).”
René Meneses Study Guide – Longest Match Principle:
“10.1.1.6 falls within 10.1.1.4/30 → use gateway 5.6.6.6.”
Terry Combs Notes – Routing Table Resolution:
“Always check if multiple routes match. Use the one with the longest prefix.”
Answer: D
QUESTION NO: 72 [Wireless Security]
In order to use dynamic keys in your wireless security profile for an AP, you MUST set up the DHCP server to provide the dynamic keys.
A. true
B. false
Answer: B
MikroTik RouterOS supports dynamic key exchange for wireless networks using WPA/WPA2 (with PSK or EAP). These dynamic keys are not provided by the DHCP server but are instead part of the wireless security profile configured under /interface wireless security-profiles.
DHCP only assigns IP addresses and other network configuration parameters — it does not provide encryption keys.
MTCNA Wireless Security Module – WPA/WPA2 Explained:
“Dynamic keys are negotiated during the WPA/WPA2 authentication process, not via DHCP.”
René Meneses Guide – Wireless Authentication:
“Security profiles define pre-shared or dynamic key exchange (WPA-EAP). DHCP is unrelated.”
Terry Combs Notes – Misconceptions in Wireless Setup:
“DHCP and wireless encryption are separate layers. Keys are not assigned through DHCP.”
Answer: B
QUESTION NO: 73 [Firewall / Security]
Which firewall chain should you use to filter SSH access to the router itself?
A. output
B. input
C. prerouting
D. forward
Answer: B
SSH access to the router targets the router itself. Therefore, any packets destined for the router (for example, to TCP port 22) are evaluated in the input chain of the firewall.
Evaluation:
A. output → ❌ For packets originating from the router, not to it.
B. ✅ input → Correct – handles traffic destined for the router (like SSH, Winbox, etc.)
C. ❌ prerouting → Used for NAT and mangle operations, not filtering
D. ❌ forward → Used for traffic routed through the router (not for router itself)
MTCNA Firewall Section – Chain Functions:
“SSH access to the router is incoming traffic. Use input chain to filter or allow it.”
René Meneses Guide – Access Protection:
“input chain is responsible for traffic to the router’s IP – block/allow SSH, Winbox, etc.”
Terry Combs Notes – Firewall Management:
“Always use input chain for filtering incoming management protocols like SSH.”