MikroTik Certification Exam Sample Questions Page 1

MTCNA
System – Services – Packages – Interfaces

1. /store allows you to save … to external disk

A. System configuration
B. Web-proxy data
C. DUDE data
D. User-Manager data

2. For static routing functionality, additionally to the RouterOS system package, you will also need the following software package:
A. none
B. dhcp
C. routing
D. advanced-tools

3. DHCP server is configured on a router’s ether1 interface. IP address 192.168.0.100/24 is assigned to the interface. Possible IP pools
that can be used by this DHCP server are:
A. 192.168.0.1-192.168.0.14
B. 192.169.0.1-192.169.0.254
C. 192.168.0.1-192.168.0.255
D. 192.168.0.1-192.168.0.99,192.168.0.101-192.168.0.254

4. You have a DHCP server on your MikroTik router. The IP addresses 10.1.2.2-10.2.2.20 are distributed in the DHCP network.
Additionally, 3 static IP address are defined for your servers: 10.1.2.31-10.1.2.33. After a while 20 more IP addresses need to be
distributed in the network. Is it possible to distribute the extra IP address without adding another DHCP Server? (YES/NO)

5. Collisions are possible in full-duplex Ethernet networks (TRUE/FALSE)

6. From which of the following locations can you obtain Winbox?

A. Mikrotik.com
B. Files menu in your router
C. Via the console cable
D. Router’s webpage

7. Which features are removed when advanced-tools package is uninstalled?

A. ip-scan
B. netwatch
C. bandwidth-test
D. ping
E. neighbors
F. LCD support

8. You have to connect to a RouterBOARD without any previous configuration. Select all possibilities to connect and do some basic
configuration
A. MAC-Winbox
B. Telnet
C. Serial Connection
D. Attach monitor/keyboard

9. When sending out an ARP request, an IP host is expecting what kind of address for an answer?
A. MAC Address
B. VLAN ID
C. 802.11g
D. IP address

10. Can you manually add drivers to RouterOS in case your PCI Ethernet card is not recognized, and you suspect it is a driver issue?
(YES/NO)
PROPERTY OF NetkromAcademy 2014 – For Internal Classroom Use Only!
 MikroTik Certification Exam Sample Questions Page 2

11. If ARP=reply-only is configured on an interface, what will this interface do?

A. Accept all IP/MAC combinations listed in /ip arp as static entries
B. Add new IP addresses in /ip arp list
C. Accept all MAC-addresses listed in /ip arp as static entries
D. Add new MAC addresses in /ip arp list
E. Accept all IP addresses listed in /ip arp as static entries

12. What can you do with Netinstall?

A. Reinstall RouterOS
B. Install Linux
C. Add configuration to RouterOS
D. Reset password in RouterOS

13. DNS configuration of the router, /ip dns static add address=192.168.0.1 name=www.test.com. Computer DNS server address is
router. You are sending ping to www.test.com from the computer. Which is the resolved address?
A. www.test.com is resolved to it's public IP address
B. It is not possible to resolve www.test.com
C. www.test.com is resolved as 192.168.0.1

14. An IP address pool can contain addresses from more than one subnet. (TRUE/FALSE)

15. Where should you upload new MikroTik RouterOS version packages for upgrading router
A. System Package menu
B. Any directory in /files
C. System Backup menu
D. FTP root directory or /files directory of the router

16. You need to reboot a RouterBoard after importing a previously exported rsc file to activate the new configuration. (TRUE/FALSE)

17. You want to transfer existing '/ip firewall filter' configuration from one router to a new system. Choose the best possible way to do:
A. Export global configuration and remove everything apart from '/ip firewall filter'
B. Create backup, edit backup file and restore on target router
C. Export only '/ip firewall filter'
D. Create backup only of '/ip firewall filter' rules

18. When backing up your router by using the 'Export' command, the following happens:
A. You are requested to give the export file a name
B. The Export file can be edited with a standard text editor after its creation
C. Winbox usernames and passwords are backed up

19. Mark correct statements.

A. Backup files are editable
B. Export files are not editable
C. Backup files are not editable

20. How long is level 1 (demo) license valid?

A. 24 hours
B. Infinite time
C. 1 month
D. 1 year

Bridge – EoIP – Wireless – Routing

1. You want to create an access point for several laptop (non-RouterOS) clients. Select all options you can set on the MikroTik
wireless interface:
A. mode=ap-bridge
B. Nstreme to optimize link
C. Security profile for WPA encryption
D. mode=bridge

PROPERTY OF NetkromAcademy 2014 – For Internal Classroom Use Only!

 MikroTik Certification Exam Sample Questions Page 3

2. When viewing the routes in Winbox, some routes will show "DAC" in the first column. These flags mean:
A. Direct,Available,Connected
B. Dynamic,Available,Created
C. Dynamic,Active,Connected
D. Dynamic,Active,Console

3. Which of the following would prevent unknown clients from connecting to your AP? Choose the BEST answer.
A. Check the "Do not permit unknown client" box in the wireless configuration
B. Uncheck "Default Authenticate" in the wireless card configuration, and add each known client's MAC address to your
connect-list configuration
C. Configure the radius server under "/radius"
D. Uncheck "Default Authenticate" in the wireless card configuration, and add each known client's MAC address to your
access-list configuration ensuring that you enable "authenticate" in the entry
E. Add each known client's MAC address to your access-list configuration is the only step needed

4. Which of the following are MikroTik Proprietary protocols

A. EoIP
B. IPIP
C. MLPPP
D. PPTP
E. Nstreme

5. You have a wireless interface with SSID="WAN1"mode="ap-bridge" and a VirtualAP with SSID="VAP1" on the router. Is it possible
to use nstreme protocol?
A. No, Nstreme can not be used on wireless interface if a VirtualAP is on it.
B. Yes, but Nstreme can be used only for SSID=WLAN1.
C. Yes, but Nstreme can be used only for SSID=VAP1.
D. Yes, Nstreme can be used for both SSIDs

6. You have a router with configuration

 Public IP :202.168.125.45/24
 Default gateway:202.168.125.1
 DNS server: 248.115.148.136, 248.115.148.137
 Local IP: 192.168.2.1/24

Mark the correct configuration on client PC to access to the Internet

A. IP:192.168.2.2/24 gateway:202.168.125.45
B. IP:192.168.0.1/24 gateway:192.168.2.1
C. IP:192.168.1.223/24 gateway:248.115.148.136
D. IP:192.168.2.115/24 gateway: 192.168.2.1
E. IP:192.168.2.253/24 gateway:202.168.0.1

7. It it possible to use the MikroTik Nstreme protocol with Windows wireless clients, if they install a special driver that can be
downloaded from the MikroTik webpage? (TRUE/FALSE)

8. Which of the following Routes statuses are possible?

A. D = Drop
B. S = Static
C. A = Active
D. C = Connected

9. Is it possible to limit how many clients are able to connect to an access point?
A. Yes
B. No it's not possible at all
C. Yes, but only with access-lists

10. You start a scan for wireless networks on you access point. What will happen?
A. You'll see all connected clients
B. All connected clients will disconnect
C. You'll see available frequencies

PROPERTY OF NetkromAcademy 2014 – For Internal Classroom Use Only!

 MikroTik Certification Exam Sample Questions Page 4

11. Check the allowed input formats for wireless scan-list.

A. 5500,5700
B. 5500 – 5700
C. 5500-5700
D. 5500/5700
E. 5500 5700

12. Wireless clients (mode=station) will work properly if bridged to ethernet (TRUE/FALSE)

13. Define a routing loop (choose the most precise description)

A. situation where the packet is routed through the same sequence of routers until the TTL expires
B. situation where the packet is routed through the same router twice
C. Situation where the packet does not reach it\'s destination
D. situation where the TTL of the packet expires

14. What letters appear next to a route, which is automatically created by RouterOS when user adds a valid address to an active
interface?
A. A
B. C
C. D
D. S
E. I

15. The default value of ‘target-scope’ for a static route is:

A. 255 B. 1 C. 30 D. 10

16. /interface wireless access-list is used for

A. Authenticate Hotspot users
B. Shows a list of Client's MAC Address that are already registered at AP
C. Handles a list of Client's MAC Address to permit/deny connection to AP
D. Contains the security profiles settings

17. In which order are the entries in Access List and Connect List processed?
A. By interface name
B. In a random order
C. In sequence order
D. By Signal Strength Range

18. Mark all correct answers

A. /ip firewall filter allows to deny authentication to AP
B. The only way to prevent wireless clients connections - disable wireless interface
C. Wireless access-list could allow and deny access to your AP
D. Default-Forwarding could be enabled for a specific clients by wireless access-list

19. Making use of a narrower channel width such as 10MHz or 5MHz will increase your wireless link speed. (TRUE/FALSE)

20. To connect your MikroTik router to a wireless access point, you have to:
A. Use the same Band (5 GHz, 2.4 GHz, ...)
B. Use the same SSID as on accesspoint
C. Use the same Radio Name

21. The following image shows a RouterOS Wireless Access List configuration

Wireless interface "Default Authenticate" is unchecked. What will happen with clients connecting to this AP?
A. No client is able to connect to the Wireless Access Point.
B. 00:0C:42:31:38:A2 will connect to wlan1 when the signal strength is greater than -60

PROPERTY OF NetkromAcademy 2014 – For Internal Classroom Use Only!

 MikroTik Certification Exam Sample Questions Page 5

C. Client with mac-address 00:0C:42:31:38:A2 will connect to wlan1

D. 00:0C:42:61:6C:90 client will connect to wlan1

22. In order to use dynamic keys in your security profile for an AP, you MUST set up the dhcp server to provide the dynamic keys.
(TRUE/FALSE)

HotSpot – VPN

1. When adding a user to your local ppp secrets/ppp profiles database, it is possible to
a. Allow/deny use of more than one login by this user
b. Deny services (like telnet) only for this user or for one group of users
c. Allow only pppoe login
d. Allow login by pppoe and pptp, but deny login by l2tp
e. Set max values for total transferred bytes (up- and download)

2. Is it possible to have PPTP Client and PPTP server on one MikroTik router at the same time? (TRUE/FALSE)

3. What kinds of users are listed in the Secrets window of the PPP menu?
a. winbox users
b. pptp users
c. l2tp users
d. wireless users
e. pppoe users
f. hotspot users

4. HotSpot is required on the interfaces ether2, ether3, wlan1 (in ap-bridge mode). These interfaces are bridged in the bridge1
interface. Which interface should the HotSpot server be configured on?
a. On ether3 interface
b. On ether2 interface
c. On bridge1 interface
d. On wlan1 interface

5. The HotSpot feature can be used only on ethernet interfaces. You have to use a separate access point if you want to use this
feature with wireless. (TRUE/FALSE)

6. You want to share the same user and password for different computers at the same time. Which menu is used for configuration?
a. /ip hotspot ip-binding
b. /ip hotspot profile
c. /ip hotspot user profile
d. /ip hotspot walled-garden

7. MikoTik PPPoE Server can be used only within a broadcast domain, that is, users can not run PPPoE protocol with a server if there
is a router between the customer and that PPPoE server. (TRUE/FALSE)

8. What configuration is added by /ip hotspot setup command? (select all that apply)
a. /queue tree
b. /ip hotspot walled-garden
c. /ip dhcp-server
d. /ip service
e. /ip hotspot user

9. Router A and B are both running as PPPoE servers on different broadcast domains of your network. Is it possible to set Router A to
use "/ppp secret" accounts from Router B to authenticate PPPoE customers? (YES/NO)

10. What is the meaning of letter "R" on an active session in the menu PPP Active Connections?
a. Radius

PROPERTY OF NetkromAcademy 2014 – For Internal Classroom Use Only!

 MikroTik Certification Exam Sample Questions Page 6

b. Running
c. Remote

11. Where are HotSpot authorized clients shown?

a. /ip hotspot
b. /ip hotspot user
c. /ip hotspot host
d. /ip hotspot active

12. You need to allow HTTP access to www.mikrotik.com for all HotSpot users without authorization. What should you use?
a. /ip hotspot user
b. /ip hotspot ip-binding
c. /ip hotspot walled-garden ip
d. /ip hotspot walled-garden

13. HotSpot server is installed on the router. All IP-phones are required to have access to outside networks without any HotSpot
authentication. Select the configuration options you can use to achieve this setup.
a. /ip hotspot ip-binding
b. /ip hotspot walled-garden ip
c. /ip hotspot service-ports

14. Hotspot ip-binding is used to allow access to Internet web servers specifing the IP address of the web server instead of the URL.
(TRUE/FALSE)

15. You would like to allow multiple logins with one user name on a HotSpot server. How should this be configured?
a. It's not possible
b. Set "only-one=no' at /ip hotspot
c. Set "Shared Users" option at /ip hotspot user profile
d. Set "Shared Users" option at /ip hotspot

16. Hotspot can be configured on a Virtual Access point interface (TRUE/FALSE)

Firewall Filter – NAT – Proxy

1. It is required to make a web server on a private LAN visible on the Public Internet. Only the web server port should be visible to the
public. Which of the following configuration steps must be met? (select all that apply)
a. Connection Tracking must be enabled on NAT router
b. Public IP address of the webserver must be installed on the NAT Router
c. in ip firewall NAT there should be a dst-nat between the public ip of the router and the private ip of the webserver
d. A route between the NAT Router and the webserver must exist
e. LAN address of the webserver should be routable on the internet

2. DST-NAT can process traffic sent from and through the router. (TRUE/FALSE)

3. Action=redirect can be used in NAT chain src-nat (TRUE/FALSE)

4. While troubleshooting a network from inside the network, you discover that you can ping the gateway reliably, but you cannot
browse the Internet. Skype, however, works flawlessly. What is the most likely issue?
a. Network card and/or cable is not working
b. The computer did not get an IP address
c. Masquerading rule is not applied
d. DNS is not available

5. After putting this rule: /ip firewall add chain=input action=drop, you will still be able to access the Router using the mac-address.
(TRUE/FALSE)

PROPERTY OF NetkromAcademy 2014 – For Internal Classroom Use Only!

 MikroTik Certification Exam Sample Questions Page 7

6. You wish to secure your RouterOS system. You do not want the RouterOS to be discoverable using MNDP or CDP locally. You also
want to deny management via the MAC addresses on all interfaces. Select the correct actions to accomplish this.
a. Place a proper input firewall rule to block mac discovery
b. Remove/Disable the Interfaces
c. Place a proper forward firewall rule to block mac discovery
d. Remove/Disable all interfaces under mac-server telnet
e. Remove/Disable all discovery interfaces
f. Add a Deny All input firewall rule
g. Remove/Disable all interfaces under mac-Server winbox

7. To use masquerade, you need to specify

a. action=accept, out-interface, chain=src-nat
b. action=masquerade, out-interface, chain=dst-nat
c. action=masquerade, out-interface, chain=src-nat
d. action=masquerade, in-interface, chain=src-nat

8. Which configuration menu should you use to change router's Winbox default port?
a. /ip firewall service-ports
b. /system resource
c. /ip firewall filter
d. /ip service

9. What protocol does ping use?

a. UDP
b. ICMP
c. TCP
d. ARP

10. log messages are stored on disk by default (TRUE/FALSE)

11. Mark correct answers for action=dstnat in chain=dst-nat.

a. Change source address and port
b. Add destination address to address-list
c. Change destination address and port
d. NAT source address

12. To make the masquerading of the network 192.168.0.0/24, configured on the interface Ether1, you should add rule
a. /ip firewall nat add chain=dstnat out-interface=ether1 src-address=192.168.0.0/24 action=masquerade
b. /ip firewall nat add chain=srcnat out-interface=ether1 src-address=192.168.0.0/24 action=masquerade
c. /ip firewall nat add chain=srcnat src-address=192.168.0.0/24 action=masquerade
d. /ip firewall nat add chain=dstnat in-interface=ether1 src-address=192.168.0.0/24 action=masquerade

13. Which is correct masquerade rule for 192.168.0.0/24 network on the router with outgoing interface=ether1?
a. /ip firewall nat add action=masquerade out-interface=ether1 chain=dstnat
b. /ip firewall nat add action=masquerade chain=srcnat
c. /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
d. /ip firewall nat add action=masquerade chain=srcnat src-address=192.168.0.0/24

14. To be able to do NAT the connection tracking does not need to be enabled. (TRUE/FALSE)

15. Which RouterOS packages should be installed on router for SSH server support?
a. SSH
b. advanced-tools
c. security
d. system

16. Consider the following network diagram. In R1, you have the following configuration:
PROPERTY OF NetkromAcademy 2014 – For Internal Classroom Use Only!
 MikroTik Certification Exam Sample Questions Page 8

 /ip route add dst-address=192.168.1.0/24 gateway=192.168.99.2

 /ip firewall nat add chain=srcnat out-interface=Ether1 action=masquerade
On R2, if you wish to prevent all access to a server located at 192.168.1.10 from LAN1 devices, which of the following rules would be
needed?
a. /ip firewall nat add chain=dstnat src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
b. /ip firewall filter add chain=input src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
c. /ip firewall filter add chain=forward src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
d. /ip firewall filter add chain=forward src-address=192.168.0.0/24 dst-address=192.168.1.10 action=drop

17. What is the correct action for a NAT rule on a router that should intercept SMTP traffic and send it over to a specified mail server?
a. Passthrough
b. Tarpit
c. Redirect
d. dst-nat

18. 1Which is the default port of IP-Winbox?

a. TCP 8291
b. TCP 8192
c. TCP 80
d. UDP 8291

19. Which firewall chain should you use to filter clients HTTP traffic going through the router?
a. Output
b. Input
c. Prerouting
d. Forward

20. To block users on my Local Area Network from accessing http://www.facebook.com between 8:00am and 5:00pm
a. Only schedule a script to block http://www.facebook.com at 8:00am and allow at 5:00pm
b. Add firewall filter rule to block http://www.facebook.com and set time on the rule
c. Enable Webproxy, Transparent redirect http traffic, create access rule to drop http://www.facebook.com with a comment,
schedule script to enable access rule at 8:00am and disable rule at 5:00pm
d. Add simple queue to block the site at 8:00am and allow it from 5:00pm

21. It is possible to add user-defined chains in ip firewall mangle? (YES/NO)

22. The gateway router is configured with a transparent proxy with the following parameters:
 /ip proxy access add dst-host=www.mikrotik.com action=allow
 /ip proxy access add dst-host=www.mt.lv action=deny redirect-to=forum.mikrotik.com
When the user is opening www.mt.lv, what is shown in the browser?
a. forum.mikrotik.com
b. www.mikrotik.com
c. www.mt.lv

Queue & Mangle

1. Simple Queue number 0 defines 2M for upload and downloads for target IP 10.10.0.33.
Simple Queue number 1 defines 4M for upload and downloads for target IP 10.10.0.33.
Client 10.10.0.33 is being able to obtain…
a. 6M upload/download
b. 2M upload/download
c. 0M upload/download
d. 4M upload/download

PROPERTY OF NetkromAcademy 2014 – For Internal Classroom Use Only!

 MikroTik Certification Exam Sample Questions Page 9

2. How many different priorities can be selected for queues in MikroTik RouterOS?
a. 8
b. 0
c. 1
d. 16

3. What can be used as ’target-address’ in the simple queue?

a. client’s address
b. client’s MAC address
c. address list name
d. server’s address

4. In RouterOS queue configurations the word "total" usually represents

a. Upload
b. upload + download
c. download - upload
d. download

5. You want to use PCQ and allow 256k maximum download and upload for each client. Choose correct argument values for the
required queue.
a. kind=pcq pcq-limit=5000000 pcq-classifier=src-address
b. kind=pcq pcq-limit=1256000 pcq-classifier=dst-address
c. kind=pcq pcq-limit=256000 pcq-classifier=src-address
d. kind=pcq pcq-limit=5000000 pcq-classifier=dst-address
e. kind=pcq pcq-limit=256000 pcq-classifier=dst-address

6. Mark the queue types that are available in RouterOS

a. DRR - Deficit Round Robin
b. FIFO - First In First Out (for Bytes or for Packets)
c. SFQ – Stochastic Fairness Queuing
d. RED – Random Early Detect (or Drop)
e. LIFO - Last In First Out
f. PCQ – Per Connection Queuing

7. Which are necessary sections in /queue simple to set bandwidth limitation?

a. target-address, max-limit
b. target-address, dst-address
c. target-address, dst-address, max-limit
d. max-limit

8. The RouterOS graphing is used for

a. Bandwidth limitation
b. Real-time traffic and resource usage display
c. Bandwidth testing
d. Average traffic and resource usage display

9. Two mangle rules defining different mangle marks for the same traffic type will make it have both mangle marks. (TRUE/FALSE)

PROPERTY OF NetkromAcademy 2014 – For Internal Classroom Use Only!