150 Question Certificate Mikrotik MTCNA

2020 (English Version)

1. When viewing a route (gateway) in Winbox, some routes (gateway) will display "DAC" in the
first column. This flag means:
A. Direct, Available, Connected
B. Dynamic, Available, Created
C. Dynamic, Active, Connected
D. Dynamic, Active, Console
Answer: C
Discussion: Can be seen in the Mikrotik settings in the IP-Routes Tab in the section below

2. The PPPoE server only works in one Ethernet broadcast domain that is connected to it. If there
is a router between the server and the end-user host, it will not be able to create a PPPoE Tunnel
to the PPPoE server.
A. Right
B. False
Answer: A
Discussion: PPPoE uses Layer 2 (MAC) as a means to connect, so between the PPPoE server
and the PPPoE Client must be able to know each other's MAC Address. If there is a Router
between Server & End-User so the MAC cannot be recognized, PPPoE cannot connect.

3. Which configuration menu should you use to change the default Winbox router port?
A. / system resource
B. / ip firewall filter
C. / ip service
D. / ip firewall service-ports
Answer: c
Discussion:
4. Total-Max-limit on Simple Queues will limit the combined upload and download
A. Right
B. False
Answer: A
Discussion: Yes, Total is a Combination of Upload and Download. Regarding the distribution
will be divided automatically. For example, a total of 10 Mb, then it could be Upload 3 Mb,
Download 7 Mb or Upload 6MB, Download 4 Mb

5. How many different priorities can be chosen for Queues on MikroTik RouterOS?
A. 1
B. 8
C. 0
D. 16
Answer: b
Discussion:
By default priority in Queue is already filled with the number 8. That is the lowest priority in the
queue (Queue). This means that there are Priority Options 1 - 8 in the Mikrotik Queue

6. The highest priority queue (queue) is

A. 8
B. 16
C. 1
D. 256
Answer: c
Discussion: There is Discussion on Problem No. 5 above

7. On the Wireless path with mode = ap-bridge. According to tool constraints, what is the
maximum number of clients that can be connected to it?
A. 2012
B. 2048
C. 1024
D. 2007
Answer: d
Discussion: please look at the wireless Tab, look for the posts Max. Station Count as shown
below
8. The router's firewall rules are:
/ ip firewall filter add chain = forward action = jump jump-target = custom
/ ip firewall filter add chain = custom action = passthrough
/ ip firewall filter add chain = forward action = log
When traffic reaches the end of 'chain = custom'. What will happen next?
A. Traffic will continue in the chain = forward action = log
B. Traffic will be accepted in the chain = custom
C. Traffic will be dropped in the chain = custom
Answer: a
Discussion:

It can be seen from the picture above that the Bytes and Packets column has the same number,
meaning that the packet sent by passing to the 3 rule filter. so the last action performed by the
filter is to log.

9. To perform static routing functions, additional to the RouterOS 'system' package, you also
need the following software packages:
A. advanced-tools
B. no extra package required
C. dhcp
D. routing
Answer: b
Discussion: As per https://wiki.mikrotik.com/wiki/Manual:System/Packages Packages System
includes the most basic system needed for routing, including static routing.
10. What is the correct action for NAT rules on routers that must intercept SMTP traffic and send
it to a specific mail server?
A. Passthrough
B. tarpit
C. redirect
D. ff-nat
Answer: d
Discussion: To a particular Mail Server, meaning the mail server is outside the proxy itself, then
the action that can be used is dst-nat

11. Where should you upload the new MikroTik RouterOS package package to upgrade the
router?
A. Any directory in / files
B. FTP the root directory or / files directory of the router
C. System Backup menu
D. System Package menu
Answer: b
Discussion: Router OS Mikrotik Firmware must be placed / uploaded to the outermost folder or
commonly called the root folder so that it can be read by the proxy system and upgraded.

12. Can be more than one PPPoE server in one broadcast domain
a. correct
b. is wrong
Answer: a
Discussion:

As seen in the picture above, in one interface can have several PPPoE servers, later the
difference is the Profile.

13. What type of encryption can be used to make a connection with a simple access code without
using an 802.1X authentication server?
A. WPA EAP / WPA2 EAP
B. WPA PSK / WPA2 PSK
Answer: a
Discussion: Authentication Server can be implemented in PSK Mode, while encryption without
an authentication server is EAP.

14. The routing table has the following entries:

0 ff-address = 10.0.0.0 / 24 gateway = 10.1.5.126
1 dst-address = 10.1.5.0 / 24 gateway = 10.1.1.1
2 dst-address = 10.1.0.0 / 24 gateway = 25.1.1.1
3 dst-address = 10.1.5.0 / 25 gateway = 10.1.1.2
Which gateway will be used for packages with the destination address 10.1.5.126?
A. 25.1.1.1
B. 10.1.1.2
C. 10.1.5.126
D. 10.1.1.1
Answer: b
Discussion: RouterOS in choosing the Route Gateway will choose several factors, the
first factor is whether or not the IP gateway is connected
based on distance. The smaller the distance, the first priority will be the gateway path
when it is a subnet. at the same IP destination, then the smallest number of subnets, that is the
priority as the main route gateway.

15. RouterOS log messages are stored on disk by default:

a. correct
b. is wrong
Answer: b
Discussion: The defauld log is stored in memory, so when the proxy restarts the log will
disappear. But it can be changed to be stored in DISK, only it will make a full microtic disk.

16. Which port does PPTP use by default?

A. UDP 1721
B. TCP 1723
C. UDP 1723
D. TCP 1721
Answer: b
Discussion: As stated at the address https://en.wikipedia.org/wiki/Point-to-
Point_Tunneling_Protocol PPTP uses the TCP Port 1723 Protocol

17. How many DHCP servers can be configured per interface on RouterOS?
A. Two
B. One
C. Unlimited
D. Five
Answer: b
Discussion: DHCP server can only be made 1 per interfaces. If you try to create a dhcp server
again with an interface that you have used before, it will error / fail.

18. Network ready devices are connected directly to MikroTik RouterBOARD 750 with the
correct UTP. RJ45 functioning cable. The device is configured with the IPv4 address
192.168.100.70 by using the subnet mask 255.255.255.252. What will be a valid IPv4 address
for RouterBOARD 750 for a successful connection to the device?
a.192.168.100.70 / 255.255.255.252
b. 192.168.100.69/255.255.255.252
c. 192.168.100.71/255.255.255.252
d. 192.168.100.68/255.255.255.252
Answer: b
Discussion: calculation of subneting from 192.168.100.70/30 is
Net-ID 192.168.100.68
Range IP 192.168.100.69-192.168.100.70
Broadcast 192.168.100.71

19. How many IP addresses can we find in the header of an IP packet?

a. 1
b. 3
c. 2
d. 4
Answer: a
Discussion: in every 1 IP packet, the Header is only 1.

20. Net Id is
a. The first address is used from the subnet
b. The last address of the subnet
c. The first address subnet
Answer: c
Discussion: Net Id is the first address in the subnet, and the net id cannot be used by the host.

21. What is the term for the address code on the hardware found on the interface?
a. IP address
b. MAC address
c. FQDN address
d. interface address
Answer: b
Explanation: Address Code here is meant is a unique code that is on each network interface, as
an introduction to tools in the network. The unique code will be different for each network
device.
22. How many IP addresses can be used in a 23-bit subnet (255.255.254.0)?
a. 512
b. 510
c. 508
d. 254
Answer: b
Explanation: In the calculation of Subneting / 23 or commonly written 255.255.254.0 has a total
of 512 IPs, but the first IP is a Net ID, while the last IP is Broadcast, so there are only 510 IPs
that CAN BE used.

23. Is ARP used in the IPv6 protocol?

a. False
b. Correct
Answer: a
Explanation: ARP is a combination table between MAC address and IPv4 connected in the
network. As for IPv6, the ARP function has been changed to NDP. References can be found at
https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

24. If ARP = reply-only is configured on an interface, the interface will be carried out by the
interface.
a. Accept all IP / MAC combinations listed in / ip arp as static entries
b. Accept all IP addresses listed in / arp ip as static entries
c. Add a new MAC address on the arp / ip list
d. Accept all MAC addresses listed in / arp ip as static entries
e. Add a new IP address on the arp / ip list
Answer: a
Discussion: When ARP is set up with Reply-Only on an interface, the interface will only accept
connections from statically registered Mac & IP combinations.

25. If ARP = reply-only is activated on one router interface, the router can add dynamic ARP
entries for a particular interface.
a. False
b. Correct
Answer: b
Explanation: ARP = reply-only settings only apply to each interface that is set, so when only one
interface is set to reply-only, the other interfaces can still do dynamic ARP.

26. The basic physical network units (OSI Layer 1) are:

a. Header
b. Bytes
c. Bit
d. Decimal
Answer: c
Explanation: Osi layer 1 which is a physical only understands Bit numbers, because a machine
only understands the values of + (1) and - (0) of an electric voltage.

27. Which of the following is a valid IP address?

a. 192.168.13.255
b. 10.10.14.0
c. 192.168.256.1
d. 1.27.14.254
Answer: a, b, d
Explanation: A valid IP address is a collection of numbers consisting of 32 bits with 4 octets,
which have some standard rules. And because the problem above is not explained by the subnet
used by each IP, then all IPs except the answer C are valid according to the subnet. If the
answers A and B are smaller or equal to / 24 then the IP becomes invalid and cannot be used, but
if the subnet is / 22 then it can be used.
28. How many IP addresses can be used in a 20-bit subnet?
a. 2046
b. 2047
c. 4094
d. 4096
e. 2048
Answer: c
Explanation: Total IP from / 20 is 4096 minus Net id & Broadcast. So the IP that can be used on
subnet 20 is 4096-2 = 4094

29. Which of the following is NOT a valid MAC Address?

a. 13: 16: 86: 53: 89: 43
b. 80: GF: AA: 67: 13: 5D
c. 88: 0C: 00: 99: 5F: EF
d. EA: BA: AA: EE: FF: CB
e. 95: B5: DD: EE: 78: 8A
Answer: b
Explanation: MAC addresses are a combination of Hexadecimal, so only 0-F numbers are
recognized. and a maximum of 2 combinations of numbers in 1 octet

30. The MAC layer in the OSI model is also known as

a. Layer 3
b. Layer 7
c. Layer 1
d. Layer 2
e. Layer 6
Answer: d
Explanation: Mac addresses are at layer 2, known as the data link layer. reference:
https://en.wikipedia.org/wiki/OSI_model

31. Choose a valid MAC address

a. G2: 60: CF: 21: 99: H0
b. 00:00: 5E: 80: EE: B0
c. AEC8: 21F1: AA44: 54FF: 1111: DD
d. AE: 0212: 1201
e. 192.168.0.0/16
Answer: b
Explanation: As explained in no.29

32. How many layers does the Open System Interconnection model have?
a. 7
b. 6
c. 5
d. 12
e. 9
Answer: 7
Explanation: In accordance with the references on https://en.wikipedia.org/wiki/OSI_model , the
Open System Interconnection or abbreviated OSI has 7 layers.

33. Action = redirect applied to him.

a. chain = srcnat
 b. chain = dstnat
c. chain = forward
Answer: c
Explanation: A redirect action is an action that changes the destination / destination from the
network back to the router, and it can only be done in the NAT firewall. So the chain applied is
dstnat.

34. You have an 802.11b / g Wireless card. What frequency is available for you?
a. 5800MHz
b. 5210MHz
c. 2422MHz
d. 2327MHz
Answer: c
Explanation: 802.11b / g standard is a WiFi Standard for free Frequency at 2.4Ghz, which is
divided up to 14 Channels and each country has a different standard2. Some only use channel 1-
11, others use channel 1-14. For Indonesia itself using channels 1-13, or more precisely
2412Mhz - 2472Mhz (up 5Mhz not channel)

35. Select all valid host addresses for subnets 15.242.55.62/27

a. 15.242.55.31-15.242.55.62
b. 15.242.55.32-15.242.55.63
c. 15.242.55.33-15.242.55.62
d. 15.242.55.33-15.242.55.63
Answer: c
Explanation: The total IP of 15.242.55.62/27 is 15.242.55.32-15.242.55.63, while the valid host
address is 15.242.55.33-15.242.55.62

36. Which is the correct masquarade rule for network 192.168.0.0/24 on routers with out-
interface = ether1?
a. / ip firewall nat add action = masquarade chain = srcnat
b. / ip firewall nat add action = masquarade chain = srcnat src-address = 192.168.0.0 / 24
c. / ip firewall nat add action = masquerade out-interface = ether1 chain = dstnat
d. / ip firewall nat add action = masquarade chain = srcnat out-interface = ether1
Answer: d
Explanation: confused explain it ... but if you ever practice in the proxy directly, surely
understand ... basically the answer D ^^
37. Can you add drivers manually to RouterOS if your PCI Ethernet card is not recognized?
a. Yes
b. Not
Answer: b
Explanation: Not all PCI Ethernet on the market can run RouterOS Mikrotik. Therefore, if you
find a PCI Ethernet driver that cannot be read by RouterOS it is expected to report to the
Mikrotik to make the driver.

38. Which part needs to be / Simple Queues to set the bandwidth limit?
a. target-address, max-limit
b. target-address, dst-address, max-limit
c. target-address, etc-address
d. max-limit
Answer: a
Explanation: When setting Simple Queue, there are 2 things we must set at a minimum. i.e.
target address and max limit. while other settings such as bursh, limit at, time, parrent are not
required to be set.

39. What protocol is used for the Ping and Trace route?
a. DHCP
b. IP
c. TCP
d. ICMP
e. UDP
Answer: d
Explanation: Ping and Trace use the ICMP Protocol. Reference:
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

40. Why is it useful to set the Radio Name in the Radio Interface?
a. Identifies the station in the connected Client List
b. Identifies the station in the Access List
c. Identifies a station on the Neighbor List
Answer: c
Explanation: in a large network environment with many devices it is necessary to name the radio
so that it is easy to set up. so even though the SSID issued by the radio is the same name, we can
still distinguish through the Neighbor List Facility to see the Radio Name / Radio Name

41. Routers A and B both run as PPPoE servers on a broadcast domain that is different from your
network. Is it possible to set Router A to use the "/ ppp secret" account from Router B to
authenticate PPPoE customers?
a
b.No
Answer: b
Explanation: PPPoE Server Authentication must be in 1 Local network, because it must be
physically connected. must know each other's MAC Address from the PPPoE server and from
the Host

42. If you need to ensure that one computer on your HotSpot network can access the Internet
without HotSpot authentication, which menu allows you to do this?
a. User
b. IP Binding
c. Walled-garden
d. Walled-garden IP
Answer: b
Explanation: IP Binding is one of the facilities in a proxy hotspot to specialize a computer with a
certain MAC / IP to pass through the Hotspot login page. Can also to block, so can not enter the
hotspot page.

43. Which default route will be active?

/ ip route
Add disabled = no distance = 10 ff-address = 0.0.0.0/0 gateway = 1.1.1.1
Add disabled = no distance = 5 etc. address = 0.0.0.0/0 gateway = 2.2.2.2
a. Route via gateway 1.1.1.1
b. Route via gateway 2.2.2.2
Answer: b
Discussion: RouterOS in choosing the Route Gateway will choose several factors, the
first factor is whether or not the IP gateway is connected
based on distance. The smaller the distance, the first priority will be the gateway path
when it is a subnet. at the same IP destination, then the smallest number of subnets, that is the
priority as the main route gateway.

44. How long is a level 1 (demo) license valid?

a. 24 hours
b. Unlimited time
c. 1 month
d. 1 year
Answer: b
Explanation: there are 7 types of licenses in the proxy, from license 0 to license 6, according to
their respective facilities. But based on the time there are 2 categories, namely license 0 which
has an active period of 24 hours, and licenses 1-6 which have an active period forever.

45. PCs with IP 192.168.1.2 can access the internet, and a static ARP has been set for the IP
address at the gateway. When the PC Ethernet card fails, the user changes it to a new card and
sets the same IP for it. What else to do?
a. Old static ARP entries at the gateway must be updated for the new MAC Adreess
b. Nothing - this will work as before
c. The MAC-address of the new card must be changed to the old card's MAC-address
d. Another IP must be added for Internet access
Answer: a
Explanation: Because the static ARP method is turned on, the Router will only handle
connections from a combination of IP and MAC that are already registered on the Router. So
when there is a change of Ethernet Card in the client, you must change the Mac Address in the
ARP table list owned by IP 192.168.1.2 with the Mac Address of the newly installed Ethernet
Card.

46. The default TTL (time to live) on the router that can be fed by an IP packet is:
a. 60
b. 30
c. 1
d. 64
Answer: d
Explanation: By default TTL uses an IP packet of 64, although in some cases there are device
manufacturers that use TTL 128 (usually used to flash firmware)

47. You have a router with configuration

- Public IP: 202.168.125.45/24
- Default gateway: 202.168.125.1
- DNS server: 248.115.148.136, 248.115.148.137
- Local IP: 192.168.2.1/24
Mark the correct configuration on the client PC to access the Internet
a. IP: 192.168.0.1/24 gateway: 192.168.2.1
b. IP: 192.168.2.253/24 gateway: 202.168.0.1
c. IP: 192.168.1.223/24 gateway: 248.115.148.136
d. IP: 192.168.2.115/24 gateway: 192.168.2.1
e. IP: 192.168.2.2/24 gateway: 202.168.125.45
Answer: d
Explanation: The router's IP for local is 192.168.2.1/24 meaning that the client can use IP
starting from 192.168.2.2/24 with gateway 192.168.2.1

48. In the advanced menu of the wireless setup there is a parameter called "Area", it works
directly with:
a. Connect List
b. Access list
c. There isn't any
d. Safety Profile
Answer: c
Explanation: Still Not Knowing the reason, maybe someone can explain in the comments column
or can directly contact me through contact.

49. When backing up a router, you use the 'Export' command, the following happens:
a. Winbox user names and passwords are reserved
b. Export files can be edited with a standard text editor after creation
c. You are asked to name the export file
Answer: c
Explanation: When Performing the 'Export' command only, you will be asked to enter the name
of the Export file. For further information File Export is a copy of CLI-based commands for
configuring RouterOS. So that the Export File can be edited and can be entered into a Router
with a different type.

50. You need to reboot RouterBoard after importing the previously exported rsc file to activate
the new configuration.
a. Correct
b. False
Answer: wrong
Explanation: Unlike backup files or firmware upgrade files. The router does not need to restart to
run the rsc file. but must be called via the CLI with the Import command.

51. It is not possible to disable the "admin" user on the "/ user" menu
a. Correct
b. False
Answer: b
Explanation: admin user can be disabled or deleted as long as there are other users with full
groups (Full Access to all parts of routerOS)

52. We have two radio cards in a point-to-point relationship with the settings:
Card Number 1: mode = ap-bridge ssid = "office"
frequency = 2447 band = 2.4ghz-b / g default-authentication = yes default-forwarding = yes
security-profile = wpa
Card Number 2: mode = ssid station = "office"
frequency = 2412 band = 2.4ghz-b / g default-authentication = yes default-forwarding = yes
security-profile = wpa2
Is the Nr2 Card. able to connect to Card Nr 1.?
a. Yes, if Nstreme is activated or deactivated in both
b. Yes, if the security profile settings are compatible with each other and Nstreme is enabled or
disabled in both
c. No, because of different frequencies
d. No, because of different security profiles
Answer: c
Explanation: The relationship between wireless devices must be based on several things. But the
main thing is the selection of the same frequency.

53. What is the default protocol / port of Winbox?

a. UDP / 8921
b. TCP / 8291
c. TCP / 22
d. TCP / 8080
Answer: b
Explanation:
54. Select the following as 'Public IP Address':
a. 192.168.0.1
b. 172.168.254.2
c. 172.28.73.21
d. 10,110.50.37
e. 11.63.72.21
Answer: a
Explanation: personally I do not really understand about this part, because so far I used to use the
classless system for that, please read the reference at
https://id.wikipedia.org/wiki/Alamat_IP_versi_4#Alamat_publik

55. Which computer can communicate directly (without a router involved)

a. 192.168.17.15/29 and 192.168.17.20/28
b. 192.168.0.5/26 and 192.168.0.100
c. 10.5.5.1/24 and 10.5.5.100/25
d. 10.10.0.17/22 and 10.10.1.30/24
Answer: c
Explanation: so that two or more computers can communicate without involving a router, the
first condition must be connected, can use wire or wireless. the two must be on the same or the
same subnet.

56. What configuration was added by the / ip hotspot setup?

a. / ip service
b. / ip user hotspot
c. / ip Wallet-Garden hotspot
d. / ip dhcp-server
e. / queues tree
Answer: d
Explanation: When creating a hotspot server and clicking on a hotspot setup, we will be given
several setting options, one of which is the dhcp-server option or rather IP-Pool. While other
settings can be set after the server is finished.
57. By using the connect list, it is possible to prioritize connections to one Access Point among
other Access Points by changing the order of entries.
a. False
b. Correct
Answer: b
Explanation: Connect List is a facility in the wireless proxy that functions when we set the proxy
wireless as a client. Connect List will set our Wireless to be connected with a combination of
SSID & Mac which are priority according to the order of entries.

58. What can be used as a 'target-address' in Simple Queue?

a. client address
b. client's MAC address
c. server address
d. name list address
Answer: a
Explanation: The target address in simple queue can be filled with IP Client or Router Interface.
While the server IP is usually included in the Etc. Address.

59. MikroTik RouterOS sends logs to an external syslog server. Which protocols and ports does
RouterOS use to send logs (by default)?
a. UDP 514
b. UDP 215
c. UDP 213
d. TCP 510
Answer: a
Explanation: reference https://wiki.mikrotik.com/wiki/Manual:System/Log

60. Which route will be used to reach host 192.168.1.55?

/ ip route
Add disable = no distance = 1 etc-address = 192.168.1.0 / 24 gateway = 1.1.1.1
Add disable = no distance = 1 etc-address = 192.168.1.0 / 25 gateway = 2.2.2.2
Add disable = no distance = 1 etc-address = 192.168.0.0 / 16 gateway = 3.3.3.3
a. Route via gateway 1.1.1.1
b. Route via gateway 3.3.3.3
c. Route via gateway 2.2.2.2
Answer: c
Discussion: RouterOS in choosing the Route Gateway will choose several factors, the
first factor is whether or not the IP gateway is connected
based on distance. The smaller the distance, the first priority will be the gateway path
when it is a subnet. at the same IP destination, then the smallest number of subnets, that is the
priority as the main route gateway.

61. To use masquerade, you need to specify it

a. action = accept, out-interface, chain = src-nat
b. action = masquerade, out-interface, chain = src-nat
c. action = masquerade, in-interface, chain = src-nat
d. action = masquerade, out-interface, chain = dst-nat
Answer: b
Explanation: Action Masquerade on the NAT firewall feature requires a number of key settings,
i.e. the mandatory src-nat and out-interface chains.

62. Please select a valid scan-list value in the wireless interface configuration:
a. 5560,5620-5700
b. 5640 ~ 5680
c. default, 5560.5600,5660-5700
d. 5540,5560,5620 + 5700
Answer: a
Explanation: Scan List is a list of frequencies that will be scanned by wireless when wireless is
in station mode, the correct writing is by commas or -
63. When adding static routes, you must always ensure that you add gateways and interfaces.
A. False
b. Correct
Answer: a
Explanation: In adding a Static Route, only 2 need to be filled in, namely Etc. Address and
Gateway. Interfaces will be automatically searched by routes according to the gateway entered.

64. You want to allow multiple people to log in with one user on the HotSpot server. How should
this be configured?
a. Set the "Shared User" option in the User Profile / ip hotspot
b. It is impossible
c. Set the "Shared User" option in / ip hotspot
d. Set "only-one = no 'at / ip hotspot
Answer: a
Explanation: In order for 1 user to be used by several people, it needs to be set in the Shared
User, and the Shared User at the User Profile Hotspot.

65. In what order are entries in the access list and connect list processed?
a. In descending order
b. In random order
c. With a Signal Strength Range
d. With the name of the interface
Answer: a
Explanation: As a rule, all processes in RouterOS must be sequential and each has a rule on how
the order is arranged, as in routes, which are based on distance and subneting, while the access lit
and connect list are in sequence.

66. Could the client get an IP address but no gateway after a successful DHCP request?
a. False
b. Correct
Answer: a
Explanation: in a DHCP Server, besides sending an IP Address to the client, SURE will also
send a Gateway. While DNS might not be sent. Because in the settings the Gateway is required
to be filled.
67. The firewall configuration is as follows:
1) / ip firewall filter add chain = input protocol = icmp action = jump jump-target = ICMP
2) / ip firewall filter add chain = input protocol = icmp action = log log-prefix = ICMP-DENY
3) / ip firewall filter add chain = input protocol = icmp action = drop
4) / ip firewall filter add chain = ICMP protocol = icmp action = log log-prefix = JUMP-ICMP-
DENY
5) / ip firewall filter add chain = ICMP protocol = icmp action = drop
The client sends "pings" to the router. What will the router do?
a. The router will drop packets on the ICMP (jump) chain drop rule (rule 5)
b. The router will record it with the prefix: ICMP-DENY
c. The router will drop packets on the drop drop rule (rule 3)
d. The router will record it with the prefix: JUMP-ICMP-DENY
Answer: a
Explanation: In the Firewall configuration above we can know the order of rules as follows:
rule 1. when there are people who do PING through the icmp protocol, they will immediately
jump to the chain = ICMP (rule 4)
rule 4. after entering rule 4, the router will logging (JUMP-ICMP-DENY). after that the traffic
will continue to the next rule (rule 5)
rule 5. PING traffic will be dropped in accordance with the rule

68. / ip firewall nat

add chain = dstnat in-interface = ether1 protocol = tcp dst-port = 3389 action = dst-nat to-address
= 192.168.1.2 to-ports = 81
The commands shown above:
a. Add IP address 192.168.1.2 to interface ether1
b. redirect all incoming TCP traffic through ether1 port 3389 to port 81 of the internal host
192.168.1.2
c. redirect all TCP traffic from 192.168.1.2 to port 81 of the ether1 interface
d. redirect all incoming TCP traffic through ether1 port 81 to port 3389 from the internal host
192.168.1.2
Answer: b
Explanation: if seen from the CLI Command above, it is a command to deflect a traffic from
ether1 to port 3389 directed to 192.168.1.2 port 81

69. When solving network problems from within the network, you find that you can ping the
gateway normally, but you cannot surf the Internet. What is the most likely problem?
a. DNS not available
b. The computer does not get an IP address
c. Network card and / or cable does not work
d. Masquarade Rules do not apply
Answer: a
Explanation: in addition to ensuring that the internet is connected to the Gateway, it must also be
connected to the DNS. Gateway for Checking Paths to the internet, while DNS functions to
change IP addresses to web addresses.
70. What is indicated by connection-state = established matcher?
a. The packet starts a new TCP connection
b. The package does not match the known connection
c. Packages belonging to an existing connection, for example a reply package or a package that
includes a connection that has been answered
d. The packet is related to, but is not part of an existing connection
Answer: c
Explanation: established is a reply data connection from the packet being connected. reference:
https://www.linuxtopia.org/Linux_Firewall_iptables/x1347.html

71. For static routing functionality, in addition to the RouterOS system package, you also need
the following software packages:
a. route
b. there is no
c. dhcp
d. advanced tool
Answer: b
Discussion: As per https://wiki.mikrotik.com/wiki/Manual:System/Packages Packages System
includes the most basic system needed for routing, including static routing.

72. Configuring HotSpot is possible on MikroTikRouterOS only with the Wireless interface.
a. yes
b. Not
Answer: b
Explanation: Hotspot configuration on the RouterOS Router can be done on several interfaces,
such as Ethernet, wireless, VLAN, Bridge.

73. Which choice should you use when you want to prevent access from one particular address to
your router's web interface?
a. add chain = forward in the Firewall Filter
b. add Chain in the Firewall Filter
c. Group settings for System users
d. WWW Service from / IP Service
Answer: d
Explanation: in order to prevent inward access through the proxy webfig facility, it is necessary
to turn off the www service feature located at / ip service
74. Which of the following prevents unknown clients from connecting to your AP?
a. Check the "Don't Accept Unknow Client" box in the Wireless configuration
b. Uncheck "Default Authenticate" on the Wireless card configuration, and add each known
client MAC address to your Access List configuration which ensures that you enable
"authentication" on the entry
c. Adding each known client MAC address to your Access List configuration is the only step
required
d. Uncheck "Default Authenticate" on the Wireless card configuration, and add each known
client MAC address to the configuration list of the Connect List
e. Configure radius server under "/ radius"
Answer: b
Explanation: turn off the default Authenticate feature in the wireless settings
75. Check the permitted input formats for the Wireless scan list.
a. 5500 5700
b. 5500-5700
c. 5500,5700
d. 5500 - 5700
e. 5500/5700
Answer: b
Explanation: Scan List is a list of frequencies that will be scanned by wireless when wireless is
in station mode, the correct writing is by commas or -

76. After entering this rule:

/ ip firewall
add chain = input action = drop,
You can still access the Router using mac-address.
a. Yes
b. Not
Answer: a
Explanation: if seen in the command above, it is a command to block incoming traffic to the
Router. However, IP Firewall works by layer 3 by default, so only IP connections, not MAC
addresses, are blocked.

77. What is needed for PPPoE client configuration?

a. ip firewall nat masquerade rule
b. Interface (where the PPPoE client will work)
c. Static IP address on PPPoE client interface
Answer: b
Explanation: When Configuring PPPoE the most important is the Interface, after that only the
PPPoE User.

78. Router OS can set vlan-id values from - to:

a. 1-2049
b. 1-4096
c. 1-4095
d. 1-2048
Answer: c
Explanation: In accordance with the reference at http://mikrotik.co.id/artikel_lihat.php?id=202 ,
the value of the vlan ID is between 1-4095

79. Collisions are possible on a full-duplex Ethernet network

a. Correct
b. False
Answer: b
Explanation: in a full duplex network, data collisions will never occur, because each path has
boundaries that are not possible to cross into other paths.

80. Where can you see real-time connections processed by the router?
a. Query Tree
b. Torch Tool
c. Firewall Counter
d. Connection Tracking Firewall
Answer: d
Explanation: Connection Traking is a proxy feature for capturing traffic that passes through the
router in realtime:

81. Action = redirect applies to

a. SRC-NAT rules
b. DST-NAT rules
c. Firewall Filter Rules
d. Route rules
Answer: b
Explanation: The Redirect action can only be applied to the DST-NAT chain, because the
redirect action serves to divert traffic to the router.

82. Could the same IP address be included in several address lists and still be used by some of
the address lists?
a. correct
b. is wrong
Answer: a
Explanation: The address list in a firewall is a table that contains the IP and its categories. and
you can enter the same IP into several categories, all of which are active according to the rules
that are applied in the filter rule, nat, or mangle.

83. The default 'target-scope' value for static routes is:

a. 30
b. 1
c. 10
d. 255
Answer: c
Explanation: by default the 'target-scope' on the RouterOS is worth 10
84. Which chain firewall will be used to block MSN client traffic on the router?
a. Forward
b. Static
c. Input
d. The output
Answer: a
Explanation: MSN client is a Chat Application that is connected from client to server by passing
through the router. meaning that the traffic is Forward, because it only passes.

85. You want to limit bandwidth for your HotSpot users. HotSpot can create a Dynamic Queue
for user logins to limit bandwidth.
a. Yes, right
b. Not wrong
Answer: b
Explanation: Bandwidth Limitation on Hotspots can be done in 2 places, namely in the Server
Profile as the Main / Overall Limitation. and in the User Profile to limit per User
86. You start a wireless scan on your Access Point. What will happen ?
a. All connected clients will disconnect
b. You will see all connected clients
c. You will see the available frequency
Answer: a
Explanation: when scanning wireless on wireless with AP-Bridge mode, all connected clients
will be disconnected. That is because during a wireless scan, the wireless mode will temporarily
(during the scan) change to station mode.

87. What types of users are listed on the "/ user" menu?
a. PPTP User
b. Wireless User
c. User Hotspot
d. User Router
Answer: d
Explanation: in the User menu there are only settings about the User Router

88. Which chain firewall should you use to filter ICMP packets from the router itself?
a. Input
b. Forward
c. Postrouting
d. The output
Answer: d
Explanation: a packet coming out of the router itself, meaning that the chain uses Output.

89. Which version of software can be installed to the following type of RouterBoard?
a. routeros-mipsbe-x.xx.npk on RB433
b. routeros-powerpc-x.xx.npk on RB333
c. routeros-mipsle-x.xx.npk on RB133
d. routeros-x86-x.xx.npk on RB1100
e. routeros-mipsbe-x.xx.npk on RB133
Answer: a and b
Explanation: Each Mikrotik Type has RouterOS respectively, for more details as a reference can
be seen at: https://mikrotik.com/download

90. MikroTik proxy features are:

a. POP3 caching
b. DNS Filtering
c. SMTP caching
d. HTTP caching
e. FTP caching
Answer: d
Explanation: Proxies on proxy are only able to win and save HTTP protocol.

91. You have a Wireless interface with Security to use the nstreme protocol?
a. Yes, but Nstreme will be used for all SSIDs assigned to that physical interface
b. Yes, but Nstreme can only be used for SSID = WLAN1.
c. No, Nstreme cannot be used on the Wireless interface if VirtualAP is in it.
d. Yes, but Nstreme can only be used for SSID = VAP1.
Answer: b
Explanation: both the nstreme and nV2 protocols can only be used / managed on WLAN1, while
the Vwlan / wlan2 cannot regulate both the nstreme and nV2 protocols.

92. / ip route configuration on router,

/ ip route add dst-address = 0.0.0.0/0 gateway = 192.168.0.1
/ ip route add dst-address = 192.168.1.0 / 24 gateway = 192.168.0.2
/ ip route add dst-address = 192.168.2.0 / 24 gateway = 192.168.0.3
/ ip route add dst-address = 192.168.3.0 / 26 gateway = 192.168.0.4
The router needs to send packets to 192.168.3.240. Which gateway will be used?
a. 192.168.0.2
b. 192.168.0.1
c. 192.168.0.3
d. 192.168.0.4
Answer: d
Discussion: RouterOS in choosing the Route Gateway will choose several factors, the
first factor is whether or not the IP gateway is connected
based on distance. The smaller the distance, the first priority will be the gateway path
when it is a subnet. at the same IP destination, then the smallest number of subnets, that is the
priority as the main route gateway.

93. What does the letter "R" in an active session in the PPP Active Connections menu mean?
a. Run
b. Radius
c. Random
d. Running
Answer: D
Explanation: in PPP, the meaning of Hurus R is Running

94. Routers have Wireless and Ethernet client interfaces, all client interfaces areridge. To create
DHCP services for all clients you must configure the DHCP server on:
a. every Port on the Bridge
b. only in Bridge Interface
c. Every Ethernet and Wireless interface
d. DHCP service is not possible in this setting
Answer: b
Explanation: when all interfaces are bridged, all main settings must be made on the bridge
interface. not in each of the interfaces anymore.

95. EoiP is:

a. MikroTik's exclusive Tunnel Protocol
b. Layer-3 Tunnel
c. Layer-2 Tunnel
Answer: a, b
Explanation: I myself still don't understand, but if you view
http://mikrotik.co.id/artikel_lihat.php?id=91 then EoiP is a microtic exclusive tunnel that works
on layer 3.

96. Netinstall can be used to:

A. Reinstall software without losing licence
B. Install package for different hardware architecture
C. Install different software version (upgrade or downgrade)
D. Keep configuration, but reset a lost admin password
Answer: a,c

97. PPP Secrets is used for:

A. PPtP clients
B. Router users
C. L2TP clients
D. PPPoE clients
E. IPSec clients
F. PPP clients
Answer: a,c,d

98. Mark all correct statements about / export file = {name of an rsc file}.
A. Exports files which can not edited
B. Exports full configuration of the router (without RouterOS user passwords)
C. Exports logs from /log print
D. Exports only part of the configuration (for example /ip firewall)
Answer: b,d

99. The possible IP action of the firewall filter is:

A. log
B. tarp
C. bounce
D. accept
E. add-to-list
F. tarpit
Answer: a,d,f

100. What firewall actions are "Redirect"? Select all correct statements.
A. Redirects a packet to a specified port on the router
B. Redirects a packet to a specified IP
C. Redirects a packet to the router
D. Redirects a packet to a specified port on a host in the network
Answer: a,c

101. On MikroTik RouterOS, Layer-3 communication between 2 hosts can be achieved using
subnet addresses from:
a. / 31
b. / 29
c. / 32
d. / 30
answer: b,c,d

102. Which computer can communicate directly (without a router involved)

a.192.168.17.15 / 29 and 192.168.17.20/28
b.192.168.0.5 / 26 and 192.168.0.100
c.10.5.5.1 / 24 and 10.5.5.100/25
d.10.10.0.17 / 22 and 10.10.1.30/23
answer: c & d

103. Which of the following protocols / ports is used for SNMP? (Simple Network Management
Protocol)
a. TCP 162
b. UDP 162
c. UDP 161
d. TCP 25
e. TCP 123
f. TCP 161
answer: b,c

104. What letters appear next to the route, which is automatically generated by RouterOS when
the user adds a valid address to the active interface?
A. A
B. C
C. S
D. I
E. D
Answer: e,a,b

105. What wireless standards can we use to achieve 100 Mbps throughput ?
a. 802.11 b / g
b. 802.11 a / b / g
c. 802.11 a
d. 802.11 a / n
e. 802.11 a / b / g / n
f. 802.11 a / n / ac
answer: e,d,f

106. Action = redirect allows you to create

a. Transparan DNS Cache
b. Forward DNS to the other device's IP address
c. Enable Local Services
d. Transparan HTTP Proxy
answer: a,d

107. Mark all features that are compatible with Nstreme

a. WDS between the device in station-wds mode and the device in station wds mode
b. Enkripsi
c. WDS between the device in ap-bridge mode and the device in wds station mode
d. Bridging devices in station mode with devices in ap-bridge mode
answer:a,c
108. Which of the following locations can you get from Winbox?
a. Router web page
b. File menu on your router
c. Through the console cable
d. mikrotik.com
answer: a,d

109. Two hosts, A and B, are connected to the broadcast LAN. Select all answers that indicate
pairs of IP addresses / masks that allow IP connections to be formed between the two hosts.
a. J: 10.1.2.66/25 day B: 10.1.2.109/26
b. A: 10.2.2.1/23 and B: 10.2.0.1/22
c. J: 10.1.2.192/24 day B: 10.1.2.129/26
d. J: 10.2.1.0/23 day B: 10.2.0.1/22
answer: a,d

110. What types of users are listed in the Secret PPP menu window?
a. pptp users
b. l2tp users
c. winbox users
d. wireless users
e. pppoe users
f. hotspot users
answer: a,b,e

111. Clients of the MikroTik RouterOS DHCP-server can receive the following options:
a. Batas Byte
b. IP Gateway
c. Tariff limit
d. Uptime Limit
e. IP and Subnet addresses
answer: b,e

112. You want to use PCQ and allow a maximum of 256k downloads and uploads for each
client. Select the correct argument value for the required queue.
at. jenis = pcq pcq-limit = 1256000 pcq-classifier = dst-address
b. jenis = pcq pcq-limit = 256000 pcq-classifier = dst-address
vs. jenis = pcq pcq-limit = 5000000 pcq-classifier = src-address
d. jenis = pcq pcq-limit = 256000 pcq-classifier = src-address
e. jenis = pcq pcq-limit = 5000000 pcq-classifier = dst-address
answer: b,d

113. Which of the following is true for connection tracking?

a. Enabling connection tracking reduces CPU usage on RouterOS
b. Connection tracking must be activated for an effective firewall
c. Connection tracking must be activated for NAT networks
d. Disable connection tracking for mangle to work
answer: b,c

114. Among the following statements are possible solutions for managing two network bridges
via a wireless link:
a. Both devices are in AP mode and activate WDS mode
b. One device in AP mode, another in station-pseudobridge-clone
c. One device in AP mode, another at the pseudobridge station
d. One device in AP mode, another at the station
answer: b,c

115. If a packet enters the router and starts a new connection that was not previously there, then
it is called:
a. no connection status will be applied to the package
b. new
c. invalid
d. establish
e. releated
answer: a

116. Identify the types of QoS available in RouterOS

a. SFQ - Antimisial Stochastic Fairness
b. DRR - Defisit Round Robin
c. FIFO - First In First Out
d. LIFO – Last In Fisrt Out
e. PCQ - Per Connection Queuing
f. RED - Random Early Detect
answer: a,c,e,f

117. In which situations can Netinstall NOT be used to install RouterBOARD?

a. The router does not have an operating system
b. The router is only connected to the wireless network
c. You do not know the router password
d. The router is connected only to the secondary Ethernet port
answer: a,c

118. You are planning a migration from a wireless link using 802.11a at 5GHz (without nstrem)
to using Nv2 at 5GHz. If you change the AP from 802.11a to Nv2, you don't want the client to
release it for more than a few seconds during the upgrade.
Assuming the client is able to operate with Nv2 (the correct hardware, encryption key and the
correct version of ROS), the settings for 'wireless protocol' must be enabled on the client so that
the client can automatically detect the protocol used by the AP and continue to connect with
802.11a or Nv2: (select all that apply)
a. Nv2
b. Nv2-nstreme-802.11
c. anything
d. not specified
answer: b

119. What can you do with Netinstall?

a. Reset password di RouterOS
b. Instal Linux
c. Add configuration to RouterOS
d. Reinstall RouterOS
answer: a,d

120. Netinstall can be used for

a. Install a different software version (upgrade or downgrade)
b. Save the configuration, but reset the admin password that is missing
c. Reinstall the software without losing the license
d. Install packages for different hardware architectures
answer: a,c

121. In Winbox, hide password is not checked so it can show a password for the following
a. RouterOS User
b. User Hotspot
c. RADIUS User
d. PPP Secret
answer: b, c, d

122. Choose the correct statement for the MikroTik proxy.

a. NAT destination rules are required to utilize transparent proxy facilities
b. To deny access to certain websites, caching must be activated
c. Control the domain or server that is allowed to be cached by the proxy
d. Can deny access to certain domains or servers, but not specific web pages
answer: a, b

123. MikroTik WebProxy is able to perform cache storage functions on internal and external
storage. What parameters are there on WebProxy to determine where cache storage is stored,
what parameters?
a. Cache path
b. Disk Cache
c. Cache on Storage
d. Cache On Disk1
answer: a

124. One of the network security can be done by the port knocking method, for example before
being able to access a server the user must first send a packet with a certain size, for example
1000 bytes. What parameters in the firewall can we use to detect the size of a packet?
a. Package Size
b. Counter Package
c. Conten Size
d. Counting Package
answer: a

125. If we use simple queues, what parameters determine the total amount of automatic
downloads and uploads
a. total max limit
b. Max total bandwidth
c. total max queue
d. total max rate
answer: a

126. One of the functions that exist in RouterOS is SMS, the RouterOS system can be instructed
to send an SMS to a certain number. What additional tools are needed so that this can be done?
a. GSM mode
b. SMS server
c. SMS gateway
answer: a

127. On Mikrotik wireless there is a tool that can detect the percentage of density usage around
the frequency?
a. freq. used
b. a scan
c. snooper
d. sniff
answer: a

128. There is a subnet with ip 10.10.10.167/26, what is the broadcast ip of that IP address?
a. 10.10.10.191
b. 10.10.10.164
c. 10.10.10.192
d. 10.10.10.165
e. 10.10.10.190
answer: a

129. On the bridge interface there is a parameter called RSTP

a. prevent looping
b. stabilize the connection
c. split lane division
d. selection of bridge type
answer: a

130. What parameters impose limits on a Queues that can be reached if the perent above still has
residual bandwidth that can be used?
a. max limit
b. max bandwidth
c. max queue
d. max rate
answer: a

131. Among the flow packets containing input, output, and postrouting, which packet is the last
packet, if the data packet from outside the router goes to the router?
a. the input
b. the output
c. postrouting
answer: a

132. If you want to use pcq for per-protocol perimeter, for example web, email, ftp, etc. What
classifier should we use to identify upload traffic?
a. Src. Address
b. Etc. Address
c. Upload Target
d. Upstream Tager
answer: a

133. Before installing a wireless access point radio, it helps you scan the area, Name 2 wireless
tools that can be used to scan!
a. snooper
b. a scan
c. scanning
d. sniffing
answer: a and b

134. What tools can monitor the amount of traffic on an interface and will run a triger if there is
a change in traffic passing under certain tools?
a. monitor traffic
b. monitoring interface
c. traffic interface
d. torch
answer: a

135. on firewall actions, one of them is through. What is the function of passthrough?
a. traffic just passes through the router
b. traffic will be forwarded to the next rule
c. traffic will be blocked
d. traffic will be forwarded but recorded first.
Answer: b

136. When a packet is sent, then the process of adding packet header is known as?
a. encapsulation
b. decapsulation
c. compression
d. labeling
answer: a

137. Regarding the OSI layer, which layer is responsible for maintaining the host to host
connection and also the stability of the connection?
a. Transport Layer
b. Network Layer
c. Session Layer
d. Presentation Layer
Answer: a

138. HTTPS protocol usually uses TCP protocol and port 443. Mention the type of tunnel that is
supported by proxy which also uses the protocol and the port!
a. OVPN
b. PPTP
c. PPOE
d. L2TP
Answer: a

139. Mikrotik has a DHCP client feature that can get IP automatically from a DHCP server.
Mention 2 types of interfaces that can be used as DHCP clients in addition to Ethernet!
a. wireless
b. bridge
c. vlan
d. pppeo
answer: a, b, c

140. Regarding routing, the default route on the proxy can be monitored using the check gateway
feature. Mention 2 monitoring methods that are applied to the check gateway process?
a. Arp
b. Ping
c. Trace
d. Trace route
e. Answer: a, b

141. On a web proxy we can limit the total cache amount on our OS router. What parameters can
we use to do this?
a. Max cache size
b. Max cache object size
c. Max proxy disk
d. Max Storage Used
Answer: a

142. We can block certain data packages by using the firewall filter feature. What parameters can
we use to detect data packages both the source port and the destination port on a connection?
a. Protocol
b. Port
c. In Interfaces
d. Out Interfaces
e. Target Port
f. Protocol Target
Answer: a, b

143. We want to use multilevel HTB with simple queue so there are rules that function as parents
and there are several rules that function as children. what should we fill in the target parameter in
the parent rule
a. 0.0.0.0/0
b. Interface Parent
c. All Interfaces
Answer: a

144. There are various tools provided on the proxy for monitoring networks. What monitoring
tools are able to identify the protocol as well as the port in realtime?
a. Torch
b. Traffic Monitoring
c. Graph
d. Realtime Traffic
Answer: a

145. To secure wireless access points on a proxy we can activate the security profile and use
WPA 1 or WPA 2. Explain what happens if both WPA 1 and WPA 2 are activated as security!
a. The client cannot be connected because it cannot determine what Security mode is used
b. The client will automatically choose the strongest Security
c. Mikrotik will randomly choose the security method
d. Mikrotik will arrange the security of the strongest in accordance with security facilities on the
client
Answer: d

146. There are features on the proxy where the Ethernet interface that is in the routerboard can be
combined into 1 segment but it can also be transferred without the need to overload the CPU.
What features does this feature use?
a. Switch chip
b. Master-Slave
c. Hardware-Offload
d. Bridge
Answer: a

147. Name 2 minimum parameters used to configure hosts on Queues!

a. Target-address
b. Max limit
c. Etc. Adreess
d. Limit-At
e. Priority
f. Parent
g. Queue Type
h. Time
Answer: a, b

148. There is a router whose ETH 1 interface is connected to a client pc device which then ETH
2 is connected to an internet device to capture data downloaded from the client, the ETH 1
interface can be used as what parameter on the firewall filter
a. Out interface
b. in interface
c. in interfaces list
d. out interfaces list
answer: a

149. Simple Queue number 0 defines 2M for upload and download for target IP 10.10.0.33.
Simple Queue number 1 defines 4M for upload and download for target IP 10.10.0.33.
Client 10.10.0.33 is be able to obtain
A. 2M upload / download
B. 4M upload / download
C. 0M upload / download
D. 6M upload / download
Answer: a

150 Look at the queue structure below!

queue "GP" max-limit = 10M
- queue "M" parent = "GP" limit-at = 4M max-limit = 6M
- - queue "C1" parent = "M" limit-at = 1M max-limit = 7M priority = 4
- - queue "C2" parent = "M" limit-at = 1M max-limit = 4M priority = 1
- - queue "C3" parent = "M" limit-at = 2M max-limit = 7M priority = 8
- queue "F" parent = "GP" limit-at = 5M max-limit = 8M
- - queue "D1" parent = "F" limit-at = 3M max-limit = 4M priority = 5
- - queue "D2 "parent =" F "limit-at = 2M max-limit = 5M priority = 2

Which queue will get more bandwidth than the limit-at in the worst case scenario?
Select one:
a.C3
b. C1
c. D1
d. C2
e. D2
Answer: D

Note: Please if there is an answer / explanation that is wrong, contact me so I can correct it
immediately. also include the wrong section and also send the link as a reference to the truth that
you convey