What is possible with Netinstall?
MikroTik RouterOS reinstall
MikroTik RouterOS password reset with saving router's configuration
MikroTik RouterOS configuration reset
Netinstall is a powerful utility provided by MikroTik that allows reinstallation of RouterOS on RouterBOARD devices. It is primarily used for:
Reflashing or reinstalling RouterOS
Recovering devices that are not booting correctly
Clearing configurations during reinstall
It does not allow you to reset the password without losing the configuration, nor is it used just for configuration reset.
MTCNA Official Course Material – Tools & Netinstall:
“Netinstall is used to reinstall RouterOS onto a MikroTik device via the network. It can be used to install a specific RouterOS version or wipe the existing installation.”
René Meneses MTCNA Guide – Tools Chapter:
“Netinstall allows you to reinstall RouterOS and optionally reset the configuration. It does not allow recovery of the existing password or configuration unless backed up beforehand.”
MikroTik Wiki – Netinstall Utility:
“Netinstall is a tool used for reinstalling RouterOS. It formats the system partition and reinstalls RouterOS. This is useful in case of misconfiguration or firmware corruption.”
Option B is incorrect — password reset is only possible via full configuration wipe.
Option C is not accurate — Netinstall reinstalls the entire OS, not just resets configuration.
Only A is correct.
Final Answer: AQUESTION NO: 90 [Wireless]
You would like to allow multiple logins with one user name on a HotSpot server. How should this be configured?
A. Set "Shared Users" option at /ip HotSpot user profile
B. It's not possible
C. Set "Shared Users" option at /ip HotSpot
D. Set "only-one=no" at /ip HotSpot
Answer: A
MikroTik HotSpot user management allows defining how many simultaneous sessions a single username can support. This is done via the "Shared Users" option in the user profile configuration, not in the general HotSpot or interface settings.
MTCNA Course Material – HotSpot Section:
“Shared Users in user-profile allows multiple concurrent logins using the same username/password combination. Default is 1. If set to 3, then three sessions can be active simultaneously.”
René Meneses MTCNA Study Guide – HotSpot Configuration:
“The shared-users parameter in /ip hotspot user profile allows multiple concurrent sessions for the same user. This is commonly used in shared environments like hotels or cafes.”
Terry Combs MTCNA Notes – HotSpot Profiles:
“Shared-users is set per profile, not per user. If you want three devices to log in with the same account, set shared-users=3 in the profile assigned to that user.”
Option A is correct.
Option B is false — it is definitely possible.
Option C is incorrect — /ip hotspot does not contain this parameter.
Option D is invalid — “only-one” is not a known parameter in HotSpot configuration.
Final Answer: AQUESTION NO: 91 [Routing]
When adding a static route, you must always ensure that you add both the gateway and the interface.
A. False
B. True
Answer: A
In RouterOS, specifying the gateway IP is sufficient for static routing as long as the gateway IP is reachable via a directly connected interface. The system automatically determines the correct interface based on the routing table. Adding an interface manually is only required in special cases, such as point-to-point links.
MTCNA Course Material – Static Routing Section:
“You can configure static routes by specifying the destination and gateway only. The system can resolve the interface automatically if the gateway is reachable.”
René Meneses MTCNA Study Guide – Routing Examples:
“The interface field is optional in most routing scenarios. MikroTik will find the outgoing interface if the gateway IP is in a directly connected subnet.”
MikroTik Wiki – Routing Configuration:
“In most cases, just the dst-address and gateway are sufficient. The interface will be determined by the router.”
Therefore, the idea that both gateway and interface must always be defined is incorrect.
Final Answer: AQUESTION NO: 92 [Wireless]
Please select valid scan-list values in interface wireless configuration:
A. 5560,5620-5700
B. 5640~5680
C. default,5560,5600,5660-5700
D. 5540,5560,5620+5700
Answer: C
The scan-list option defines the frequencies that a wireless interface should scan or operate on. Valid formats include:
Single frequencies: e.g., 5560
Ranges: e.g., 5660-5700
Including "default" for system-determined values
Comma-separated lists are accepted
Characters like ~ or + are not allowed.
MTCNA Official Course Material – Wireless Configuration:
“scan-list can include frequency numbers and ranges separated by commas. Example: 5500,5520-5700. Use ‘default’ to use the standard channel list.”
René Meneses MTCNA Guide – Wireless Interface Options:
“Valid scan-list includes entries like: 5180,5200-5320, or default. Invalid characters such as ‘~’ or ‘+’ are not supported.”
MikroTik Wiki – Wireless Manual:
“Values can be comma-separated frequencies and ranges. Symbols such as ‘+’ or ‘~’ are not allowed in scan-list values.”
Option A: valid format
Option B: invalid (‘~’ is not allowed)
Option C: valid — includes default and proper ranges
Option D: invalid — ‘+’ symbol is not allowed
Thus, Option C is the only valid and complete answer.
Select all tunnels that support authentication of clients with a username and password.
PPPoE
OpenVPN
IPIP
PPTP/L2TP
EoIP
Only tunnel types built on PPP support authentication with username and password:
A.✔PPPoE – Built on PPP, uses CHAP, PAP authentication.
B.✔OpenVPN – Supports user/password login for client authentication.
C.✘IPIP – A stateless Layer 3 tunnel; no authentication support.
D.✔PPTP/L2TP – Both are PPP-based and support username/password authentication.
E.✘EoIP – MikroTik proprietary Layer 2 tunnel; no username/password authentication.
Extract from MTCNA Course Material – Tunnel Types:
“PPPoE, PPTP, and L2TP are PPP-based and support user/password authentication. IPIP and EoIP do not.”
Extract from René Meneses Study Guide – Tunnel Protocols:
“Authentication (PAP/CHAP) is part of PPP. Use PPPoE, PPTP, L2TP, or OpenVPN for user logins.”
Extract from MikroTik Wiki – Tunnel Protocols Overview:
“Only PPP-based tunnels support authentication via username/password.”
===========
What does the firewall action "log" do?
It logs and blocks the packet
It blocks and logs the packet
It adds a prefix to the packet and passes it through
It logs the packet
The log action in MikroTik's firewall does not block or drop packets. Instead, it generates a log entry for packets that match the rule and passes the packet to the next rule in the chain. It is used for monitoring, debugging, or auditing network behavior.
MTCNA Official Course Material – Firewall Filters:
“The action 'log' creates a log entry when a packet matches the rule. It does not terminate or alter the packet's flow. The packet continues to be processed by subsequent rules.”
René Meneses MTCNA Study Guide – Firewall Logging:
“Log action is used to generate logs for matched packets. It does not block or modify traffic.”
MikroTik Wiki – Firewall Actions:
“log – This action writes matching packets to the log. Logging rules have no effect on the packet’s behavior.”
Hence, Option D is correct: It logs the packet, nothing more.
Final Answer: DQUESTION NO: 86 [Firewall]
Which of the following is true for connection tracking?
A. Connection tracking must be enabled for NAT'ed network
B. Enabling connection tracking reduces CPU usage in RouterOS
C. Disable connection tracking for mangle to work
D. Connection tracking must be enabled to be able to use all firewall features
Answer: D
Connection tracking (conntrack) is a feature that enables RouterOS to monitor and manage the state of all network connections passing through the router. It is essential for features like NAT, stateful firewalling, and proper use of mangle and filter rules.
MTCNA Course Material – Connection Tracking:
“Most firewall and NAT functionality depends on connection tracking being enabled. Without connection tracking, many features (like NAT) won’t function properly.”
René Meneses MTCNA Study Guide – Firewall Section:
“Connection tracking is required for NAT and most firewall filters. When disabled, connection-state-based filtering or NAT is not possible.”
Terry Combs MTCNA Notes – Conntrack Section:
“Conntrack must be enabled to use full firewall capabilities, including NAT and filtering by connection states like established and related.”
Option A is partially true but not complete.
Option B is incorrect – conntrack may increase CPU load due to session tracking.
Option C is incorrect – mangle rules often depend on connection marks which require conntrack.
Only Option D accurately captures the critical requirement of connection tracking.
Final Answer: DQUESTION NO: 87 [RouterOS Introduction]
Which of the following keystrokes enables safe mode in console?
A. Ctrl+x
B. Ctrl+c
C. Ctrl+d
D. Ctrl+s
Answer: D
Safe Mode in MikroTik CLI is a protective mode that helps revert any unintended changes if you get disconnected. It is activated by pressing Ctrl+X in older versions, but the current standard keybinding for enabling safe mode is Ctrl+S.
MTCNA Course Material – Safe Mode:
“To enable safe mode in the terminal, press Ctrl+S. A confirmation [Safe Mode] will appear in the prompt. If the terminal is closed or disconnected, the changes are rolled back.”
René Meneses MTCNA Study Guide – Terminal Commands:
“Safe Mode can be activated using Ctrl+S. This is useful during remote configuration. It reverts changes if the terminal is closed.”
MikroTik Wiki – Safe Mode Section:
“To enter safe mode, press Ctrl+S in CLI. This ensures configuration rollback if disconnected.”
Other options:
Ctrl+C terminates commands or CLI input
Ctrl+X may not activate safe mode in newer versions
Ctrl+D is used to log out in some Unix-like terminals
Correct answer: Ctrl+S
Final Answer: DQUESTION NO: 88 [Wireless]
Select minimal set of software packages in RouterOS required to configure a wireless AP:
A. Wireless
B. advanced-tools
C. dhcp
D. routing
E. system
Answer: A
To configure a wireless access point (AP) in RouterOS, the only required software package is wireless. All other functionalities like DHCP or routing are optional depending on the network setup. The system package is always present and not removable, so it's not listed as a required dependency in package selection.
MTCNA Course Material – Wireless Configuration Basics:
“Wireless functionality is provided by the wireless package. Without it, no wireless interfaces are present or configurable.”
René Meneses MTCNA Guide – Wireless Module:
“Only the wireless package is required to configure an AP. DHCP is used optionally for IP address assignment.”
MikroTik Wiki – Packages:
“The wireless package is responsible for enabling WLAN interfaces and features such as AP mode, client mode, and security.”
Other packages:
advanced-tools: includes tools like bandwidth-test and traffic generator
dhcp: only needed if the router is issuing IPs
routing: required for static/dynamic routing but not AP setup
Only Option A is required.
Which command is used to upgrade an IOS on a Cisco router?
copy tftp run
copy tftp start
config net
copy tftp flash
To upgrade or install a new Cisco IOS image on a router, you typically copy the IOS image file from a TFTP server into the router’s flash memory. The correct syntax is:
copy tftp flash
This command tells the router to copy the IOS image from a TFTP server into flash storage, where it can be booted.
Cisco IOS Documentation – Image Upgrade Process:
“Use the command copy tftp flash to transfer an IOS image from a TFTP server to the router’s flash memory.”
Other options:
A: copy tftp run – invalid; you cannot copy into the running-config that way
B: copy tftp start – used to copy configuration, not IOS image
C: config net – an older and deprecated command, not for IOS upgrades
Final Answer: DQUESTION NO: 122 [RouterOS Introduction – ICMP and Diagnostics]
Which protocol does Ping use?
A. TCP
B. ARP
C. ICMP
D. BootP
Answer: C
Ping is a diagnostic utility used to test reachability between devices. It sends ICMP Echo Request packets and waits for ICMP Echo Replies. ICMP (Internet Control Message Protocol) is used for these types of control messages and is encapsulated within IP.
MTCNA Course Material – Diagnostic Tools:
“Ping uses ICMP Echo Requests to verify if a destination is reachable. It does not use TCP or UDP.”
René Meneses MTCNA Study Guide – Ping and ICMP:
“Ping uses ICMP, not TCP or ARP. ICMP packets are used to check basic connectivity.”
MikroTik Wiki – Ping Tool Description:
“Ping works by sending ICMP packets. It cannot use TCP.”
Other options:
TCP: Used by protocols like HTTP, FTP
ARP: Resolves IP to MAC, not used for ping
BootP: DHCP-related protocol, not diagnostic
Final Answer: CQUESTION NO: 123 [Cisco – Frame Relay Troubleshooting]
What command will display the line, protocol, DLCI, and LMI information of an interface?
A. sh pvc
B. show interface
C. show frame-relay pvc
D. show run
Answer: C
In Cisco IOS, to display detailed Frame Relay virtual circuit information, including the line status, protocol status, DLCI (Data Link Connection Identifier), and LMI (Local Management Interface) details, the correct command is:
show frame-relay pvc
Cisco IOS Command Reference – Frame Relay:
“The show frame-relay pvc command displays information about PVC status, including DLCI numbers and LMI statistics.”
Breakdown:
A: sh pvc – shorthand and ambiguous, may not be recognized
B: show interface – general interface stats but lacks detailed LMI/DLCI info
C: show frame-relay pvc –✔correct, provides detailed DLCI/LMI info
D: show run – shows current configuration, not real-time PVC status
Final Answer: CQUESTION NO: 124 [Networking Fundamentals – Ethernet and Switching]
How many collision domains are created when you segment a network with a 12-port switch?
A. 1
B. 2
C. 5
D. 12
Answer: D
Each port on a switch creates its own collision domain. Unlike hubs (which extend a single collision domain), switches segment each interface, allowing full-duplex communication and eliminating collisions.
MTCNA Course Material – Ethernet Switching Concepts:
“Each switch port is a separate collision domain. A 24-port switch creates 24 separate collision domains.”
René Meneses MTCNA Study Guide – Collision and Broadcast Domains:
“Switches break up collision domains per port, unlike hubs.”
Therefore, a 12-port switch creates 12 individual collision domains.
What does this simple queue do (check the image)?
The screenshot shows a Simple Queue named "host_A" with:
Target Address: 192.168.1.10
Target Upload: Checked
Target Download: Checked
Max Limit: 1M (upload), unlimited (download)
Queue guarantees upload data rate of one megabit per second for host 192.168.1.10
Queue limits host 192.168.1.10 download data rate to one megabit per second.
Queue limits host 192.168.1.10 upload data rate to one megabit per second.
Queue guarantees download data rate of one megabit per second for host 192.168.1.10
The “Max Limit” value in MikroTik Simple Queues defines the maximum allowed bandwidth. In this case:
Target Address: 192.168.1.10
Target Upload = 1M → The host can upload at a maximum of 1 Mbps
Target Download = unlimited → No restriction on download
This does not “guarantee” bandwidth — it enforces a ceiling. A guaranteed rate would require "Limit-at" to be set.
Evaluation:
A.❌This queue limits, it does not guarantee a minimum bandwidth.
B.❌Download is set to unlimited — no limitation.
C.✅Upload is limited to 1 Mbps — correct.
D.❌Download rate is unlimited — no guarantee or limit.
MTCNA Course Manual – Simple Queue Explanation:
“Max-limit sets the maximum throughput for upload/download. It’s a ceiling, not a guarantee.”
René Meneses Guide – Simple Queues Explained:
“In this case, upload is capped at 1M. No burst or download limit is applied.”
Terry Combs Notes – Queue Properties:
“Always distinguish between 'limit-at' (minimum guarantee) and 'max-limit' (maximum cap).”
Firewall NAT rules process only the first packet of each connection.
True
False
MikroTik’s NAT (Network Address Translation) is part of the connection tracking mechanism. NAT rules are applied only to the first packet of a connection. Subsequent packets belonging to the same connection are automatically handled by the connection tracking module using the same translation mappings established by that first packet.
Option Analysis:
A.✔True – NAT is evaluated only on the first packet of a new connection.
B.✘False – Subsequent packets are not re-evaluated against NAT rules.
Extract from Official MTCNA Course Material – Firewall & NAT Section:
“NAT rules apply to the first packet in a connection. After that, RouterOS uses the tracked connection entry.”
Extract from René Meneses MTCNA Study Guide – NAT & Firewall Concepts:
“Once the initial packet matches a NAT rule, connection tracking applies it to the whole session.”
Extract from MikroTik Wiki – NAT Implementation:
“NAT is evaluated on the first packet. Other packets in the same connection follow the established NAT mapping.”
===========
What is necessary for PPPoE client configuration?
Interface (on which PPPoE client is going to work)
Static IP address on PPPoE client interface
ip firewall nat masquerade rule
To configure a PPPoE client on MikroTik, you need to:
Set the client interface (usually ether1 or another WAN-facing port).
Optionally add NAT masquerading to enable LAN users to reach the internet.
IP address on the interface is assigned dynamically from the ISP after PPPoE negotiation, so a static IP is not required.
Option Analysis:
A.✔Required – You must select the interface that initiates the PPPoE connection.
B.✘Not Required – The IP is typically assigned by the PPPoE server (ISP).
C.✔Required – NAT masquerade is commonly used to allow internet access for private IP clients behind the router.
Extract from MTCNA Course Material – PPPoE Client Setup:
“The PPPoE client must have an interface specified. A NAT masquerade rule is recommended for internet access sharing.”
Extract from René Meneses MTCNA Study Guide – PPPoE:
“You do not need to assign a static IP to the PPPoE client interface. IP is received after successful login.”
Extract from MikroTik Wiki – PPPoE Client:
“After setting up the interface and credentials, PPPoE client negotiates and receives dynamic IP. Add NAT if routing LAN traffic.”
===========
A client uses a RouterBOARD1000. The clock is configured in '/system clock'. The clock resets to default after each reboot.
Select the best solution for the problem.
Write a script in '/system script' to set the clock
Configure '/system ntp server' and set a valid and reachable NTP client address
Configure '/system ntp client' and set a valid and reachable NTP server address
Open the router and ensure the CMOS battery is fine
RouterBOARD devices (such as RB1000) typically do not have a battery-backed hardware clock (RTC). This means the system time resets after each reboot. To keep time accurate, you must configure the router to synchronize with an external NTP (Network Time Protocol) server.
A.✘Inefficient and non-scalable solution.
B.✘The /system ntp server is used to act as an NTP server for others — not for receiving time.
C.✔Correct – You must enable /system ntp client and point to a reachable NTP server to get the correct time on boot.
D.✘Irrelevant – RouterBOARDs do not have CMOS batteries for timekeeping like traditional PCs.
Extract from MTCNA Course Material – Time Synchronization:
“To maintain correct system time, configure NTP client to sync with a public or internal time server after reboot.”
Extract from René Meneses Study Guide – Clock and Scheduler:
“RouterBOARD devices don’t have battery-backed RTC. Use the NTP client to update time after reboot.”
Extract from MikroTik Wiki – NTP Setup:
“Use /system ntp client to sync time. /system clock alone will reset on reboot without NTP.”
===========
From which of the following locations can you obtain Winbox?
Router’s webpage
Files menu in your router
Via the console cable
mikrotik.com
Winbox is a small, native Windows utility provided by MikroTik for graphical administration of RouterOS devices. It is typically downloaded from MikroTik's official website.
A. Router’s webpage → Incorrect. While the router’s WebFig interface may allow configuration, it does not offer a Winbox download.
B. Files menu → Incorrect. The Files menu is for storing backups or firmware packages, not distributing Winbox.
C. Console cable → Incorrect. Console access is CLI only; no GUI utilities can be transferred through it.
D. mikrotik.com → Correct. The only official and secure location to download Winbox is the MikroTik website.
Extract from Official MTCNA Course Material – RouterOS Introduction:
“Winbox can be downloaded from the official MikroTik website. It provides a GUI frontend for managing RouterOS.”
Extract from René Meneses MTCNA Study Guide – RouterOS Access Methods:
“You can download Winbox from mikrotik.com under the Software Tools section.”
Extract from Terry Combs MTCNA Notes – Access Methods:
“Winbox is a Windows application that must be downloaded from MikroTik’s website. It is not available directly from the router.”
===========
If you need to make sure that one computer in your Hot-Spot network can access the Internet without Hot-Spot authentication, which menu allows you to do this?
Users
IP bindings
Walled-garden
Walled-garden IP
In a MikroTik Hotspot environment, you can bypass authentication for specific users using the IP Bindings feature. This feature lets you mark a host as bypassed (authorized without login), blocked, or regular.
A. Users → Incorrect. This contains login credentials for regular authenticated users.
B. IP bindings → Correct. This allows specific devices (by IP or MAC) to bypass login requirements.
C. Walled-garden → Incorrect. This allows unauthenticated access to specific domains or URLs, not devices.
D. Walled-garden IP → Incorrect. Similar to option C, it controls destination IP access, not client exemption.
Extract from Official MTCNA Course Material – Hotspot:
“To allow a specific host to bypass authentication, use IP Bindings with the ‘bypassed’ type.”
Extract from René Meneses MTCNA Study Guide – Hotspot Section:
“The IP Bindings tab in the Hotspot menu is used to set specific IPs or MACs as bypassed. This exempts them from login.”
Extract from Terry Combs MTCNA Notes – Hotspot Bypass:
“Use IP Bindings for fixed clients (e.g., printers or servers) that should not be challenged by the Hotspot portal.”
===========
