1|MTCTCE

Soal MTCTCE

1. You have 10Mbps download link available to be used by your clients on the LAN. You
want to use PCQ and allow 512k maximum download for each client. The correct argument
values for the required queue type are:
A. kind=pcq pcq-limit=10000000 pcq-classifier=src-address
B. kind=pcq pcq-rate=512000 pcq-classifier=src-address
C. kind=pcq pcq-limit=10000000 pcq-classifier=dst-address
D. kind=pcq pcq-rate=512000 pcq-classifier=dst-address

2. How is the DHCP server able to track lease association with a particular client? The
identification can be achieved:
A. Based on "system identity" option
B. Based on “hostname” option
C. Based on “caller-id” option (dhcp-client-identifier from RFC2132)
D. Based on MAC address, if “caller-id” option is not specified.

3. The cache hit DSCP (TOS) number under the Web Proxy Settings is used
A. To identify data coming from the cached data to the client
B. To Identify data the proxy system has stored and returned to clients
C. To identify data received by the web proxy from the internet
D. To Identify data coming from the internet to the web proxy clients

4. You need to redirect a browser page from a search of "xxx" in google to another
website such as www.mikrotik.com
Choose correct proxy access rule.
A. /ip proxy access add dst-host=*xxx* action=deny redirect-to=www.mikrotik.com
B. /ip proxy access add dst-host=*.google.* path=*xxx* action=deny redirect-
to=www.mikrotik.com
C. /ip proxy access add path=*xxx* action=allow redirect-to=www.mikrotik.com
D. /ip proxy access add dst-host=*xxx* action=allow redirect-to=www.mikrotik.com

5. Address-list timeout could be used for

A. Deleting an address list entry from address-list after time runs out
B. Deleting an address list entry after a specified time
C. Can only be used with the target "add-dst-to-address-list" of ip firewall

6. You want to offer a static route to your DHCP clients (besides the default-route).
What is the best way to do that?
A. Set DHCP options 121
B. Set DHCP options 3
C. Set a static IP into /ip route and it will automatically be sent to clients
D. There is no way to send a static-route to DHCP clients
2|MTCTCE

7. To mangle all traffic going to the router itself on chain=prerouting, we can use parameter:
A. dst-address-type=local
B. dst-address-type=unicast
C. dst-address=127.0.0.1
D. dst-address=localhost

8. MikroTik proxy features are:

A. FTP caching
B. HTTP caching
C. SMTP caching
D. DNS name filtering
E. POP3 caching

9. You have a queue structure:

queue "MK" max-limit=23M
-queue "A" parent="MK" limit-at=10M max-limit=18M
--queue "AA" parent="A" limit-at=3M max-limit=5M priority=1
--queue "AB" parent="A" limit-at=1M max-limit=2M priority=2
--queue "AC" parent="A" limit-at=4M max-limit=8M priority=4
-queue "B" parent="MK" limit-at=10M max-limit=18M
--queue "BA" parent="B" limit-at=1M max-limit=10M priority=1
--queue "BB" parent="B" limit-at=2M max-limit=3M priority=3
Select the correct answer for the worst case scenario when all queues are trying to get all
available traffic.
A. queue "AA" will get 3M, "AB" 2M, "AC" 4M, "BA" 10M, "BB" 2M
B. queue "AA" will get 5M, "AB" 2M, "AC" 8M, "BA" 10M, "BB" 2M
C. queue "AA" will get 5M, "AB" 2M, "AC" 8M, "BA" 10M, "BB" 3M
D. queue "AA" will get 3M, "AB" 1M, "AC" 8M, "BA" 1M, "BB" 3M
E. queue "AA" will get 5M, "AB" 2M, "AC" 4M, "BA" 10M, "BB" 2M

10. Is it possible to use the serial port of MikroTik to communicate with an external device
connected by null-modem cable?
A. Yes, when other is a MikroTik router.
B. Yes, if port is not being used
C. Yes, it is always possible by /system serial-terminal command.

11. You want to use PCQ and allow 256k maximum download and upload for each
client. Choose correct argument values for the required queue.
A. kind=pcq pcq-limit=5000000 pcq-classifier=dst-address
B. kind=pcq pcq-limit=256000 pcq-classifier=dst-address
C. kind=pcq pcq-limit=256000 pcq-classifier=src-address
D. kind=pcq pcq-limit=5000000 pcq-classifier=src-address
E. kind=pcq pcq-limit=1256000 pcq-classifier=dst-address
3|MTCTCE

12. An IP packet has matched all the conditions of a firewall rule and the action reject
and the option icmp-network-unreachable was initiated for that packet. What will
happen with the packet content ?
A. The packet will be discarded regardless of its content
B. The whole packet will be forwarded back to the sender regardless of its contents
C. The packet header will receive a flag of \\\"icmp-network-unreacheble\\\"
D. The packet will be rejected only if the destination network is unreachable

13. If we have the following queue structure:

queue "A" max-limit=8M
- queue "B" parent="A" limit-at=2M max-limit=5M priority=1
- queue "C" parent="A" limit-at=3M max-limit=6M
- - queue "C1" parent="C" limit-at=1M max-limit=2M priority=2
- - queue "C2" parent="C" limit-at=2M max-limit=4M priority=3
If all queues are utilizing the maximum. what will be the traffic distribution ?
A. B-5M, C1-1M, C2- 2M
B. B-5M, C1-2M, C2- 1M
C. B-2M, C1-2M, C2- 4M
D. B-4M, C1-2M, C2- 2M
E. B-4M, C1-2M, C2- 4M

14. What is the correct action for a NAT rule on a router that should intercept SMTP traffic
and send it over to a specified mail server?
A. dst-nat
B. tarpit
C. passthrough
D. redirect

15. A firewall rule is used to redirect all incoming DNS requests. What is the source IP
address generated in the response by the router?
A. Source IP address of the response is broadcast to indicate the response was generated
by proxy
B. Source IP address of the response is IP address of router's out interface
C. Source IP address of the response is the highest active loopback bridge interface of the
router
D. Source IP address of the response is the same as destination IP address of the original
request

16. If we change TTL to 2 in mangle chain prerouting

A. packet will be forwarded to the next 2 L3 devices
B. packet will not be forwarded
C. packet will be forwarded only to next L3 device
D. packet will always reach its destination
4|MTCTCE

17. What is the recommended sequence for traffic marking by mangle for QoS?
A. Add only mark-connection
B. Add action=passtrough
C. Add mark-connection then mark-packet
D. Add only mark-packet

18. after putting this rule: /ip firewall add chain=input action=drop, you will still be
able to access the Router using the mac-address.
True

19. Mangle Routing (routing-mark) is possible, by using chains:

A. prerouting and forward
B. input and output
C. prerouting and output
D. forward and postrouting
E. forward and output

20. Which of these techniques equalizes the flow between connections when the link
is completely full:
A. SFQ
B. PCQ
C. FIFO
D. PFIFO
E. RED

21. You have a queue structure:

queue "GP" max-limit=10M
- queue "M" parent="GP" limit-at=4M max-limit=6M
- - queue "C1" parent="M" limit-at=1M max-limit=7M priority=4
- - queue "C2" parent="M" limit-at=1M max-limit=4M priority=1
- - queue "C3" parent="M" limit-at=2M max-limit=7M priority=8
- queue "F" parent="GP" limit-at=5M max-limit=8M
- - queue "D1" parent="F" limit-at=3M max-limit=4M priority=5
- - queue "D2" parent="F" limit-at=2M max-limit=5M priority=2
Which queue will get more than limit-at in worst case scenario?
A. D2
B. C3
C. C2
D. C1
E. D1

22. Choose correct statements for MikroTik proxy.

A. Destination NAT rule is required to utilize transparent proxy facility
B. To deny access to a specific website, caching should be enabled
C. Controls domains or servers which are allowed to cache by Proxy
D. Can deny access to a specific domains or servers, but not specific web pages
5|MTCTCE

23. You have a queue structure:

queue "GP" max-limit=10M
- queue "M" parent="GP" limit-at=4M max-limit=6M
- - queue "C1" parent="M" limit-at=1M max-limit=7M priority=4
- - queue "C2" parent="M" limit-at=1M max-limit=4M priority=1
- - queue "C3" parent="M" limit-at=3M max-limit=7M priority=8
- queue "F" parent="GP" limit-at=5M max-limit=8M
- - queue "D1" parent="F" limit-at=3M max-limit=4M priority=5
- - queue "D2" parent="F" limit-at=2M max-limit=5M priority=2
If queues "C2" and "C3" are not requiring any traffic, how is all the
available bandwidth going to be distributed in worst case scenario when all other queues are
trying to get all available traffic?
A. queue "C1" will get 5M, "D2" 2M, "D1" 3M
B. queue "C1" will get 2M, "D2" 5M, "D1" 3M
C. queue "C1" will get 4M, "D2" 7M, "D1" 4M
D. queue "C1" will get 4M, "D2" 3M, "D1" 3M
E. queue "C1" will get 3M, "D2" 3M, "D1" 5M

24. You are using Port Scan Detection feature in MikroTik Firewall. What ports are
considered as Low Ports?
A. 20-1024
B. 1-80
C. 1-1000
D. 1024-10000
E. 1-1024

25. If router receives packet with TTL=1 then:

A. packet will be forwarded only to next L3 device
B. packet will always reach its destination
C. packet will not be forwarded

12. which of the following chains are not available to mangle rules:
A. out-put
B. scr-nat
C. dst-nat
D. prerouting

17. It is required to make a web server residing on a private subnet in a LAN visible on the
public internet. Only the web server port should be visible to the public. Which of the
following configuration steps must be met (select all that).
A. A route between the NAT router and the web server must exist
B. LAN address of the web server should be routable on the internet
C. In IP firewall NAT there should be a dst-nat between the public address of the router and
the private IP of the web server
D. Public IP address of the web server must be installed on the NAT Router
E. Connection tracking must be enable on the NAT router
6|MTCTCE

18. You wish to secure your routerOS system. You do want the routerOS to be discoverable
using MNDP or CDP, you also want to deny management via the MAC Address on all
interfaces, select the correct actions to accomplish this:
A. Place a proper input firewall rule to block mac discovery
B. Add a deny all input firewall rule
C. Remove/disable all discovery interfaces
D. Remove/disable all interface under mac-server telnet
E. Place a proper forward firewall rule to block mac discovery
F. Remove/disable all interfaces under mac-server winbox

36. RouterOS log messages are stored on disk by default

False

21. Simple queue number 0 defines 2M for upload and download for target 10.10.10.33
Simple queue number 1 defines 4M for upload and download for target 10.10.10.33
The maximum bandwidth that the client 10.10.10.33 is the able to obtain is :
A. 0M upload/download
B. 6M upload/download
C. 4M upload/download
D. 2M upload/download

23. To block user on my local area network from accessing http://www.facebook.com

between 08:00am and 5:00pm:
A. Add firewall filter rule to block http://www.facebook.com and set time on the rule
B. Enable webproxy, Transparent redirect http traffic, create access rule to drop
http://www.facebook.com with a comment, schedule script to enable access rule at
8:00am and disable rule at 5:00pm
C. Add simple queue to block the site at 8:00am and allow it from 5:00pm
D. Only schedule a script to block http://www.facebook.com at 8:00am and allow at 5:00pm

25. An ISP running a transparent proxy on the router. You want to restrict certain
clients from accessing the proxy. Which firewall chain would you create the rule in:
A. Forward
B. Output
C. Input
D. Prerouting
E. Postrouting

1. If ARP=reply-only is configured on an interface, what will this interface do

a. Accept all IP/MAC combinations listed in /ip arp as static entries
b. Accept all IP addresses listed in /ip arp as static entries
c. Add new MAC addresses in /ip arp list
d. Accept all MAC-addresses listed in /ip arp as static entries
e. Add new IP addresses in /ip arp list
7|MTCTCE

2. Consider the following network. You need to permit the users on the 192.168.0.0/24
network access to webserver (TCP/80) at IP Address 192.168.1.99. You do not want them to
access any other service or device on the 192.168.1.0/24 network. Which of the following
rulesets whould accomplish this task:

A. /ip firewall filter add chain=output dst-address=192.168.1.99 protocol=tcp dst-port=80

action=accept add chain=output dst-address=192.168.1.0/24 action=drop
B. /ip firewall filter add chain=forward dst-address=192.168.1.99 protocol=tcp dst-port=80
action=accept add chain=forward dst-address=192.168.1.0/24 action=drop
C. /ip firewall filter add chain=forward dst-address=192.168.1.99 protocol=tcp dst-port=80
action=accept add chain=forward dst-address=192.168.1.0/24 action=drop
D. /ip firewall filter add chain=output dst-address=192.168.1.99 action=accept add
chain=output dst-address=192.168.1.0/24 action=drop
E. /ip firewall filter add chain=forward protocol=tcp dst-port=80 action=accept add
chain=forward dst-address=192.168.1.0/24 action=drop

3. Change to the TTL (Time To Live) of a packet can not be adjusted, it is hard coded
in RouterOS.
False

8. Which interface can be specified in a simple queue rule?

A. Incoming interface (facing the target address)
B. Outgoing interface (from your network to the dst-address)
C. Any participating interface (regardless of traffic flow)

47. Router has Wireless and Ethernet client interfaces, all client interfaces are
bridged. To create a DHCP service for all clients you must configure DHCP server on
a. every bridge port
b. only on bridge interface
c. Ethernet and wireless interfaces
d. DHCP service is not possible in this setup

13. You set your clients simple queue:

0 name=”Your Client” target-address=1.1.1.1/32 dst-address=0.0.0.0/0
Interface=all parent=none direction=booth priority=8
Queue=default-small/default-small limit-at=0/0 max-limit=0/0
Burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s
Total-queue=default-small total-max-limit=10M
The client starts downloading from a website that give him a download speed of 7meg, then
starts uploading a file to a hosted server. This server can transfer at 5 meg bandwidth:
Which upload speed is allowed for the client:
A. 3 Meg
B. 2 Meg
C. 4 Meg
8|MTCTCE

D. 5 Meg

17. How could you limit the impact of a DDos (Distribute Deniel of service) attack:
A. Create a tarpit rule to reject all “connection-state=invalid” packet
B. use the firewall limit function to limit number of connections from clients
C. Set the TCP Syncookie option in ip firewall connection tracking
D. use the firewall limit function to limit number of connections to servers

6. How can mangle rules be applied to dynamically created PPTP client interface ( select all
that apply):
A. By enabling the ‘PPTP use firewall’ setting in the associated PPP profil
B. By using the address list feature in the associated PPP profil
C. it is possible to do this
D. by directly using the dynamic PPTP interface as a mangle ‘in interface’

16. MikroTik RouterOS commands can be run once a day by:

a. /system watchdog
b. /system scheduler
c. /system cron

25. You need to change default web-proxy error page. Would page should you edit?
A. /webproxy/issue.html
B. /error.html
C. /webproxy/error.html
D. /file
E. /hotspot.html

7. An IP packet has matched all the conditions of afirewall rule and the action reject and the
option icmp-network-unreacheble what initiated for that packet. What will happen with the
contents of the packet?
A. The packet header will receive a flag of ‘icmp-network-unreacheble’
B. The packet will be rejected only if the destination network is unreachable
C. The whole packet will be forwarded back to the sender regardless of its contents
D. The packet will be discarded regardless of its content

1. To make all DNS requests coming from your network to resolve on your router (regardless
of the clients\' configuration………you specify for the DST-NAT rule?
A. you can\'t use DST-NAT to achieve this
B. dst-nat
C. masquerade
D. redirect

2. To be able to do NAT the connection tracking does not need to be enabled.

true

6. How many DHCP servers could you run on one interface?

A. 255
9|MTCTCE

B. 4
C. 1024
D. 1

7. What does the firewall action "log" do?

A. It blocks and logs the packet
B. It logs the packet
C. It logs and blocks the packet
D. It adds a prefix to the packet and passes it through

11. You have a DHCP server on your MikroTik router. The IP addresses 10.1.2.2-10.2.2.20
are distributed in the DHCP network. Additionally, 3 static IP address are defined for your
servers: 10.1.2.31-10.1.2.33. After a while 20 more IP addresses need to be distributed in
the network. Is it possible to distribute the ext ra IP address without adding another DHCP
Server?
true

12. RouterOS router can act as a radius client and authenticate through a radius server
different services.
Which of the following can authenticate using this method?
A. RouterOS users
B. IPSEC users
C. PPTP users
D. PPPoE users
E. Wireless clients

14. We have a src-nat rule

/ip filter nat chain=src-nat src-address=192.168.10.0/24 action=src-nat to-
address=203.115.1.4
We need to block client traffic to IP 115.14.3.110. The necessary rule is :
A. /ip firewall filter add chain=forward src-address=203.115.1.4/32 dst-
address=115.14.3.110 action=drop
B. /ip firewall filter add chain=postrouting src-address=203.115.1.4/32 dst-
address=115.14.3.110 action=drop
C. /ip firewall filter add chain=input src-address=192.168.10.0/24 dst-address=115.14.3.110
action=drop
D. /ip firewall filter add chain=forward src-address=192.168.10.0/24 dst-
address=115.14.3.110 action=drop

15. A MikroTik Router has the following configuration

/ip address
add address=1.1.1.2/30 interface=ether1
add address=2.2.2.2/30 interface=ether2
add address=192.168.10.1/24 interface=ether3
/ip firewall mangle
add action=mark-connection chain=prerouting
dst-port=80 new-connection-mark=web_c passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting
10 | M T C T C E

connection-mark=web_c new-routing-mark=web passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat
out-interface=ether3
/ip route
add gateway=1.1.1.1
add gateway=2.2.2.2 routing-mark=web
What can be said about the Web Access (port 80) by a customer connected at ether3
interface with IP 192.168.10.2/24, gateway 192.168.10.1 ?
A. The Customer is unable to access the Web.
B. The customer will access the Web using the gateway 2.2.2.2
C. The Customer will access the Web by ECMP, by using both gateways 1.1.1.1 and 2.2.2.2
D. The customer will access the Web using the gateway 1.1.1.1

16. Is it possible for a client to get an IP address but no gateway after a successful DHCP
request?
false

18. You have default configuration, the firewall filter configuration is

/ip firewall filter add chain=input src-address=192.168.0.1 action=accept
/ip firewall filter add chain=input action=log
/ip firewall filter add chain=input action=drop
Which host is allowed to access the router?
A. IP address 192.168.0.2, MAC-address 00:0C:42:01:01:02
B. IP address 5.8.8.8, MAC-address 00:0C:42:01:02:03
C. IP address 192.168.0.1, MAC-address 00:0C:42:01:01:02
D. IP address 192.168.0.1, MAC-address 00:0C:42:05:05:01

21. Select types of Load Balancing methods

A. PCQ
B. NTH
C. ECMP
D. PCC

22. You have a queue structure:

queue "GP" max-limit=10M
- queue "M" parent="GP" limit-at=4M max-limit=6M
- - queue "C1" parent="M" limit-at=1M max-limit=7M priority=4
- - queue "C2" parent="M" limit-at=1M max-limit=4M priority=1
- - queue "C3" parent="M" limit-at=3M max-limit=7M priority=8
- queue "F" parent="GP" limit-at=5M max-limit=8M
- - queue "D1" parent="F" limit-at=3M max-limit=4M priority=5
- - queue "D2" parent="F" limit-at=2M max-limit=5M priority=2
In the case where all child queues require 2Mbps each all at the same time, they are going
to get it.
false

25. In RouterOS queue configurations the word "total" usually represents

11 | M T C T C E

A. upload + download
B. upload
C. download
D. download - upload

1. What does this simple queue do (check the image)?

A. Queue limits host 192.168.1.10 download data rate to one megabit per second.
B. Queue guarantees upload data rate of one megabit per second for host 192.168.1.10
C. Queue limits host 192.168.1.10 upload data rate to one megabit per second.
D. Queue guarantees download data rate of one megabit per second for host 192.168.1.10

2. Router has Wireless and Ethernet client interfaces, all client interfaces are bridged.
To create a DHCP service for all clients you must configure DHCP server on
A. DHCP service is not possible in this setup
B. Ethernet and wireless interfaces
C. every bridge port
D. only on bridge interface

3. Mark the queue types that are available in RouterOS

A. PCQ – Per Connection Queuing
B. DRR - Deficit Round Robin
C. FIFO - First In First Out (for Bytes or for Packets)
D. RED – Random Early Detect (or Drop)
E. SFQ – Stochastic Fairness Queuing
F. LIFO - Last In First Out

5. What RouterOS feature should be used to redirect user HTTP requests as result opening
completely different page?
A. web-proxy access-list
B. web-proxy cache-list
C. firewall nat action redirect
D. web-proxy direct-list
12 | M T C T C E

8. Someone has installed an illegal DHCP server on your broadcast domain. While
organizing everything for removal of the server, you want to minimize the problems caused
on your network. On your DHCP server, you should
A. specify "Src. Address"
B. enable authoritative mode
C. enable "Always Broadcast"
D. increase "delay-threshold" value

9. Firewall NAT rules process only the first packet of each connection.
true

10. DST-NAT can process traffic sent from and through the router.
false

11. Which action do you need to use with an NAT rule, to NAT a private address range to
public address range?
A. Netmap
B. Src-nat
C. Same
D. Masquerade

16. In normal Network Conditions which types of addresses will never be a source
address in an IP packet in your physical network.
A. loopback address
B. multicast address
C. public address
D. broadcast address
E. unicast address
F. private address

24. Same IP address can be included in multiple address-lists, and these lists can be
used separate from one another.
true

4. An IP address pool can contain addresses from more than one subnet.
False

8. DHCP server is configured on a router’s ether1 interface. IP address

192.168.0.100/24 is assigned to the interface. Possible IP pools, that can be used by
this DHCP server, are:
A. 192.168.0.1-192.168.0.99,192.168.0.101-192.168.0.254
B. 192.169.0.1-192.169.0.254
C. 192.168.0.1-192.168.0.255
D. 192.168.0.1-192.168.0.14

10. According to the picture, if both laptops have same priority, how much bandwidth will be
available for every laptop ?
13 | M T C T C E

A. 2
B. 4
C. 3
D. 1

11. By default HTBs have no way of knowing what amount of bandwidth is available, this
information can be provided by specifying max-limit on main parent queue in HTB.
True

12. Which of the following is true for mangle facility in RouterOS?

A. Marks packet can be used by other router facilities like routing and bandwidth
management
B. Mangle facility can be used to modify some fields in the IP header and TTL fields
C. Mangle facility is used to mark IP packets with special marks for future processing
D. The mangle mark can be transmitted across the network, and used by other routers

21. You can apply input firewall rules based on prerouting or forward mangle marks
true

22. It is required to make a web server on a private LAN visible on the Public Internet. Only
the web server port should be visible to the public. Which of the following configuration steps
must be met. (select all that apply)
A. Connection Tracking must be enabled on NAT router
B. LAN address of the webserver should be routable on the internet
C. Public IP address of the webserver must be installed on the NAT Router
D. in ip firewall NAT there should be a dst-nat between the public ip of the router and the
private ip of the webserver
E. A route between the NAT Router and the webserver must exist

23. In Ip Firewall NAT, you can Classify Traffic in SRC Nat Chain based on " in-interface".
False

24. Consider the following network diagram. In R1, you have the following configuration:
/ip route
add dst-address=192.168.1.0/24 gateway=192.168.99.2
/ip firewall nat
add chain=srcnat out-interface=Ether1 action=masquerade
On R2, if you wish to prevent all access to a server located at 192.168.1.10 from LAN1
devices,
which of the following rules would be needed?
A. /ip firewall filter add chain=forward src-address=192.168.0.0/24 dst-
address=192.168.1.10 action=drop
B. /ip firewall filter add chain=input src-address=192.168.99.1 dst-address=192.168.1.10
action=drop
C. /ip firewall filter add chain=forward src-address=192.168.99.1 dst-address=192.168.1.10
action=drop
14 | M T C T C E

D. /ip firewall nat add chain=dstnat src-address=192.168.99.1 dst-address=192.168.1.10

action=drop

25. Two mangle rules defining different mangle packet marks for the same traffic type,
will make it have both mangle marks.
False

1. When queue simple is placed in the same HTB (Hierarchical Token Bucket),
it will take all the traffic away from the Queue Tree queue.
False

4. To customise the look of the hotspot login page, you can edit
A. login.html
B. template.html
C. redirect.html
D. alogin.html

5. If a packet comes to a router and starts a new, previously unseen connection,

which connection state would be applied to it?
A. invalid
B. unknown
C. no connection state would be applied to such packet
D. established
E. new

6. You are about to configure DNS Cache and make a static DNS rule.
Your router should resolve any domain name. Which are the minimum settings you
will need?
A. Configure both Primary and Secondary DNS servers
B. Set cache size to 4096
C. Configure Primary DNS server
D. Enable "Allow Remote Requests"
E. Add a new static DNS entry

9. What is marked by connection-state=established matcher?

A. Packet belongs to an existing connection,for example a reply packet or a
packet which belongs to already replied connection
B. Packet does not corre spond to any known connection
C. Packet begins a new TCP connection
D. Packet is related to, but not part of an existing connection

14. You have masqueraded network 192.168.1.0/24.

To place upload/download limitations for each client you can
15 | M T C T C E

A. mark traffic in mangle chain "prero uting", and place limitations in interface HTB
B. mark traffic in mangle chain "postrouting", and place limitations in "global-out" HTB
C. mark traffic in mangle chain "forward", and place limitations in "global-out" HTB
D. mark traffic in mangle chain "forward", and place limitations in "global-in" HTB
E. mark traffic in mangle c hain "postrouting", and place limitations in interface HTB

15. What does the firewall action "Redirect" do?

A. Redirects a packet to the router
B. Redirects a packet to a specified IP
C. Redirects a packet to a specified port on a host in the network
D. Redirects a packet to a specified port on the router

22. When "Cache On Disk" is not checked under the web proxy settings, where does
the data get stored?
A. It does not get stored
B. System Disk
C. RAM (Memory)
D. USB Disk

23. What RouterOS feature should be used to redirect user WEB browsing?
A. web-proxy direct-list
B. firewall nat action redirect
C. web-proxy access-list
D. web-proxy cache-list

24. Which of the following are reported by MikroTik Discovery Protocol:

A. Mac Address of reachable interface
B. Routing Protocol available
C. All layer 3 addresses from all interfaces
D. Remote router identity
E. Remote router software version
F. Remote Router routing Table

25. To block access to web proxies running on TCP port 8080,

you have to create a firewall rule and specify:
A. "chain", "action", "port"
B. "chain", "action", "protocol"
C. "chain", "action", "protocol", "limit"
D. "chain", "action", "protocol", "port"

3. DHCP-server configuration,
/ip dhcp-server set 0 address-pool=static-only
/ip dhcp-server lease add mac-address=00:0C:42:01:02:03 address=192.168.0.1
/ip dhcp-server lease add mac-address=00:0C:42:01:02:02 address=192.168.0.2
/ip dhcp-server lease add mac-address=00:0C:42:01:02:04 address=192.168.0.3
Which IP addresses will be handed out to client?
A. Any host from 192.168.0.0/24 network except 192.168.0.254
16 | M T C T C E

B. 192.168.0.1
C. 192.168.0.1, 192.168.0.2, 192.168.0.3
D. 192.168.0.1, 192.168.0.2

6. You created PCC mangle rules. You are splitting between three connections,
what are the proper PCC settings.
A. action=accept c hain=prerouting disabled=no per-connection-classifier=both-
addresses:3/1
B. action=accept chain=prerouting disabled=no per-connection-classifier=both-
addresses:3/0
C. action=accept chain=prerouting disabled=no per-connection-classifier=both-
addresses:1/1
D. action=accept chain=prerouting disabled=no per-connection-classifier=both-
addresses:3/3
E. action=accept chain=prerouting disabled=no per-connection-classifier=both-
addresses:0/0
F. action=accept c hain=prerouting disabled=no per-connection-classifier=both-
addresses:3/2

7. Interface HTB can be specified as a parent for a simple queue,

this way applying simple queue only for traffic that is leaving through that interface
True

10. Possible actions of ip firewall filter are:

A. tarp
B. add-to-address-list
C. tarpit
D. log
E. accept
F. bounce

12. Action Tarpit can be applied to

A. ICMP Protocol
B. UDP Protocol
C. TCP Protocol
D. Any Protocol

17. The DHCP client - server communication steps are

A. client request, server offer, client discovery, server ack
B. client discovery, server offer, client request, server ack
C. client discovery, client request, client ack, server offer
D. client discovery, server ack, client request, server offer
17 | M T C T C E

20. It is required to make a web server o n a private LAN visible on the Public Internet.
Only the web server port should be visible to the public.
Which of the following configuration steps must be met. (select all that apply)
A. A route between the NAT Router and the webserver must exist
B. Public IP address of the webserver must be installed on the NAT Router
C. Connection Tracking must be enabled on NAT router
D. in ip firewall NAT there should be a dst-nat between the public ip of the router
and the private ip of the webserver
E. LAN address of the webserver should be routable on the internet

22. What feature of MikroTik firewall can help you in case of synflood attack?
A. TCP syn deny
B. TCP syn drop
C. TCP syn Cookie
D. TCP syn Jump
E. TCP syn reject

23. In IP firewall filter, "dst-limit" option is used to limit the number of hops a packet is
allowed to take
False

2. Packet sniffer can stream results to

A. Neighbor MAC address
B. IP address
C. Local file
D. MAC address

6. Packet marks can be set by ip firewall mangle in different chains. To use packet
marks in Global-in Queue (Queue trees), you have to mark your packets in chain:
A. input
B. postrouting
C. output
D. prerouting
E. forward
18 | M T C T C E

15. There are two mangle rules:

0 chain=forward action=mark-routing new-routing-mark="aaa" passthrough=yes
1 chain=forward action=mark-routing new-routing-mark="bbb" passthrough=yes
What routing mark will the packet have after passing the forward chain?
A. "bbb"
B. "aaa"
C. "aaabbb"
D. "aaa" and "bbb"

19. Mangle allows you to mark IP packets with special marks, that can be used for
routing and bandwidth management. The mangle facility can also be used to modify
some fields in the IP header, like TOS (DSCP) and TTL fields. These mangle marks can
then be used across multiple routers in the network.
False

23. Is it possible to have 2 working DHCP servers on the same interface?

A. Yes, as long as 1 is set to Always Broadcast
B. Yes, as long as only 1 is Authoritative
C. No it is not possible
D. Yes, as long as 1 has a relay specified

PAK ANDRI KOMANDO

1. While troubleshooting a network from inside the network you discover that you can ping
the gateway reliably, but you can not browser the internet, skype, however , work flawless,
what the is the most likely issue ?
A. DNS isnot available
B. Masquerading rule is not applied
C. The computer did not get an IP address
D. Network card/or cable isnot working

2. You can set ANY “DHCP Option” form 1 to 254, including private use DHCP option (224-
254) on mikrotik routeros DHCP server
True

3. Mark the queue types can do actual traffic limitation (independently from queue
limit)
A. PCQ
B. DRR
C. FIFO
D. RED
E. SFQ
F. LIFO

4. sort queue type by processor work-load first in less consumptive

A. PFIFO, PCQ, RED
B. PFIFO, RED, PCQ
19 | M T C T C E

C. PCQ, RED, PFIFO

D. PCQ, PFIFO, RED

9. You have the following queue structure:

queue "A" max-limit=8M
-queue "B" parent="A" limit-at=2M max-limit=5M priority=1
--queue "C" parent="A" limit-at=3M max-limit=6M
---queue "C1" parent="C" limit-at=1M max-limit=2M priority=2
---queue "C2" parent="C" limit-at=2M max-limit=4M priority=3
If all queueare ultilizing the maximum, what will be the traffic distribution?
A. B-2M, C1-2M, C2- 4M
B. B-4M, C1-2M, C2- 2M
C. B-5M, C1-1M, C2- 4M
D. B-4M, C1-2M, C2- 4M
E. B-5M, C1-2M, C2- 1M

10. Client has download a queue with limit-at=2Mbps max-limit=4Mbps

Burst-limit=5Mbps burst-threshold=3Mbit burst-time=30s. What is the maximum possible
time client can have 4,5Mbps download speed?
A. 37.5s
B. 10s
C. 20s
D. 45s
E. 60s

"