Documente Academic
Documente Profesional
Documente Cultură
Soal MTCTCE
1. You have 10Mbps download link available to be used by your clients on the LAN. You
want to use PCQ and allow 512k maximum download for each client. The correct argument
values for the required queue type are:
A. kind=pcq pcq-limit=10000000 pcq-classifier=src-address
B. kind=pcq pcq-rate=512000 pcq-classifier=src-address
C. kind=pcq pcq-limit=10000000 pcq-classifier=dst-address
D. kind=pcq pcq-rate=512000 pcq-classifier=dst-address
2. How is the DHCP server able to track lease association with a particular client? The
identification can be achieved:
A. Based on "system identity" option
B. Based on “hostname” option
C. Based on “caller-id” option (dhcp-client-identifier from RFC2132)
D. Based on MAC address, if “caller-id” option is not specified.
3. The cache hit DSCP (TOS) number under the Web Proxy Settings is used
A. To identify data coming from the cached data to the client
B. To Identify data the proxy system has stored and returned to clients
C. To identify data received by the web proxy from the internet
D. To Identify data coming from the internet to the web proxy clients
4. You need to redirect a browser page from a search of "xxx" in google to another
website such as www.mikrotik.com
Choose correct proxy access rule.
A. /ip proxy access add dst-host=*xxx* action=deny redirect-to=www.mikrotik.com
B. /ip proxy access add dst-host=*.google.* path=*xxx* action=deny redirect-
to=www.mikrotik.com
C. /ip proxy access add path=*xxx* action=allow redirect-to=www.mikrotik.com
D. /ip proxy access add dst-host=*xxx* action=allow redirect-to=www.mikrotik.com
6. You want to offer a static route to your DHCP clients (besides the default-route).
What is the best way to do that?
A. Set DHCP options 121
B. Set DHCP options 3
C. Set a static IP into /ip route and it will automatically be sent to clients
D. There is no way to send a static-route to DHCP clients
2|MTCTCE
7. To mangle all traffic going to the router itself on chain=prerouting, we can use parameter:
A. dst-address-type=local
B. dst-address-type=unicast
C. dst-address=127.0.0.1
D. dst-address=localhost
10. Is it possible to use the serial port of MikroTik to communicate with an external device
connected by null-modem cable?
A. Yes, when other is a MikroTik router.
B. Yes, if port is not being used
C. Yes, it is always possible by /system serial-terminal command.
11. You want to use PCQ and allow 256k maximum download and upload for each
client. Choose correct argument values for the required queue.
A. kind=pcq pcq-limit=5000000 pcq-classifier=dst-address
B. kind=pcq pcq-limit=256000 pcq-classifier=dst-address
C. kind=pcq pcq-limit=256000 pcq-classifier=src-address
D. kind=pcq pcq-limit=5000000 pcq-classifier=src-address
E. kind=pcq pcq-limit=1256000 pcq-classifier=dst-address
3|MTCTCE
12. An IP packet has matched all the conditions of a firewall rule and the action reject
and the option icmp-network-unreachable was initiated for that packet. What will
happen with the packet content ?
A. The packet will be discarded regardless of its content
B. The whole packet will be forwarded back to the sender regardless of its contents
C. The packet header will receive a flag of \\\"icmp-network-unreacheble\\\"
D. The packet will be rejected only if the destination network is unreachable
14. What is the correct action for a NAT rule on a router that should intercept SMTP traffic
and send it over to a specified mail server?
A. dst-nat
B. tarpit
C. passthrough
D. redirect
15. A firewall rule is used to redirect all incoming DNS requests. What is the source IP
address generated in the response by the router?
A. Source IP address of the response is broadcast to indicate the response was generated
by proxy
B. Source IP address of the response is IP address of router's out interface
C. Source IP address of the response is the highest active loopback bridge interface of the
router
D. Source IP address of the response is the same as destination IP address of the original
request
17. What is the recommended sequence for traffic marking by mangle for QoS?
A. Add only mark-connection
B. Add action=passtrough
C. Add mark-connection then mark-packet
D. Add only mark-packet
18. after putting this rule: /ip firewall add chain=input action=drop, you will still be
able to access the Router using the mac-address.
True
20. Which of these techniques equalizes the flow between connections when the link
is completely full:
A. SFQ
B. PCQ
C. FIFO
D. PFIFO
E. RED
24. You are using Port Scan Detection feature in MikroTik Firewall. What ports are
considered as Low Ports?
A. 20-1024
B. 1-80
C. 1-1000
D. 1024-10000
E. 1-1024
12. which of the following chains are not available to mangle rules:
A. out-put
B. scr-nat
C. dst-nat
D. prerouting
17. It is required to make a web server residing on a private subnet in a LAN visible on the
public internet. Only the web server port should be visible to the public. Which of the
following configuration steps must be met (select all that).
A. A route between the NAT router and the web server must exist
B. LAN address of the web server should be routable on the internet
C. In IP firewall NAT there should be a dst-nat between the public address of the router and
the private IP of the web server
D. Public IP address of the web server must be installed on the NAT Router
E. Connection tracking must be enable on the NAT router
6|MTCTCE
18. You wish to secure your routerOS system. You do want the routerOS to be discoverable
using MNDP or CDP, you also want to deny management via the MAC Address on all
interfaces, select the correct actions to accomplish this:
A. Place a proper input firewall rule to block mac discovery
B. Add a deny all input firewall rule
C. Remove/disable all discovery interfaces
D. Remove/disable all interface under mac-server telnet
E. Place a proper forward firewall rule to block mac discovery
F. Remove/disable all interfaces under mac-server winbox
21. Simple queue number 0 defines 2M for upload and download for target 10.10.10.33
Simple queue number 1 defines 4M for upload and download for target 10.10.10.33
The maximum bandwidth that the client 10.10.10.33 is the able to obtain is :
A. 0M upload/download
B. 6M upload/download
C. 4M upload/download
D. 2M upload/download
25. An ISP running a transparent proxy on the router. You want to restrict certain
clients from accessing the proxy. Which firewall chain would you create the rule in:
A. Forward
B. Output
C. Input
D. Prerouting
E. Postrouting
2. Consider the following network. You need to permit the users on the 192.168.0.0/24
network access to webserver (TCP/80) at IP Address 192.168.1.99. You do not want them to
access any other service or device on the 192.168.1.0/24 network. Which of the following
rulesets whould accomplish this task:
3. Change to the TTL (Time To Live) of a packet can not be adjusted, it is hard coded
in RouterOS.
False
47. Router has Wireless and Ethernet client interfaces, all client interfaces are
bridged. To create a DHCP service for all clients you must configure DHCP server on
a. every bridge port
b. only on bridge interface
c. Ethernet and wireless interfaces
d. DHCP service is not possible in this setup
D. 5 Meg
17. How could you limit the impact of a DDos (Distribute Deniel of service) attack:
A. Create a tarpit rule to reject all “connection-state=invalid” packet
B. use the firewall limit function to limit number of connections from clients
C. Set the TCP Syncookie option in ip firewall connection tracking
D. use the firewall limit function to limit number of connections to servers
6. How can mangle rules be applied to dynamically created PPTP client interface ( select all
that apply):
A. By enabling the ‘PPTP use firewall’ setting in the associated PPP profil
B. By using the address list feature in the associated PPP profil
C. it is possible to do this
D. by directly using the dynamic PPTP interface as a mangle ‘in interface’
25. You need to change default web-proxy error page. Would page should you edit?
A. /webproxy/issue.html
B. /error.html
C. /webproxy/error.html
D. /file
E. /hotspot.html
7. An IP packet has matched all the conditions of afirewall rule and the action reject and the
option icmp-network-unreacheble what initiated for that packet. What will happen with the
contents of the packet?
A. The packet header will receive a flag of ‘icmp-network-unreacheble’
B. The packet will be rejected only if the destination network is unreachable
C. The whole packet will be forwarded back to the sender regardless of its contents
D. The packet will be discarded regardless of its content
1. To make all DNS requests coming from your network to resolve on your router (regardless
of the clients\' configuration………you specify for the DST-NAT rule?
A. you can\'t use DST-NAT to achieve this
B. dst-nat
C. masquerade
D. redirect
B. 4
C. 1024
D. 1
11. You have a DHCP server on your MikroTik router. The IP addresses 10.1.2.2-10.2.2.20
are distributed in the DHCP network. Additionally, 3 static IP address are defined for your
servers: 10.1.2.31-10.1.2.33. After a while 20 more IP addresses need to be distributed in
the network. Is it possible to distribute the ext ra IP address without adding another DHCP
Server?
true
12. RouterOS router can act as a radius client and authenticate through a radius server
different services.
Which of the following can authenticate using this method?
A. RouterOS users
B. IPSEC users
C. PPTP users
D. PPPoE users
E. Wireless clients
16. Is it possible for a client to get an IP address but no gateway after a successful DHCP
request?
false
A. upload + download
B. upload
C. download
D. download - upload
A. Queue limits host 192.168.1.10 download data rate to one megabit per second.
B. Queue guarantees upload data rate of one megabit per second for host 192.168.1.10
C. Queue limits host 192.168.1.10 upload data rate to one megabit per second.
D. Queue guarantees download data rate of one megabit per second for host 192.168.1.10
2. Router has Wireless and Ethernet client interfaces, all client interfaces are bridged.
To create a DHCP service for all clients you must configure DHCP server on
A. DHCP service is not possible in this setup
B. Ethernet and wireless interfaces
C. every bridge port
D. only on bridge interface
5. What RouterOS feature should be used to redirect user HTTP requests as result opening
completely different page?
A. web-proxy access-list
B. web-proxy cache-list
C. firewall nat action redirect
D. web-proxy direct-list
12 | M T C T C E
8. Someone has installed an illegal DHCP server on your broadcast domain. While
organizing everything for removal of the server, you want to minimize the problems caused
on your network. On your DHCP server, you should
A. specify "Src. Address"
B. enable authoritative mode
C. enable "Always Broadcast"
D. increase "delay-threshold" value
9. Firewall NAT rules process only the first packet of each connection.
true
10. DST-NAT can process traffic sent from and through the router.
false
11. Which action do you need to use with an NAT rule, to NAT a private address range to
public address range?
A. Netmap
B. Src-nat
C. Same
D. Masquerade
16. In normal Network Conditions which types of addresses will never be a source
address in an IP packet in your physical network.
A. loopback address
B. multicast address
C. public address
D. broadcast address
E. unicast address
F. private address
24. Same IP address can be included in multiple address-lists, and these lists can be
used separate from one another.
true
4. An IP address pool can contain addresses from more than one subnet.
False
10. According to the picture, if both laptops have same priority, how much bandwidth will be
available for every laptop ?
13 | M T C T C E
A. 2
B. 4
C. 3
D. 1
11. By default HTBs have no way of knowing what amount of bandwidth is available, this
information can be provided by specifying max-limit on main parent queue in HTB.
True
21. You can apply input firewall rules based on prerouting or forward mangle marks
true
22. It is required to make a web server on a private LAN visible on the Public Internet. Only
the web server port should be visible to the public. Which of the following configuration steps
must be met. (select all that apply)
A. Connection Tracking must be enabled on NAT router
B. LAN address of the webserver should be routable on the internet
C. Public IP address of the webserver must be installed on the NAT Router
D. in ip firewall NAT there should be a dst-nat between the public ip of the router and the
private ip of the webserver
E. A route between the NAT Router and the webserver must exist
23. In Ip Firewall NAT, you can Classify Traffic in SRC Nat Chain based on " in-interface".
False
24. Consider the following network diagram. In R1, you have the following configuration:
/ip route
add dst-address=192.168.1.0/24 gateway=192.168.99.2
/ip firewall nat
add chain=srcnat out-interface=Ether1 action=masquerade
On R2, if you wish to prevent all access to a server located at 192.168.1.10 from LAN1
devices,
which of the following rules would be needed?
A. /ip firewall filter add chain=forward src-address=192.168.0.0/24 dst-
address=192.168.1.10 action=drop
B. /ip firewall filter add chain=input src-address=192.168.99.1 dst-address=192.168.1.10
action=drop
C. /ip firewall filter add chain=forward src-address=192.168.99.1 dst-address=192.168.1.10
action=drop
14 | M T C T C E
25. Two mangle rules defining different mangle packet marks for the same traffic type,
will make it have both mangle marks.
False
1. When queue simple is placed in the same HTB (Hierarchical Token Bucket),
it will take all the traffic away from the Queue Tree queue.
False
4. To customise the look of the hotspot login page, you can edit
A. login.html
B. template.html
C. redirect.html
D. alogin.html
6. You are about to configure DNS Cache and make a static DNS rule.
Your router should resolve any domain name. Which are the minimum settings you
will need?
A. Configure both Primary and Secondary DNS servers
B. Set cache size to 4096
C. Configure Primary DNS server
D. Enable "Allow Remote Requests"
E. Add a new static DNS entry
A. mark traffic in mangle chain "prero uting", and place limitations in interface HTB
B. mark traffic in mangle chain "postrouting", and place limitations in "global-out" HTB
C. mark traffic in mangle chain "forward", and place limitations in "global-out" HTB
D. mark traffic in mangle chain "forward", and place limitations in "global-in" HTB
E. mark traffic in mangle c hain "postrouting", and place limitations in interface HTB
22. When "Cache On Disk" is not checked under the web proxy settings, where does
the data get stored?
A. It does not get stored
B. System Disk
C. RAM (Memory)
D. USB Disk
23. What RouterOS feature should be used to redirect user WEB browsing?
A. web-proxy direct-list
B. firewall nat action redirect
C. web-proxy access-list
D. web-proxy cache-list
3. DHCP-server configuration,
/ip dhcp-server set 0 address-pool=static-only
/ip dhcp-server lease add mac-address=00:0C:42:01:02:03 address=192.168.0.1
/ip dhcp-server lease add mac-address=00:0C:42:01:02:02 address=192.168.0.2
/ip dhcp-server lease add mac-address=00:0C:42:01:02:04 address=192.168.0.3
Which IP addresses will be handed out to client?
A. Any host from 192.168.0.0/24 network except 192.168.0.254
16 | M T C T C E
B. 192.168.0.1
C. 192.168.0.1, 192.168.0.2, 192.168.0.3
D. 192.168.0.1, 192.168.0.2
6. You created PCC mangle rules. You are splitting between three connections,
what are the proper PCC settings.
A. action=accept c hain=prerouting disabled=no per-connection-classifier=both-
addresses:3/1
B. action=accept chain=prerouting disabled=no per-connection-classifier=both-
addresses:3/0
C. action=accept chain=prerouting disabled=no per-connection-classifier=both-
addresses:1/1
D. action=accept chain=prerouting disabled=no per-connection-classifier=both-
addresses:3/3
E. action=accept chain=prerouting disabled=no per-connection-classifier=both-
addresses:0/0
F. action=accept c hain=prerouting disabled=no per-connection-classifier=both-
addresses:3/2
20. It is required to make a web server o n a private LAN visible on the Public Internet.
Only the web server port should be visible to the public.
Which of the following configuration steps must be met. (select all that apply)
A. A route between the NAT Router and the webserver must exist
B. Public IP address of the webserver must be installed on the NAT Router
C. Connection Tracking must be enabled on NAT router
D. in ip firewall NAT there should be a dst-nat between the public ip of the router
and the private ip of the webserver
E. LAN address of the webserver should be routable on the internet
22. What feature of MikroTik firewall can help you in case of synflood attack?
A. TCP syn deny
B. TCP syn drop
C. TCP syn Cookie
D. TCP syn Jump
E. TCP syn reject
23. In IP firewall filter, "dst-limit" option is used to limit the number of hops a packet is
allowed to take
False
6. Packet marks can be set by ip firewall mangle in different chains. To use packet
marks in Global-in Queue (Queue trees), you have to mark your packets in chain:
A. input
B. postrouting
C. output
D. prerouting
E. forward
18 | M T C T C E
19. Mangle allows you to mark IP packets with special marks, that can be used for
routing and bandwidth management. The mangle facility can also be used to modify
some fields in the IP header, like TOS (DSCP) and TTL fields. These mangle marks can
then be used across multiple routers in the network.
False
1. While troubleshooting a network from inside the network you discover that you can ping
the gateway reliably, but you can not browser the internet, skype, however , work flawless,
what the is the most likely issue ?
A. DNS isnot available
B. Masquerading rule is not applied
C. The computer did not get an IP address
D. Network card/or cable isnot working
2. You can set ANY “DHCP Option” form 1 to 254, including private use DHCP option (224-
254) on mikrotik routeros DHCP server
True
3. Mark the queue types can do actual traffic limitation (independently from queue
limit)
A. PCQ
B. DRR
C. FIFO
D. RED
E. SFQ
F. LIFO
"