Using MikroTik Netinstall on Linux

If you’ve used MikroTik network gear long enough, you’ve likely run into devices bricking themselves after RouterOS software upgrades. Maybe you’ve set some configuration that has inadvertently made your device unusable. Or maybe you’ve inherited a device and want to start with a clean slate.

How do you re-install RouterOS, and maybe reset the device’s configuration too?

MikroTik provide the Netinstall tool to do network-based RouterOS installs. Until recently you could only run Netinstall on Windows, but MikroTik recently released a Linux CLI version.

As of writing, it’s only been available for a few months, and it has quite a few rough edges, which I have attempted to document here.

The Linux version of Netinstall is janky in several ways:

  • It only works on a single network interface, and you cannot control which interface it selects.
  • It generally fails if you have multiple active network interfaces.
  • It fails with obscure messages if there is no default route on the interface it selects.
  • It often doesn’t serve up the images correctly the first time.

You need to set Linux networking up in a very particular way to make Netinstall work.

But before we start, a little background on Netinstall, and another less well-known RouterBOARD subsystem called Etherboot.

Netinstall is only one half of the solution. The other is Etherboot.

Netinstall is a binary that rolls a BOOTP/TFTP server into a single executable. The other half of the equation is Etherboot, which is a low-level system built into MikroTik devices for installing RouterOS onto the device’s flash memory.

Check the documentation for how to trigger Etherboot for your specific device, but it generally boils down to:

  • Power off the device
  • Hold the reset button
  • Power on the device

Then watch the output of Netinstall to see the device fetch an image and reboot.

I highly recommend running a packet sniffer like Wireshark or tcpdump when you’re doing this, to identify any configuration errors.

If everything is working correctly, you’ll see Netinstall and Etherboot do a standard BOOTP/TFTP dance.

In my particular case, I was doing this on a cAP ac that had bricked itself after an automated upgrade, and was stuck in an Etherboot reboot loop. I have also used this process to reinstall RouterOS on a hAP ac lite with corrupted configuration.

How to run netinstall on Linux

Before you start:

  • Fetch the latest netinstall binary for Linux. At time of writing, I was using netinstall 7.1.1.
  • Fetch the appropriate RouterOS image for your device. You can find the latest image linked from the product page of your device. Pay attention to whether the image is MIPS or ARM.

Once you’ve downloaded these, you need to set up a wired network, with a default route. The netinstall Linux binary will not work if you do not have a default route set, and will output FAILED TO REPLY, which is an awesomely unhelpful error message.

To set up the network on Ubuntu, configure /etc/netplan/50-cloud-init.yaml:

network:
  version: 2
  ethernets:
    eno1:
      addresses:
        - 192.168.88.100/24
      routes:
        - to: 0.0.0.0/0
          via: 192.168.88.1

Then apply with:

sudo netplan generate
sudo netplan apply

If you have other interfaces (like wifi) shut them down with something like:

sudo ip link set dev wlp0s20f3 down
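
The constraints described so far (exactly one active interface, with the default route on it) can be checked before starting the server. The script below is an added example, not part of the original post or of MikroTik's tooling; it assumes iproute2's `ip` command, reuses the `eno1` name from the netplan example, and its function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for netinstall.
# Assumes iproute2's `ip`; eno1 is the interface from the netplan example above.

# Print non-loopback interfaces that are operationally UP.
# stdin: output of `ip -o link show up`
active_ifaces() {
    awk -F': ' '$2 != "lo" && /state UP/ { sub(/@.*/, "", $2); print $2 }'
}

# Print the device of every IPv4 default route.
# stdin: output of `ip -4 route show default`
default_route_devs() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# preflight IFACE LINK_TEXT ROUTE_TEXT: list every problem, return 0 only if clean.
preflight() {
    want=$1; rc=0
    up=$(printf '%s\n' "$2" | active_ifaces)
    via=$(printf '%s\n' "$3" | default_route_devs | sort -u)
    printf '%s\n' "$up" | grep -qxF "$want" || { echo "$want is not up"; rc=1; }
    for i in $up; do
        [ "$i" = "$want" ] || { echo "extra active interface: $i"; rc=1; }
    done
    [ "$via" = "$want" ] || {
        echo "default route not solely via $want (found: ${via:-none})"; rc=1; }
    return $rc
}

# Constructed, abbreviated sample input: wired eno1 plus a still-active wifi interface.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP'
SAMPLE_ROUTES='default via 192.168.88.1 dev eno1 proto static'

# Live use: pass the wired interface name as the first argument.
if [ -n "${1:-}" ]; then
    preflight "$1" "$(ip -o link show up)" "$(ip -4 route show default)"
fi
```

Saved under a name of your choosing and run with the wired interface as its argument (for example `eno1`), it prints one line per condition that would make netinstall fail and exits non-zero if any are found.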

Then start the netinstall server:

sudo ./netinstall -a 192.168.88.1 routeros-mipsbe-7.1.1.npk

Replace routeros-mipsbe-7.1.1.npk with your image name.

The -a flag says what IP address should be assigned to Etherboot clients when doing the Netinstall dance.

You should see output that looks something like this:

Using server IP: 192.168.88.100
Starting PXE server
Waiting for RouterBOARD...
PXE client: 01:23:45:67:89:10
Sending image: mips
Discovered RouterBOARD...
Formatting...
Sending package routeros-mipsbe-7.1.1.npk ...
Ready for reboot...
Sent reboot command

Remember that depending on what your device is, when the device comes back up after the RouterOS install, the default configuration may have a firewall on the ethernet interface, so you won’t be able to connect to it.

The default behaviour is to serve up a RouterOS image, but keep the existing configuration on the device.

If you have uploaded broken configuration to the device, or the configuration has become corrupted, a RouterOS install via Netinstall/Etherboot won’t be enough. You will need to wipe all config on the target device, by running the previous command with -r.

More detail about the Linux version of netinstall can be found on the MikroTik help site.

You can’t use non-MikroTik tools (like dnsmasq) to serve up the RouterOS images

You might be thinking “why use a proprietary tool like Netinstall when I can use open source tools like dnsmasq to serve up the RouterOS images?”

The short answer is: I’ve tried this and it doesn’t work.

The longer answer is: Netinstall isn’t serving up just the RouterOS image, it’s also repackaging it in a way that the RouterBOARD on the other end can use.

The hint to the magic it’s doing is in these two lines of netinstall output:

Formatting...
Sending package routeros-mipsbe-6.48.1.npk ...

This suggests it’s not just sending an image. At the very least, it’s also packaging up configuration to run on first boot (the -s flag), or signalling to wipe existing configuration (the -r flag).

If you set up a dnsmasq instance and try serving up RouterOS images via TFTP, you’ll find that the device will not install that RouterOS image.

I have no interest in working out exactly what it’s doing, nor maintaining a working open source-based alternative.

If you don’t value your time and you want to investigate how to go full open source, I saw one creative solution to this problem on a forum that boiled down to:

  • Set up a legit Netinstall server
  • Packet capture a valid Netinstall/Etherboot session
  • Extract the binary served by Netinstall from the pcap
  • Then serve it up from dnsmasq