Chateau LTE6 Wireguard tunnel unstable

Hi,
I’ve recently got a Chateau LTE6 for testing before sending it out to site and I’m experiencing wireguard issues.
So most of our devices are being monitored through Zabbix, and part of that is pinging the host.
DDNS is set up so that the Tik is being pinged regularly on its public IP; great, no issues there.

Then I also have a WireGuard tunnel with a local IP, and that tunnel doesn’t show me it’s dropping or anything, but I lose random packets

while the public IP is steady

I'm on 7.20.4 stable now, tried previous version 7.19.x
I left all settings default and only added the tunnel, same issue.

What would cause this? Any ideas or you reckon I have to contact mikrotik support?

Appreciate any ideas

Please export your configuration and post it here.

https://forum.mikrotik.com/t/forum-rules/173010/5

First thing which comes to mind:
config should show you have a keep-alive setting on the side of that Chateau so it can keep the tunnel "alive".

It's also not really recommended to base your "down" statement on 1 failed ping.
See if there are multiple failures within 10/30/60 seconds or so. If so, then it's really down.
If not, there might have been a "false" down.
Don't know how to do that with zabbix...

# 2025-11-25 15:41:10 by RouterOS 7.20.4
# software id = REDACTED
#
# model = S53UG+5HaxD2HaxD&FG621-EA
# serial number = REDACTED
# Bridge, radio, LTE and WireGuard interface definitions, followed by queue,
# SNMP-community, logging and disk-sharing settings.
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge
/interface wifi
# Both radios are access points offering WPA2-PSK and WPA3-PSK with fast
# transition (.ft / .ft-over-ds) enabled. No passphrase appears in this export.
# NOTE(review): the SSID looks like a factory-style name - confirm it is meant
# to stay that way before the unit goes to site.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-61809F \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-61809F \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/interface lte
# Roaming is off and no band lock is set (band is empty).
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireguard
# Local tunnel interface listening on UDP 44972 with MTU 1440.
# NOTE(review): WireGuard adds 60 bytes over IPv4, so 1440 only fits when the
# LTE path carries full 1500-byte packets - verify the LTE MTU when chasing loss.
add listen-port=44972 mtu=1440 name=wireguard_tunnel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
set ether2 queue=fq-codel-ethernet-default
set ether3 queue=fq-codel-ethernet-default
set ether4 queue=fq-codel-ethernet-default
set ether5 queue=fq-codel-ethernet-default
/snmp community
# Limits the default SNMP community to the listed source addresses.
# NOTE(review): nothing here renames the default community or sets SNMPv3
# security; if it is still the stock v1/v2c community, this address filter is
# the only access control - confirm.
set [ find default=yes ] addresses=REDACTED
/system logging action
# Defines a remote logging target. No /system logging rule that uses this
# action appears in the posted export - confirm logs are actually forwarded.
add name=REDACTED target=remote
/disk settings
# Attached storage is shared automatically (media and SMB) on the bridge.
# NOTE(review): switch both off if the site router has no need for file sharing.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# Bridge membership, interface lists, the WireGuard peer, addressing and DNS.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is disabled on this router.
set allow-fast-path=no disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
# The tunnel is a member of LAN, so the firewall's "in-interface-list=!LAN"
# drop rules never match traffic arriving through it, and neighbor discovery
# and the MAC-server lists (both set to LAN) include it as well.
# NOTE(review): a dedicated list with explicit accept rules would keep the
# remote side from being trusted exactly like the local bridge.
add interface=wireguard_tunnel list=LAN
/interface wireguard peers
# Single peer with a fixed endpoint, a preshared key and a 30s keepalive.
# allowed-address=0.0.0.0/0 accepts any inner source address from this peer;
# the only route pointing into the tunnel in this export is 10.0.0.0/8.
# The input chain has no accept rule for UDP 44972, so only sessions this
# router initiates are let back in (via established) - presumably intended
# for an LTE client; confirm.
add allowed-address=0.0.0.0/0 endpoint-address=REDACTED endpoint-port=\
    13232 interface=wireguard_tunnel name=tik \
    persistent-keepalive=30s preshared-key=\
    "REDACTED" public-key=\
    "REDACTED"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# NOTE(review): a public address bound to the LAN bridge is unusual - confirm
# it is intentional.
add address=REDACTED_PUBLIC_IP interface=bridge network=REDACTED
add address=10.200.3.3/24 interface=wireguard_tunnel network=\
    10.200.3.0
add address=10.222.222.103 interface=lo network=10.222.222.103
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# The router answers DNS queries from clients. Only the input firewall keeps
# WAN sources away from the resolver; the tunnel (in LAN) and the trusted
# address lists can reach it.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# IPv4 firewall: address lists, input/forward filter rules, NAT and the
# static route into the tunnel.
/ip firewall address-list
# Of the lists below, only Trusted-IPs and Trusted-IPs_LAN are referenced by a
# filter rule in this export; private_ip_range, multicast.addresses,
# TechHomeAccess and BIX-Range are defined but unused here.
add address=10.0.0.0/8 comment="Private A" list=private_ip_range
add address=172.16.0.0/12 comment="Private B" list=private_ip_range
add address=192.168.0.0/16 comment="Private C" list=private_ip_range
add address=224.0.0.1 comment="All hosts" list=multicast.addresses
add address=224.0.0.2 comment="All routers" list=multicast.addresses
add address=224.0.0.5 comment="OSPF routers" list=multicast.addresses
add address=224.0.0.6 comment="OSPF DR/BDR" list=multicast.addresses
add address=224.0.0.18 comment=VRRP list=multicast.addresses
add address=REDACTED comment="Technician Public Network" list=\
    Trusted-IPs
add address=10.0.10.0/24 comment="Technician Internal Network" list=\
    Trusted-IPs_LAN
add address=REDACTED comment="Tech 1" list=TechHomeAccess
add address=REDACTED comment="Tech 2" list=\
    TechHomeAccess
add address=REDACTED comment="Tech 3" list=TechHomeAccess
add address=REDACTED_PUBLIC_RANGE comment="BIX Public" list=BIX-Range
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP to the router is accepted from any source, including WAN.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# The two "Allow Trusted" rules accept every protocol and port toward the
# router from the listed sources, on any interface.
# NOTE(review): limiting them to the management ports actually used would
# shrink what a trusted-but-compromised host can reach.
add action=accept chain=input comment="Allow Trusted" src-address-list=\
    Trusted-IPs
add action=accept chain=input comment="Allow Trusted_LAN" src-address-list=\
    Trusted-IPs_LAN
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input drop. wireguard_tunnel is a LAN member in this export, so
# traffic entering through the tunnel is not covered by this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only new, non-DSTNATed connections from WAN are dropped in forward; nothing
# restricts forwarding between the tunnel and the bridge.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
# All of 10.0.0.0/8 is routed to the tunnel gateway 10.200.3.1.
# NOTE(review): check-gateway=ping takes the route out of service while the
# gateway fails its probes - worth correlating with the reported loss.
add check-gateway=ping disabled=no dst-address=10.0.0.0/8 gateway=10.200.3.1 \
    routing-table=main suppress-hw-offload=no
# Management services: ftp, ssh, telnet, www and api-ssl are switched off; the
# plaintext API stays on, limited to sources in 10.0.0.0/8.
# NOTE(review): winbox is not listed, so it is presumably at its default
# (enabled, no address restriction) - confirm and restrict it the same way.
# NOTE(review): api has no TLS of its own; a narrower prefix than 10.0.0.0/8,
# or api-ssl instead, would reduce exposure if only tunnel hosts need it.
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api address=10.0.0.0/8
set api-ssl disabled=yes
# IPv6 firewall; every rule carries a defconf comment. /ipv6 settings in this
# export has disable-ipv6=yes, so these rules presumably see no traffic at
# present - they matter again if IPv6 is ever enabled.
# As in the IPv4 chains, the closing "!LAN" drops do not cover
# wireguard_tunnel, because that interface is a LAN member in this export.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# SNMP agent, clock/NTP, front-panel buttons with their scripts, and the
# MAC-layer management services.
/snmp
# SNMP is enabled and traps go to the monitoring servers.
# NOTE(review): no SNMP version or v3 security is visible in this export; if
# polling uses v1/v2c, keep it inside the tunnel - confirm.
set enabled=yes trap-target=REDACTED_ZABBIX_SERVERS
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Perth
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/system routerboard mode-button
# The mode button runs the dark-mode script, which toggles the LEDs.
set enabled=yes on-event=dark-mode
/system routerboard wps-button
# The WPS button runs wps-accept, which triggers WPS push-button on every
# enabled AP-mode wifi interface.
# NOTE(review): on a unit deployed where the case is physically reachable,
# consider disabling this button so a press cannot open WPS enrolment.
set enabled=yes on-event=wps-accept
/system script
# Both scripts are owned by *sys, marked defconf, and carry a broad policy set.
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
# MAC-server and MAC-Winbox are limited to the LAN list, which in this export
# contains the bridge and wireguard_tunnel.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

thanks for the insight, my main concern is the continuous dropping of random packets. Other routers we have which are connected to Teltonika RUT955 for example don’t have any drops, only the new chateau lte6 keeps dropping random packets. Something feels off, I don’t know if it’s hardware or software related.

I’ve even taken the LTE6 home, to check if it’s not the local telecom tower doing something. Same outcome, random drops of packets, which might not be a massive issue, but I don’t like it.

EDIT:
Also I agree it’s not really down, but I don’t like the permanent loss, I would say it’s unstable.
If you check the first image I added, that’s not ping directly that’s icmp loss.