Cluster of errors: does this point to HW failure?

Device: LHGG LTE6 kit (1st edition), up and stable since July 2021… until now.
ROS 7.19.1 (also downgraded to 7.18.2)
Modem firmware 038.

Symptoms:

  • ROS 7.19.1 device went offline. When I arrived at location, it was up but LTE was down. Tried to disable LTE interface, got error: “could not set MTU”. It was impossible to disable LTE. After rebooting, device stayed up 3-4 hrs then the same error repeated. When the error hadn’t occurred yet, it was possible to disable / enable LTE interface from Winbox. With error present, got the same error and no change in interface state.

  • after ROS 7.18.2 downgrade: thought that the issue was 7.19-related, the device stayed online and then suddenly admin password was reset to (admin/[empty]). Internet worked still. Next reboot: device appeared with IP 0.0.0.0 in Winbox. Tried to restore from downloaded backups: no go. After reboot everything was the same, restore did not succeed (tried with different backup files).

This cluster of errors makes me wonder whether this can be a HW/internal storage related issue. Will probably need to get a new LHGG LTE6 2024 edition, I am prepared for that.

Did you try a clean netinstall as part of your process… (and ensure different username and passwords etc…)
Also post config in case there are obvious issues
/export file=anynameyouwish ( minus device serial number, any public WANIP information, keys )

LHGG LTE6 kit is a device with 16MB storage … and thus prone to starvation and random problems. The likelihood of it happening increases with rising version number as ROS gets some belly fat with each release.

I don’t have the required hardware for netinstall, sadly. I had Firewall off on my Macbook pro and device connected directly to TB4 dock’s ethernet port. Netinstall running under WINE and IP setting + Netinstall server configured according to instructions. LHGG starts to search for netinstall and after some time boots up with regular lan ip. Darn.

# 2025-06-01 14:44:51 by RouterOS 7.19.1
# software id = 8ZAY-W17U
#
# model = RBLHGGR
# serial number = XXX
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=Ce name=2.4
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ceee name=\
    5
/interface bridge
add name=bridge port-cost-mode=short
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" network-mode=lte
/interface wireguard
add listen-port=8088 mtu=1420 name=WGClientWLehtpuu
/caps-man datapath
add bridge=bridge name=datapath1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=defsec
/caps-man configuration
add channel=2.4 country=estonia datapath=datapath1 distance=indoors \
    installation=indoor mode=ap name=2.4 security=defsec ssid=SAVI2
add channel=5 country=estonia datapath=datapath1 distance=indoors \
    installation=indoor mode=ap name=5 security=defsec ssid=SAVI5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=yksteist ranges=10.1.11.100-10.1.11.200
/ip dhcp-server
add address-pool=yksteist interface=bridge lease-time=10m name=DHCP_SAVI
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
set *0 use-ipv6=no
set *FFFFFFFE change-tcp-mss=no use-compression=yes use-mpls=yes use-upnp=no
/interface l2tp-client
add add-default-route=yes connect-to=xxx.xxx.xx name=lpuu profile=\
    default use-ipsec=yes user=music
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    2.4 name-format=prefix-identity name-prefix=2.4
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    5 name-format=prefix-identity name-prefix=5
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=XX:XX:XX:XX:XX:XX name=ovpn-server1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 default-profile=default
/interface wireguard peers
add allowed-address=10.1.10.0/24,10.1.1.0/24,10.10.10.0/24 endpoint-address=\
    xxx.xxx.xx endpoint-port=8088 interface=WGClientWLehtpuu name=\
    peer1 persistent-keepalive=10s public-key=\
    "XXX"
/ip address
add address=10.1.11.1/24 interface=bridge network=10.1.11.0
add address=10.1.10.2/24 interface=WGClientWLehtpuu network=10.1.10.0
/ip dhcp-server lease
add address=10.1.11.101 client-id=XX:XX:XX:XX:XX:XX comment="dahhujjaa c35" \
    mac-address=XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.100 client-id=XX:XX:XX:XX:XX:XX comment="aqara g2h" \
    mac-address=XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.111 client-id=XX:XX:XX:XX:XX:XX comment=\
    "Dahhujjaa videosalvesti" mac-address=XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.102 comment="ADAX heater 1400W" mac-address=\
    XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.2 client-id=XX:XX:XX:XX:XX:XX comment=HapAC3 \
    mac-address=XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.22 client-id=XX:XX:XX:XX:XX:XX comment=750GL \
    mac-address=XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.16 client-id=XX:XX:XX:XX:XX:XX comment=Zenon mac-address=\
    XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.12 client-id=XX:XX:XX:XX:XX:XX comment=CalDigit \
    mac-address=XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.108 client-id=XX:XX:XX:XX:XX:XX:4a:2b comment=pump \
    mac-address=XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.10 client-id=XX:XX:XX:XX:XX:XX comment="HASS PI" \
    mac-address=XX:XX:XX:XX:XX:XX server=DHCP_SAVI
add address=10.1.11.3 client-id=XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=DHCP_SAVI
/ip dhcp-server network
add address=10.1.11.0/24 comment=defconf dns-server=10.1.11.1 gateway=\
    10.1.11.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input in-interface=bridge
add action=accept chain=input in-interface=WGClientWLehtpuu
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=accept chain=forward in-interface=bridge
add action=accept chain=forward in-interface=WGClientWLehtpuu
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:65 out-interface=lte1 \
    passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add disabled=yes name=night
/ip route
add disabled=no dst-address=10.1.1.0/24 gateway=WGClientWLehtpuu \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.10.10.0/24 gateway=WGClientWLehtpuu \
    routing-table=main suppress-hw-offload=no
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set trap-generators=temp-exception,temp-exception
/system clock
set time-zone-name=Europe/Tallinn
/system identity
set name=LHGGsavi
/system leds
# using RSRP, modem-signal-threshold ignored
set 0 type=modem-signal
/system leds settings
set all-leds-off=after-1min
/system logging
set 3 action=disk
add topics=lte,!raw
add topics=critical
add action=disk topics=error
add action=disk topics=lte,!raw
add action=disk topics=warning
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.40.133.134
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system scheduler
add interval=5m13s name=LTEwatch on-event=":global ipPing (\"8.8.\
    4.4\")\
    \n:global testpingip\
    \n:set testpingip [/ping \$ipPing interval=1 count=10]\
    \n:if (\$testpingip = 0) do={\
    \n:log info (\"lost\")\
    \n:log warning \"Disabling the interface\";\
    \n/interface lte disable lte1\
    \ndelay 7s;\
    \n:log warning \"Interface enabled again\";\
    \n/interface lte enable lte1} else={\
    \n:log warning \"ALL is OK Nothing to do\"\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-05-05 start-time=22:06:32
add interval=11m11s name=WGWatch on-event=":foreach i in=[/interface/wireguard\
    /peers/find where disabled=no endpoint-address~\"[a-z]\\\$\"] do={\r\
    \n  :local LastHandshake [/interface/wireguard/peers/get \$i last-handshak\
    e]\r\
    \n  :if (([:tostr \$LastHandshake] = \"\") or (\$LastHandshake > [:totime \
    \"5m\"])) do={\r\
    \n    /interface/wireguard/peers/set \$i endpoint-address=[/interface/wire\
    guard/peers/get \$i endpoint-address]\r\
    \n  }\r\
    \n}\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-05-23 start-time=14:54:31
/tool e-mail
set from="" server=127.0.0.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Anyway, thanks for reminding me about this. I managed to find a Windows laptop with ethernet port and ran Netinstall with ROS 7.19.1.
Testing now if LHGG will stay up.
As before the Netinstall, the storage says 14.8 of 16.06 MiB used, 7% free. No change there.

Just to clarify: this LHGG is behind ISP’s firewall and has no public IP address, therefore it needs to initiate WireGuard connection to a RB1100 in another location that has public IP. This has worked like a charm, I can access both LANs from either LAN and also from another WireGuard connection when I am on the road.

It looks like Netinstall solved the issue.
Thanks for the lesson!
For future-proofing I will try to prepare a virtual Linux on my Mac that can see RouterOS devices that try to access Netinstall server via UDP port 67 (if I have understood this correctly).

Also do monitor disk usage on those 16MB flash devices. If free space drops below 100kB (or something like that, depends on complexity of configuration), then there’s danger of getting device into a no-change state (because running config can no longer be written to flash before the old one gets erased), which can cause all kinds of problems.
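
As an added example (not part of the original posts), a RouterOS script body for the free-space check described above, meant to run as the on-event of a /system scheduler entry like the LTEwatch one in the export. The 100 kB threshold is the figure from the post; the variable name flashLow is hypothetical.

```routeros
# Added example, not from the thread: warn when flash free space gets low.
# flashLow is a hypothetical global used to log only on state changes,
# so a starved device is not flooded with one message per run.
:global flashLow
:if ([:typeof $flashLow] = "nothing") do={ :set flashLow false }

# Threshold in bytes (100 kB, the figure given in the post; tune per config size)
:local minFree 102400

# Both values are reported in bytes by /system resource
:local free [/system resource get free-hdd-space]
:local total [/system resource get total-hdd-space]

:if ($free < $minFree) do={
    :if ($flashLow = false) do={
        :log error ("flash low: " . $free . " of " . $total . " bytes free, config changes may not be saved")
        :set flashLow true
    }
} else={
    :if ($flashLow = true) do={
        :log warning ("flash recovered: " . $free . " bytes free")
        :set flashLow false
    }
}
```

The export above sends the error and warning topics to action=disk, so on that configuration these messages would also be written to the same flash.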