For those looking for hap ac2, you can get it from sublime for 299. I had mine for a couple weeks now (bought from oversea) for use at hometown. The 5GHz performance kinda low probably due to interference, not sure the root cause though (there were couple of dual band routers and other devices next to it). It had 233MB RAM, more than the advertised spec of hap ac2.

edit: I just checked mikrotik forum and plenty of ppl complaining about the hap ac2 wifi performance issue. I only use it with Digi LTE which had shitty speed at my hometown. And I thought interference & LTE congestion the cause for the shittier speed. Well, avoid hap ac2 for now.

This post has been edited by jio: Apr 12 2018, 01:24 AM

My hap ac2 is running on 6.43rc5 since last week but yet to retest the speed. Some user still experience poor performance on 2.4GHz band according to mikrotik forum postings.


You can block the manual IP assignment by setting the interface ARP option to reply-only and also enable Add ARP for Leases in DHCP server option. It won't prevent the device from accessing other IP on the same subnet though.

1. I've tested before RB951G-2HnD could achieve total routing throughput of 880mbit (upload + download concurrently) with fasttrack+PPPoE (no PPPoE encryption), so those with similar MIPSBE but faster clock can do slightly better. So it will be good for 300Mbit symmetric line, but 500Mbit symmetric line will be pushing it during heavy load & especially if you queues/filters use a lot of CPU resources.

Still I will recommend getting a router with hardware IPsec acceleration if your line UL is 100Mbit or more. If I need to dl something via torrent with my digi infinite 150 or if a some site somehow too slow, I'll just vpn to my family/friend TIME/Unifi lines


2. I've tested before Hex RB750Gr3 total routing throughput can achieve of around 1600mbit (upload + download concurrently) with fasttrack+PPPoE (no PPPoE encryption), but it really fluctuate a lot with the CPU load. So don't bother using it for 800Mbit symmetric. You can consider it for 800Mbit asymmetric with 100/200Mbit UL if your queues/filters is not too taxing on the CPU.

3. I never test hAP ac2 PPPoE routing throughput, but the 2 additional core should help. This is currently my recommended budget Mikrotik router for home user due to the hw crypto engine & ac wifi (coupled with the ISP provided ac router as additional access point) is good for 500Mbit symmetric line. But routeros support for the chipset (also used in cAP ac) in the beginning is really shitty with issues such as wifi performance issues.

4. It will be hard to fully utilise the CCR processing power without SFP+, so don't cheapoff on models without it if you plan to get one.

5. Don't waste your time with SFP GPON ONU unless you have enterprise internet subscription. SFP GPON ONU modules (that I aware of) are meant to be configured with configuration pushed from the OLT. You can't change the serial number from your side unlike the standalone GPON ONU provided by your ISP. You will need your ISP to do the provisioning on the OLT side in order for the SFP GPON ONU module to be used. I had 1 such SFP GPON ONU module laying around collecting dust. Your ISP won't entertain you if you're just a home or basic 'business' line subscriber.

If you're getting CCR1036 then of course only the 2 SFP+ models should be considered (unless if you need more SFP but not SFP+).For CCR1009, even if you don't have 10Gb clients, it will be much better than relying on link aggregation. You will waste so much ports with 4 port link aggregation, not to mention potential bottleneck.

This post has been edited by jio: Jul 16 2018, 06:23 AM

I was referring to using the ccr for internal network routing/firewall. Forget what I said then since you only intend to use it for internet routing.

edit: my reply was only about the SFP+

This post has been edited by jio: Jul 17 2018, 11:44 AM

If you haven't update the firmware, please do so asap. The initial firmware has severe wifi performance issue.

If you are on 6.42.7, then could be setting or compatibility issue. If you using 6.40.9, I don't think it had the wifi throughput fix.

If the CPU load is that low, that probably means something else is the bottleneck. What device you use to test over the LAN & is it connected directly to the hEX? My friend's old X79 PC struggle to even hit 350mbps with the spectre microcode update & antivirus enabled. Make sure you are connected to the correct LAN port (go check the block diagram) as well, though it shouldn't be that low.

If you config the rules from scratch & not sure if you did it correctly, I suggest you temporarily use 1 of your mikrotik device as the guinea pig as a reference.

You cannot simply use that figure. It is simply useless as it doesn't include the PPPoE overhead. For broadband 500mbps & above*, it is hard to recommend RB750Gr3 over hAP ac2 that just cost a little more. Yes, you can get over 1600mbps on PPPoE with fasttrack, but the moment you tax the cpu with VPN etc, the throughput will tank. So I hope nobody will assume RB750Gr3 can handle that 1G PPPoE routing while making use of VPN/Queue at the same time. I only recommend RB750Gr3 for broadband 300mbps symmetric & below, unless you're ok with using it for routing and some some firewall rules. hAP ac2 is much better performance than RB750Gr3. Above that will be the new RB4011 (probably just under 1K for RM version). I never recommended RB3011 as it was poorly supported with missing hw ipsec support (they finally added it recently) and other issues.

Alternatively you can use the cloud functionality to update the time, which I recommend for home user that don't know how to manage their mikrotik device.



The wifi performance is fixed & had acceptable performance although it is abit lower than a similar dual stream ac wifi. Still it is the best value mikrotik router imo currently. Better performance than RB750Gr3 as well. hAP ac2 plus the ac1200 router provided by your ISP will provide a very good bang for the buck with good enough wifi performance & coverage for most people with 500mbps broadband.

I recommend those with less experience planning to setup multiple APs with mikrotik to watch this video to avoid the common mistakes.

You will need to enable fasttrack in order to achive higher speed on your RB750Gr3. If you need to use your queues and other fancy filters, then you can't use it. If you need your queues & filters, then you didn't make sufficient research before choosing this router. Although I do know hap ac2 without fasttrack will do fine with 500mbps symmetric, I'm not sure with 800/200 unifi. I've seen test result from a ukraine site that shows single connection on hap ac2 with pppoe will only yield 500mbps and will require additional connections to reach the max throughput. This results is without the use of queue though.

My advise if you don't know what you're doing, factory reset & use the default firewall rules as the starting point and recreate the other rules that u need. I doubt anyone willing to help you fixing the messed up firewall rules & configurations that were made following outdated guides.

How old the cpu in the computer you using? Older gen cpus are affected badly by the spectre cpu microcode update. I've seen x79 system having problem getting even 400mbps throughput with antivirus enabled. It is even worse if the gbe adapter is on USB. Check the cpu load of the router and your computer when you fully load the internet connection. If 1 of your computer cpu core fully loaded then it is likely due to the spectre bugfix. If it is the router cpu being heavy loaded, then it should be your configuration issue causing the FastTrack rules not working or it could be some functionality that has been enabled and interfere with it. Check the FastTrack counters. And also don't use ipv6 if you need performance improvement of fastpath/FastTrack, which I'm not sure if it still the case as I don't keep track of their new development.

If you have under-powered hardware with faster internet speed the router can handle without relying on fasttrack (and don't want to upgrade), then I suggest you only use queues to limit subset of the traffic that you want to control (e.g. kids or guest network). It is up to you how/when to decide when a connection should be fasttracked. Once it is fasttracked, it will bypass any subsequent queue & firewall rules processing for that particular connection. For example, you may want to examine tls-host SNI name before deciding to fasttrack the connection or not. Using IP range is a bad approach. Modify the fasttrack rule to match/exclude connection mark etc. instead. You most likely already using connection/packet marking for firewall rules anyway.

If you're sharing the internet subscription cost with your neighbour, I strongly suggest you to upgrade the router to something better (hap ac2 or RB4011, RB750Gr3 not recommended you need its lower power consumption or it is to be placed hidden in a distribution box commonly found in the newer apartment/condo).