Better get a arm processor based model for more function like container for ad-block or something else. (And more cpu power for more stability when using higher speed plan and function at the same time)

hap ax2

what is your budget range? 

if like that better just get hap ax3, with those antenna it can help you with your wifi range and coverage 

Welcome to the club.
You can upgrade the RouterOS whenever you want. But keep in mind that they only enable fasttrack by default in like version 7.18.
So just download the npk file from Mikrotik and drop it into the router. Then reboot it to make sure it is upgraded.

Go to System > RouterBoard.
Click Upgrade to upgrade the firmware.

Reboot again. Make sure RouterOS and firmware are both equal in version.
Hard reset the router and start your setup.

Passive PoE is a non-standard way for Mikrotik switch to provide power to their WiFi product. You cannot actually disable it as it is hardwired inside. Just use the port as is.

For TM's MTU problem, you need to use at least version 7.20 beta. You can jump straight to the beta version if you want. I am on this version from beta2 till beta7 now and it has been good for basic usage.

Mikrotik user has also been living with lousy IPv6 performance until recently.

You join the club at the right time when all these long known annoyance is finally ironed out.

This is Mikrotik specific.
In every router, there is a packet flow graph, which dictates what happens to the packet at each stage of a routing decision.

As part of optimization, many router manufacturer will have their own method to shortcut this process. Cisco Express Forwarding, Mikrotik FastTrack, VyOS Flowtable Offload...

In Mikrotik, this shortcut didn't exist in IPv6 until recently.
Now that it exist, there are still a lot of limitation, edge cases and gotcha when using it.

Common ones:
If you use Queue, packet won't get fasttrack.
If you use IPSec, it will chew packet aka they randomly go missing.

With L3HW Offload, you cannot use it with PPPoE. But your router don't support L3HW so this won't affect you.

Mikrotik FastPath is a totally different thing. It is just a name that says packet skip connection tracking and firewall. There is no way you can operate in this mode unless you treat it like a core router.
But then as a core router, they also have problem FastPath MPLS or VPLS, so it is still kind of the same unless your core router is really barebone.

Just enable UPnP. They have a dedicated page for this setting. Make sure you correctly annotate your Inside / Outside interface or you might open yourself to UPnP attack from the Internet.

Some people absolutely want QoS because it is the only way to get A+ in bufferbloat test. What is you current Internet speed? You might be able to make it if you predominantly do big packet.
But then again no gamer will leave their torrent running while they game, so this render the whole bufferbloat test moot as it only matter when your pipe is saturated.

The rated MTBF is 100,000 hours at 25C. Honestly it is very low in enterprise gear space where 300,000+ hours at 40C is normal for hardware with fans; 500,000 - 700,000+ hours at 40C for model without fan.

Let say you never aircond your place and MTBF is down to 50,000 hours. That still gives you 5+ years so it is not too bad.

I don't know if Mikrotik has a standard way to do this but at least on tiny router the "Internet" port is not part of the bridge in the default setting. You then just create VLAN 500 and that's it.
If you have IPTV then you need to bridge them together with a port.

DO NOT enable vlan filtering without a backup. On unsupported switch chip it will stop traffic and you officially lock yourself out.
Tips: Use Safe Mode when enabling it. If you lock yourself out, just reboot and all changes you made in Safe Mode will be reverted.
Once done, disable Safe Mode and you changes will be permanent.

YOU MUST STILL BACKUP.

500Mbps is slow enough for QoS to work properly for your router. Using pcq instead of cake or fq-codel should give you more headroom as it is less CPU intensive. Test it to find out.

Assuming you start with the default config and the "Internet" port is not part of the bridge.
Go to Interface > VLAN
Add VLAN:
MTU: Set to max
VLAN ID: 500
Interface: <name of Internet port>

That's it. VLAN is done.

Go to PPP.
Add PPPoE client.
MRU: 1500
MTU: 1500
Interface: <name of VLAN you just created>
Fill in username and password.

You should have internet by now but no IPv6..

Maybe check the PON stick thread for IPv6 setup. I posted one there recently.

IP > UPnP > interface
Set your PPPoE name to external. "bridge" to internal. Then enable.

I think that's it. Left QoS.

It still works because VLAN 600 just get dropped without affecting VLAN500. There's other VLAN like 400 and 209 on TM network as well.

For NAT-PMP, the step is same as UPnP, just annotate the interface.

I need to test the QoS before I post it since I don't use it. But should be very straightforward as well.

blackbox14
After you add the PPPoE client, remember:
Go to Interface > Interface List tab
Add your pppoe interface to WAN


This will simplify a lot of things, including NAT configuration.

QoS setup:
Go to Queues > Queue Types tab
Add:
Type Name: <anything you like>
Kind: cake -or- fq-codel

Go to Queue Tree tab
Add:
Name: Download-500M
Parent: bridge
Packet Marks: no-mark
Queue Type: <the name you chose above>
Max Limit: 500M

Add:
Name: Upload-200M
Parent: <pppoe interface>
Packet Marks: no-mark
Queue Type: <the name you chose above>
Max Limit: 200M

That's all.

Now you need to compare your bufferbloat with both rules enabled and disabled.
If the latency is poorer with the rules enabled, it means your CPU is not powerful enough. To verify if it is CPU problem, lower the download speed to something like 100M and upload speed to 50M.

I tried pcq but the result is not as good as fq-codel and cake.
Keep in mind RouterOS doesn't use DPDK or any form of ASIC for QoS hence performance seriously sucks donkey ball.

You must also remember QoS works by forcing packet to buffer so they can be selectively discarded. The more headroom you reserve (hence lower throughput) the better they perform.
You cannot try to tune for max throughput while still having low queuing delay. By doing that, you actually lower the chance that it will perform accordingly.

Example with arbitrary value:
By adhering to 500M max limit, the chance of it working according to spec might be 90%.
However if you increase it to 550M just to get more throughput, the chance of it working according to spec might drop to 50%.

Assuming you start with the default config and the "Internet" port is not part of the bridge.
Go to Interface > VLAN
Add VLAN:
MTU: Set to max
VLAN ID: 500
Interface: <name of Internet port>

That's it. VLAN is done.

Go to PPP.
Add PPPoE client.
MRU: 1500
MTU: 1500
Interface: <name of VLAN you just created>
Fill in username and password.

You should have internet by now but no IPv6..

Maybe check the PON stick thread for IPv6 setup. I posted one there recently.

IP > UPnP > interface
Set your PPPoE name to external. "bridge" to internal. Then enable.

I think that's it. Left QoS.

You can just delete the DHCP Client on the "Internet" port

In reality as long as the fasttrack is above the "accept forward" rule it will work.
I just tell people to move it to the top as it's the easiest to understand and won't miss when checking.

I did move mine to the top to make it stand out from all the rules. One less precedency to worry about when diagnosting ACL.

Now that I explained this, it's entirely up to you.

Go to IPv6 > ND.
Add new.
Interface: bridge1
MTU: 1480
DNS Server: 2001:4860:4860::8888

Delete the ND. There should never be an ND for "all" interface. It is a security mess. ND must only be used strictly on trusted segment of the network.
It basically means if suddenly TM or your neighbor were to listen on your eth1.500, they will get an IPv6 from your router, connect to it and use the main routing table to walk around your network. Imagine that.