Good evening,

I need to buy a Mikrotik Firewall in a company with 5 PCs and 1 Server, which can connect via IPSec VPN to another Mikrotik RB951g-2hnd and necessarily have Wireless.
Any suggestion on the routerboard with the best price-performance ratio?

Thanks to everyone in advance

uplink bandwidth? or throughput needed?

I do not have any particular requirements.

There will be low traffic sent between the two routers.

RB750Gr3 (hEX r3) is the best price/performance small router.
It has 5 ports so you need a switch, probably already there.
When you need wireless at this location too (not clear to me) get another RB951g-2hnd or the newer hAP ac.

RB750Gr3 (hEX r3) is the best price/performance small router.
It has 5 ports so you need a switch, probably already there.
When you need wireless at this location too (not clear to me) get another RB951g-2hnd or the newer hAP ac.

I would suggest a hAP AC^2 here rather than hEX Gr3 even if wireless is not necessary, can you share your reasons to prefer the latter (I don't seek a fight, I'm just curious)?

Ok it is a new type, I don't have experience with that one yet.

I need wireless in the office with the new routerboard.

The hAP AC^2 is more or less powerfull than the RB951g-2hnd?

I want to install a more powerfull router.

The RB2011UiAS-2HnD-IN is a good solution or maybe to much powerfull?

The RB2011 is an old type, the RB750Gr3 is much more powerful and the hAP ac^2 probably as well.
The newer types like RB750Gr3 and hAP ac^2 have hardware for IPsec which the RB2011 and RB951 do not have.

The newer types like RB750Gr3 and hAP ac^2 have hardware for IPsec which the RB2011 and RB951 do not have.

Where "hardware for IPsec" means hardware support for encryption. As a rough example, encrypting and decrypting some 3 Mbit/s per direction of relatively small UDP packets (about 250 bytes, and smaller packet mean more work to do) makes hAP AC lite reach its limits (networking 50% CPU without any NAT and/or firewall rules, encryption 20% CPU), while the hAP AC^2 on the opposite end of that connection is bored (networking and encryption something like up to 1 % total CPU each).

Thank you.

There is a possibility to need the wireless in a different zone where the router will be installed.
If I want to split the router with the wireless funcionality (ethernet router + AP) what are the best models to choose?

There is a possibility to need the wireless in a different zone where the router will be installed.
If I want to split the router with the wireless funcionality (ethernet router + AP) what are the best models to choose?

Currently (March 2018) people on this forum complain about the wireless throughput of hAP ac², but I assume it is a temporary issue associated to the use of a new wireless hardware in that model. So depending on how quickly you have to decide, I would go for hAP ac² for the edge router and VPN part already now, and choose betwen hAP ac lite and cAP ac for the wireless AP depending on how the complaints on throughput get resolved with the hAP ac² which uses the same CPU chip with integrated wireless as cAP ac. So if the AP must go live "yesterday" and you're fine with up to 400 Mbit/s summary throughput of the AP, I'd go for the hAP ac lite (which only has 100 Mbit/s Ethernet ports); if you can test the wireless capability of the hAP ac² as new sofware versions come during next couple of weeks and months, I would wait for a version resolving the throughput issues and use the cAP ac as the AP (or another hAP ac² to be able to run all tasks on one of the boxes if a dog eats the other one).

Thank you sindy.

Why not choose one of the ethernet routers in https://mikrotik.com/products/group/ethernet-routers plus the AP (like the hAP AC Lite)?

There is a possibility to need the wireless in a different zone where the router will be installed.
If I want to split the router with the wireless funcionality (ethernet router + AP) what are the best models to choose?

Currently (March 2018) people on this forum complain about the wireless throughput of hAP ac², but I assume it is a temporary issue associated to the use of a new wireless hardware in that model. So depending on how quickly you have to decide, I would go for hAP ac² for the edge router and VPN part already now, and choose betwen hAP ac lite and cAP ac for the wireless AP depending on how the complaints on throughput get resolved with the hAP ac² which uses the same CPU chip with integrated wireless as cAP ac. So if the AP must go live "yesterday" and you're fine with up to 400 Mbit/s summary throughput of the AP, I'd go for the hAP ac lite (which only has 100 Mbit/s Ethernet ports); if you can test the wireless capability of the hAP ac² as new sofware versions come during next couple of weeks and months, I would wait for a version resolving the throughput issues and use the cAP ac as the AP (or another hAP ac² to be able to run all tasks on one of the boxes if a dog eats the other one).

I have been testing the hAP ac2 [firmware 6.42rc52] and can confirm that wired performance is excellent while wireless 2 stream performance needs significant improvement. My tests show that on 2 stream wireless 2.4G throughput is maximum 70 Mbps Down while for 5G the max is 170 Mbps .... via wired for IPsec on a synchronous link I can easily get 400 Mbps D/U .... I have not tested IPsec under wireless just yet .. another observation is the hAP ac2 runs very warm after 2 hours of use under my tests condition in my lab.

Why not choose one of the ethernet routers in https://mikrotik.com/products/group/ethernet-routers plus the AP (like the hAP AC Lite)?

You've said in the title you wanted a VPN, haven't you? Software encryption requires a lot of CPU power, look at the encryption throughput of different models (in fact, it is so bad for software encrypton that it even not published in the data sheets of the models without hardware encryption). Also bear in mind that the CPU power you don't waste for encryption remains available for routing etc.

Out of the plastic boxes, only hEX (Gr3, I hope no older revisions are delivered any more) and hAP ac² have CPUs with hardware-supported encryption, and it has a tremendous impact on the overall throughput. The number of ports is the same for both, none has PoE-out (grrr). As compared to the hEX, hAP ac² has slightly better encryption throughput at AES-256, it has a quad-core CPU while hEX has a dual-core one. It has the wireless part for $10 add-on to the list price, and it does not have a micro-SD slot as compared to hEX.

Anything else with hardware encryption is much more expensive, excluded the cAP ac which, for the same list price as hAP ac², has the same CPU/wireless chip but only two Ethernet ports.

So yes, you can also take a cAP ac, hang it to the ceiling where wireless coverage is needed, and bring to it one uplink cable and bring back one cable to a dumb switch in the location where you need to connect the PCs and the server which you'll have there anyway (5 PCs and a server need 6 ports while both hAP ac² and hEX have only 4 ports left once you connect the uplink). The overall cost depends how much a meter of cable including installation costs in your part of the world.

The idea to use a cAP ac as the only machine has limitations of course, namely you cannot place the PCs and the server into different subnets with a firewall between them, which is what you should do to protect the server from an eventually infected PC.