There are quite a few things that prevent you from having HW offload properly:
- Only single bridge per switch port group can have HW offload. Your RM2011iL has two switch chips, one spanning ether1-ether5 and the other spanning ether6-ether10.
- VLANs, handled by bridges, can't be HW offloaded
- high CPU load while you're downloading is not due to lack of HW offload for VLAN 101, but due to lack of HW offload overall
- high CPU load might be due to setting /interface bridge settings set use-ip-firewall=yes ... are you really sure you want to force all LAN traffic and IPTV through IP firewall?
I guess LAN traffic can be trusted while you might not want to care about IPTV (it's just the set-top box that might get hit by hackers who would have hacked the IPTV provider's network beforehand). Internet traffic is being firewalled without this setting, as that's L3 traffic which doesn't pass just through the bridge; it's shuffled across IP interfaces.
In addition to that, you should be aware that ether6-ether10 are only 100Mbps. If your internet link is up to 100Mbps, you might want to connect it to one of the ether6-ether10 ports and free ether1 for a LAN connection with high-speed switching.
In any case, RB2011 is not a beast when it comes to routing speed, I doubt it could handle much more than 200Mbps with all those firewall filter rules.
For this post to be complete: there's nothing wrong with the way you're dealing with the IPTV VLAN. However, since RouterOS version 6.42 the idea is to have a single bridge per device and configure VLAN stuff on the bridge.
However, on most devices (but CRS3xx and CCR?) HW offload is lost when VLANs are configured on the bridge. In this particular case I'd advise sticking to the 2-bridge scenario.
I suggest you make the following changes to your setup:
- move WAN connection to ether10. Move specific config (i.e. vlan interfaces) with it.
- don't set hw=no on ports that are members of bridge-local (in /interface bridge port).
- don't set /interface bridge settings set use-ip-firewall=yes
- router's IP config should go to the bridge, not to ether2 (that's in /ip address).
- use interface-list in firewall filter rules (instead of interface). And firewall nat rules as well. E.g. use in-interface-list=WAN instead of in-interface=ether1. Makes firewall filter rules more readable and easier to make topology changes (i.e. change WAN interface from ether1 to ether10 ... firewall filter rules would stay unchanged, only change in /interface list member would be necessary).
- reconsider firewall filter rules allowing all UDP traffic in any direction (comment=IGMP protocol=udp) as they might be a tad too liberal. Try to make it more specific by adding some more checks (e.g. in-interface=ether6 or ports=xxxx-yyyy).
- the second-to-last and third-to-last filter rules are exactly the same ... either one can be removed (according to suggestion #5 above I'd remove third-to-last rule).
- why do you have second src-nat rule? If it's to allow SSTP connected clients to access internet, then already the first rule (more general one) does the trick. If it's to masquerade SSTP clients when accessing normal LAN, then ... well, I wouldn't do it, this should be already possible without it. In any case, reconsider this rule to assess security implications.
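As an added example (not the poster's or the original setup's configuration), here is how suggestions 2 to 6 plus a single masquerade rule could look in RouterOS CLI. Interface names follow the post; the LAN subnet, comments, and the assumption that ether6 carries IPTV as a routed (non-bridge-port) interface are mine.

```routeros
# Added example, not the poster's config. Assumed: WAN already moved to ether10,
# LAN bridge "bridge-local", LAN subnet 192.168.88.0/24 (constructed),
# IPTV arriving on ether6 as a routed interface (assumption).

# 1. Let the switch chip do LAN switching: no hw=no on bridge ports,
#    and keep bridged traffic out of the IP firewall.
/interface bridge port
set [find bridge=bridge-local] hw=yes
/interface bridge settings
set use-ip-firewall=no

# 2. The router's LAN address lives on the bridge, not on a member port.
/ip address
add address=192.168.88.1/24 interface=bridge-local comment="LAN gateway (constructed)"

# 3. Interface lists decouple firewall rules from physical port names.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether10
add list=LAN interface=bridge-local

# 4. Filter rules reference the lists; moving the WAN port later only
#    needs a change in /interface list member.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=WAN action=drop comment="no unsolicited input from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new in-interface-list=WAN action=drop comment="no new inbound from WAN"

# 5. Scope the IPTV allowance instead of accepting all UDP everywhere:
#    IGMP and multicast-destined UDP only, and only on the IPTV-facing port.
add chain=input protocol=igmp in-interface=ether6 action=accept comment="IGMP from IPTV"
add chain=forward protocol=udp dst-address=224.0.0.0/4 in-interface=ether6 action=accept comment="IPTV multicast"

# 6. One masquerade rule keyed on the WAN list covers LAN and SSTP clients alike.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
```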