L2TP / IPsec speed on QCA9557 (hEX PoE)

I maybe made a mistake utilizing hEX PoE for a tunnel…

I thought it had IPsec acceleration like its hEX sibling, but I am not sure.

Does anyone know what throughput I can get over L2TP/IPsec with AES128 tunnel (basic)?

I am currently saturating a 20/20 link, getting some 14-15 Mbps of usable throughput. The rest is overhead, as it seems.

Would be very happy if I could push say 40-50 full duplex? Fingers crossed?

(The host is 1100AHx4)

@sindy is the pro for your topic, but here is what I usually do if I'm getting speed issues with L2TP/IPsec.

Make a separate test first with only L2TP, without IPsec; once you are happy with that, then you can go further.

Well, they are “siblings” in the same sense like children from previous marriages - they just bear a similar name. hEX (in its current reincarnation, RB750Gr3) is built around MT7621A which does support encryption in hardware, hEX PoE (RB960PGS) is built around QCA9557 (MIPSBE) with no such support.

To squeeze as much throughput as possible, do not use encryption at L2TP level if you eventually do, but it won’t change the game substantially.


Check the product pages for the test results. IPsec results are currently only provided for devices that do support hardware encryption.

@nichky Thanks. That is what I did. L2TP worked fine, and in essence I am saturating the 20/20 link, even with IPsec.

However, MikroTik support told me that I can expect the hEX PoE to top out at about 20-something Mbps, so that’s that, I suppose.

@sindy I think hEX PoE is not meant for this purpose. If need be, I will add an additional hEX to the installation as a dedicated L2TP/IPsec VPN server. I would need to port forward L2TP ports, configure the hEX as a VPN server and add some routes on the main router and VPN server. On the Main office server nothing should change.

That said, I found today that Android doesn’t support L2TP/IPsec with PSK… Nonsense, but we have what we have.

I’d really suggest hAP ac² rather than hEX Gr3 for this purpose. The price is about the same, and the throughput is better. So unless you need the microSD slot, it is a better value for money. You can keep the WiFi disabled if that’s a concern.


Which version? All of mine do support it, but I admit my newest one is 10.

Since Android 12 there is no support for PPTP and L2TP.

The issue with hAP is that it doesn’t look professional. If I get to install something that looks like home equipment in an office environment, that wouldn’t be good. People mostly don’t understand how IT works, but when they see industrially designed MikroTik boxes, they instantly understand that they shouldn’t touch those.

try RB450Gx4 then

even more industrial

RB5009! you can’t get more industrial.

RB450Gx4 could actually work fine. :slight_smile: 5009 is an overkill tho… And you couldn’t get one if your life depended on it. I am waiting for mine for more than half a year.