We have 2 RB2011UiAS-RM that we plan to use as active/standby (or active/active if this is possible) to replace an old ISA 2006 server. Our company is 300+ users strong and we would use the Mikrotiks to serve as Firewall and Proxy Router (adding more space for proxy via the USB port). Some remote-access VPN (5 -10 users at any one time maximum) would be needed to be handled as well. Is this possible considering the number of users and VPN access, or would these devices be maxed out and we should consider CCR?
How much traffic will you be having?
How many connections?
How many pps?
Will you be doing NAT or is this a routed environment?
How many and what firewall rules will you be using?
Will you be doing QoS?
Will the VPNs use encryption?
In my experience without using Fasttrack and without any forwarding firewall filter and mangle rules, a RB2011 can handle roughly 130-150mbit of NATed traffic before the CPU maxes out.
That number may be even lower depending on your rules, number of concurrent connections, vpn encryption etc.
If you need to be on the safe side about performance I would suggest to get a CCR.