I recently bought an RB952Ui-5ac2nD (HAP AC lite) to connect the cottage to my home lab with a VPN. The home lab is running a 3011UiAS.
The cottage has a 100Mbps down and 15Mbps up link. The home lab has a 300/300Mbps link. I have around 100ms latency between the sites.
I was not expecting the HAP to be able to pass the whole 100Mbps in the VPN. But I was still expecting more than 4-5Mbps. Somewhere around 15-20 would have been perfect. CPU of the HAC never goes over 20%. The RB3011 doesn’t even feel it.
So it means that you will get terrible performance. I would also suggest bypassing fasttrack (either by using “notrack” or “allowing” traffic before the fasttrack rule), and tuning MSS size might be required (which I believe it is not).
I know that the HAP ac lite doesn’t have hardware acceleration for encryption. Which is why I was expecting much slower performance on encryption.
Still, with no dedicated ASIC for encryption, I was expecting the CPU to max out doing the encryption, but I’m still stuck at 5Mbps but with only 20-30% CPU usage.
I played with fast path, fasttrack and fast forward, but couldn’t see any impact from any change.
No matter what, I’ll stay unencrypted for now. Most of the traffic going through that link will be encrypted anyway (e.g. HTTPS).
Just an additional note, I tried using low encryption (md5, des and modp768). I got as far as 7Mbps and 30% CPU usage. I don’t know if these are the lowest encryption available on the Mikrotik though.
With IPSec and the hap lite I would max out at 8 Mbps, but packets would drop so badly that users whose traffic was not using the IPSec tunnel would complain. So I had to limit my IPSec throughput to 3 to prevent dropped packets.
I upgraded to Hex and ran some tests; I can max out my internet speed over the IPSec tunnel now.
Worth noting, when I did have to transfer a lot of data over the hap lite IPSec VPN, I would set encryption to null to temporarily increase speeds.