Hi
I would appreciate some product recommendations for a router that can NAT roughly 1gbit normal traffic and have the power to do some traffic shaping so that one apartment can't use all the bandwidth and slow down internet for all the others. (I guess routeros has some functionality for doing this?)

The hardware I'm thinking of is either a hEX/hEX S and use bridge VLANs for each apartment to a switch that can split up the 12 VLANs to 12 ports. I think they need different subnets to use traffic shaping and isolation so they don't discover each other's devices. Or I'm thinking if the bridge VLAN functionality will be a bottleneck so I'm better of with something like RB1100AHx4 with all ports built in? (Need 12+1 WAN). This device also have much more powerful CPU then the hEX but do I need it? Slightly more pricey solution but I do need a L2 switch also with the hEX solution so that evens it out a bit.

What would you suggest here? Or maybe a completely different solution?

A hEX is not powerful enough for that.
I would suggest a RB1100AHx4 which is enough to do everything as it has 13 ports, assuming you get your internet on 1Gbit/s TP Ethernet.
When you want more headroom you can use a CCR1009 but it will require an additional switch for some of the ports.
However, that could save some cabling depending on the layout of the appartment (run a single cable to some floor and have an 8-port VLAN switch there)

CCR1009 is cool but price is a bit too high
Found RB450Gx4, maybe a faster alternative to hEX.

Cat6 cables are already installed from each apartment to one central location. Apartment are small and on only two different floors so cabling was not a problem.
RB1100AHx4 is nice, the only thing I have against it is that the port number is just enough, no spare for example a future common wifi AP

I think I'll have to buy the hardware and experiment a bit

A CCR1009 is like $500 so with 12 apartments it is like $42 per apartment. RB1100 is $300 or
$25 per apartment.

When that is too much as a one-time investment for 1 Gbps internet I recommend you to get out
of this project as soon as possible! Don't try it with less than RB1100 especially when people are
going to test it and complain they did not get what they paid for.

Well it's not a professional ISP project, it more like a collective that wants to save money and use a single fiber as incoming. And they are not going to promise any higher speed for each apartment but of course they still wants as fast as possible...

Yes I think maybe I can get them to buy the CCR1009 but a switch is needed for this too so like 500+150. Still curious about the performance of the new rb450gx4 so I might buy one myself just to experiment with A bit sad that NAT performance is not shown in the product page speed tests

A small gigabit switch with basic VLAN functionality (trunk on one port, individual ports untagged on a single VLAN) is not expensive anymore.
In fact, when you get your internet delivered including NAT routing and your only requirement in fact is isolation of the clients, you could
consider buying a switch that can do client isolation. I think (but I am not sure, so check it) that SwOS switches like the CSS326-24G-2S+RM
can do that.

what type of connection is in every room? wired or wireless??

1.
if it is wireless why dont you setup RB1100AHx4 as CAPSMAN and set different bridge/subnet per CAP.
this implies you install mikrotik ap in every room.

2.
i have similar setup (with 50mbps internet line) with rb951ui-2hnd as main router and 12 hap lite total 1 per apartment. setup done with routings. so every room different subnet. no need for vlan.
the good thing about hap lite or similar hardware is that it is switch and wireless so there is wired and wireless access per apartment.

viewtopic.php?f=2&t=126578

In fact, when you get your internet delivered including NAT routing and your only requirement in fact is isolation of the clients, you could
consider buying a switch that can do client isolation. I think (but I am not sure, so check it) that SwOS switches like the CSS326-24G-2S+RM
can do that.

Client isolation on a switch? Never heard that before, only on wifi. It would fast and easy but then there would be no way of controlling fair use of the bandwidth I guess. These are younger people and they will start downloading movies and stuff so I think that will be a big issue if I do not add some kind of control over this...

what type of connection is in every room? wired or wireless??

1.
if it is wireless why dont you setup RB1100AHx4 as CAPSMAN and set different bridge/subnet per CAP.
this implies you install mikrotik ap in every room.

2.
i have similar setup (with 50mbps internet line) with rb951ui-2hnd as main router and 12 hap lite total 1 per apartment. setup done with routings. so every room different subnet. no need for vlan.
the good thing about hap lite or similar hardware is that it is switch and wireless so there is wired and wireless access per apartment.

viewtopic.php?f=2&t=126578

Wired. Thanks for the link But I don't think they want to provide wireless service, just a RJ45 outlet and then it's up to the tenant but I will check this since it's not very expensive to provide a hAP lite either but if they decide to go that way I think I would use a hAP ac lite and a poe switch

I think those switches even have rate limits, but that will not be as flexible as what you can do with queues on a router.
So you can give everyone 100 Mbit/s or a little more (overbooking) so nobody will be starved, but then nobody would get
the max rate either. Client isolation is quite usual on advanced switches, you can define which port can talk to which
port so you make all ports able to talk to the port the ISP router is connected but not to eachother.

With queing in the router there are different solutions, I usually use queue trees but it is mainly for priority. However,
I think you can use it in this situation as well. You assign everyone a guaranteed bitrate that you can surely provide
(e.g. 90 Mbit/s) and a max bitrate that they can use when capacity is available (e.g. 900 Mbit/s). The queue will
guarantee that everyone at least gets an equal share when everyone is downloading at the same time, but unused
capacity can be used by someone else. It is best to limit slightly below the ISP rates because that will avoid increase
of the pingtime when the line is fully loaded.

There also are "simple queues" and "PCQ" options but they tend to focus on dividing bandwith between IP addresses
so a user with two PCs downloading could get twice the share when it is not carefully configured.

Make sure your ISP provides IPv6 (at least a /60 network) and configure it, that will mean less and less NAT handling
in the future when more services migrate to IPv6. This is another reason to use queue trees rather than simple queues,
those are for IPv4 only.

W.r.t. using an AP: when your users want to connect only WiFi you could consider getting a PoE switch and use that for
those users so they can connect just their AP and have it powered.

Thanks for your long and good answers.
I think I'm more comfortable with the more flexible router solution then having to come back later saying they have to buy more stuff to fix my bad decisions

Your first suggestion sounds good, everyone Will get at least minimum speed but more is available if there is unused bandwidth. It doesn't have to be absolutely fair (I guess this wont be) since they don't know how much the others use.

Sure, I understand I should leave some headroom to max speed so latency isn't ruined.

PCQ was suggested in the other thread I started before your post. I guess the packets can be marked on subnet and not only on single IPs? People will probably use only one computer anyway so it might not be a huge problem. None of these is a computer expert anyway I guess as they asked me to help them

Yes IPv6 vill be a blessing hehe, no more resource hungry NAT I guess they will use one of the most IPv6 friendly ISP here in Sweden

Yes I already thought about your poe suggestion and using hAP ac lite (switch/bridge mode). Depends on what they want but I will tell them that double NAT which they will get if they go out buying home wifi routers themselves is not great...

if they start to buy their own routers then you will have to fight for DHCP ROGUE SERVERS (if you dont have vlans).
thats why i moved on and ask owner to install our own hap lites in every apartment with routing setup. of course you can install RB951UI, HAP AC LITE or HAP AC2. it depends your budget.

with that setup every apartment can connect to his hap lite whatever equipment wants without interrupting others. even they can install their own routers and i dont have to care for rogue dhcp. everybody is living in their own subnet.

i wanted to do that installation with capsman but capsman does not include in config the ethernet ports of the hap lite. so i did it with routing way.

if they start to buy their own routers then you will have to fight for DHCP ROGUE SERVERS (if you dont have vlans).

In this config it is easy to give everyone a separate LAN network either on separate port on the router or on a switchport that
is untagged on a VLAN (with a trunk port connecting these VLANs to the router). So the user sees no VLAN but they are all
on separate networks. The MikroTik router can have 12 separate DHCP servers that each serve a /24 (for example) network
for one house. And on those 12 separate networks you also give a /64 IPV6 network (hence you need a /60 or better from ISP)
so all users remain separate and no DHCP or port scanning issues should occur.

When a user wants WiFi it is best to put the AP in bridge mode, any WiFi AP should be able to do that. Then there is only
one NAT level, of course assuming there is no ISP router involved that does NAT as well. When the ISP can provide an IPv4 /28
network it is even possible to give every apartment an own external IP. But that will probably cost extra.

Yes, VLANs as client isolation is what I'm most comfortable with

The only thing that worries me about that is that maybe the CCR1009 is not built for handling VLANs because there is no switch cipset and what it is best for is real CPU intense routing? Handling VLANs in bridge/software might be a big bottleneck?

Oh, btw, I will probably have to offer hAP ac for the apartmenta and not hAP ac lite as the lite isn't gbit hAP ac is a bit expensive but seems to be the cheapest with poe in and gbit...

Oh and there is a hAP ac2 that is even cheaper

The only thing that worries me about that is that maybe the CCR1009 is not built for handling VLANs because there is no switch cipset and what it is best for is real CPU intense routing? Handling VLANs in bridge/software might be a big bottleneck?

You would use 1 port as a tagged-VLAN trunk to your switch. The other remaining ports can be used to directly wire to apartments (without PoE).
On that single port you add VLAN subinterfaces for each tag to be used, and on those VLAN subinterfaces you define the subnets to be used for each apartment.
The VLAN subinterface isn't really CPU intensive, it just adds the 4-byte tag to each packet and moves it on.
You should not define a bridge for this configuration. It is only required when you want more than one port to be member of the same network.
(in the AP you use a bridge to make the ethernet and the WiFi interfaces part of the same network)