Hi, the problem in the 3011 is... I don't find a way for the L2TP VPN clients to go out from each internet line.... I tried L2TP with IPsec.... with the 2 lines with same speed... down I have only 10m for each line... but upload I have the max of the lines. The 941 CPU is max 60%... the CHR CPU the same... and the 3011 CPU 3-4%.
This requires policy routing and maybe some extra voodoo to work, but it can be done. Did you manage to have all 5 PPPoEs up directly from the 3011? Do all the PPPoEs get public addresses? Is each of them on another ISP, or are some of them from the same ISP?
With MikroTik at both ends, you can use L2TP in bridge mode, but you cannot bond bridges together, so it is better to use EoIP over IPsec than L2TP over IPsec. What bothers me more is the CPU load on the CHR. Hopefully the physical CPU does have hardware acceleration for encryption and the virtualization environment allows it to be used, otherwise it will be the bottleneck (in case of all-software encryption, there isn't a big difference between SSTP and IPsec on the same encryption algorithm). Encryption lowers the throughput seriously, especially with small packets, so without hardware acceleration 40 Mbit/s is just a dream, and even with hardware acceleration it may be much less than you expect. The 3011 is not extra good at it (yet there should still be space for improvement in software versions to come, they've just started enabling it).
And what @joegoldman says is of course true, I completely forgot about it as I don't use balance-rr.