@chechito
I am pretty confident he should achieve more unless he stuffs up.
I simulated it on RB951G(1*600MHz) instead of RB750Gr3 (2*880MHz) and I reached continuous 100Mbps with TCP iPerf. To be precise, the config was similar as the one you described (basic NAT and firewall, software bridge, no fast-track/fastpath and a simple queue high enough it will consume the CPU but won't limit the transfer itself)
I am sure that fasttrack would improve the result significantly but my idea was to avoid any features which might later interfere with something else and might need to be disabled.
I also couldn't spend much time on playing with it so I didn't try any optimizations and I didn't play with vlans. I guess it would perform better if the bridge was removed (for ISP-style config, bridge is not necessary anyway)
test config for reference:
[admin@MikroTik] > /export hide-sensitive
# feb/25/2019 07:04:54 by RouterOS 6.42.3
# software id
#
# model = 951G-2HnD
# serial number
/interface bridge
add fast-forward=no name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge1 name=defconf
/queue simple
add max-limit=200M/200M name=queue1 target=""
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
/interface bridge settings
set allow-fast-path=no
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
However, if its true that he want's the old HEX (second cheapest router in the range) for starting an ISP business and not for home purpose, I can just facepalm... The HW is not designed for such task and due to all extra requirements, it will barely support the current uplink speed. In the end, I am afraid it won't bring anything than complaining users which will spread bad word and destroy his reputation. On the other hand, if he is going to start with just few users and learn on it while growing the network, its probably safest choice. In the worst case, if he gives up in month or two, it won't hurt so much.