TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Point to Point Wireless Security

Sun Oct 06, 2019 3:07 pm

Hi guys.
My company has some factories which are 5 km away from the main office. Because there is no way to run a wired connection, we plan on running point-to-point wireless to connect each site to the main office. But there are some questions we need to clear up before we can start; I hope you guys will give some advice.
1. How to secure a wireless point-to-point connection? (Ex: some bad guy will stand in the middle and catch all the data from both sites; how to prevent it?)
2. Almost all the data is CCTV, so we need at least 30 Mbps bandwidth for each site. Which MikroTik product can we choose?
Thank you guys!
 
mistry7
Forum Guru
Posts: 1480
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Point to Point Wireless Security

Sun Oct 06, 2019 7:58 pm

What country, and do you have a clear line of sight to the second point?
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Point to Point Wireless Security

Sun Oct 06, 2019 8:19 pm

Of course you should enable WPA2 security on your link, and when you are paranoid you could always use another layer of security on top of that, e.g. an IPsec tunnel.
Make sure you make a separate point-to-point link for each connection; do not be tempted to put an omnidirectional station at one point and have others connect to that.
This will reduce your cost but it also affects performance. Point-to-point connections with a directional antenna (dish) at each end always work best.

To get this kind of performance you need an AC type of product on 5 GHz. For that you need clear sight, no buildings and trees in the way.
When you also have closer distances (up to 2km) you can consider 60 GHz which offers superior performance at short distance.

And of course you can also look what others offer.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: Point to Point Wireless Security

Mon Oct 07, 2019 7:04 am

Thank you guys for your advice.
At first we also thought about an IPsec tunnel, but I know it will slow down the bandwidth. Is there any way to measure how slow it is when using IPsec compared with not using IPsec?
The factories are located on a hill surrounded by trees, so I think there is no effect on the point-to-point connection.
As for the MikroTik device, do you have any recommendation? Which product should I use?
 
mistry7
Forum Guru
Posts: 1480
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Point to Point Wireless Security

Mon Oct 07, 2019 7:20 am

> Thank you guys for your advice.
> At first we also thought about an IPsec tunnel, but I know it will slow down the bandwidth. Is there any way to measure how slow it is when using IPsec compared with not using IPsec?
> The factories are located on a hill surrounded by trees, so I think there is no effect on the point-to-point connection.
> As for the MikroTik device, do you have any recommendation? Which product should I use?

You need an absolutely free line of sight; a tree will kill your bandwidth needs.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: Point to Point Wireless Security

Mon Oct 07, 2019 7:27 am

We will set the APs on the roof so there will be a clear line between the 2 sites.
For the MikroTik product, we are considering the QRT 5 ac. What do you think about the QRT 5 ac?
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Point to Point Wireless Security

Mon Oct 07, 2019 10:22 am

I have no experience with those. I normally use dish-type APs like LHG 5 ac or LHG XL 5 ac or more often the competitor's product UBNT Powerbeam 5AC 400 ISO.
Of course the QRT devices look very slick, but those panel type antennas tend to have more sidelobes so they pick up more interference from other users of the band.
However they will probably work fine when you do not have that much local use of 5 GHz.

An extra IPsec layer could slow down your link when the CPU cannot handle it, probably these devices have no IPsec acceleration.
You could consider making a setup that encrypts sensitive office data but not the CCTV streams.
Everything is already encrypted at the WiFi WPA2 layer anyway, but should it be cracked in the future you would have extra protection.
 
dmitris
Member Candidate
Member Candidate
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: Point to Point Wireless Security

Mon Oct 07, 2019 10:38 am

Also I would suggest using a different VLAN/subnet for each site; then you can have a fine-tuned firewall between sites. Also use a strong password on the wireless PtP link and hide the SSID on the receiving side; it will protect you from passers-by, but not from directed attacks.
 
mistry7
Forum Guru
Posts: 1480
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Point to Point Wireless Security

Mon Oct 07, 2019 11:52 am

> We will set the APs on the roof so there will be a clear line between the 2 sites.
> For the MikroTik product, we are considering the QRT 5 ac. What do you think about the QRT 5 ac?

The solution we use at this distance is the RF Elements Dish 550; you can use it with MikroTik / Mimosa or UBNT, just choose the right adapter. For repair or upgrade you'll never need to change the antenna and alignment.
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Point to Point Wireless Security

Mon Oct 07, 2019 12:19 pm

Strong WPA2 password, hide SSID and one not mentioned yet, if you use MT then use NV2, if using UBNT then use Airmax. This makes using "any old 802.11" kit nigh on impossible as well.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Point to Point Wireless Security

Mon Oct 07, 2019 1:12 pm

And of course on a point-to-point link, only allow the MAC address of your own client.
All measures that can be defeated by the determined hacker, but they will protect you from wardrivers in general.
60 GHz also has the advantage of the very limited range (so you cannot connect from far away), but of course that means you cannot cover links over the distance you request.
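
Added example, not part of any post above: the link-hardening measures suggested in this thread (WPA2 with AES, hidden SSID, NV2, and allowing only the peer's MAC address) written out as a RouterOS v6 wireless configuration for one point-to-point link. The interface name `wlan1`, the SSID, the profile name, the keys and both MAC addresses are constructed placeholders.

```routeros
# ---------- Main-office side (AP end of the link) ----------
/interface wireless security-profiles
# WPA2-PSK only, AES-CCM only (no WPA1, no TKIP).
add name=ptp-sec mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="PLACEHOLDER-long-random-passphrase"

/interface wireless
# mode=bridge accepts exactly one station, which suits a PtP link.
# default-authenticate=no: only MACs listed in the access-list may associate.
# wireless-protocol=nv2: plain 802.11 clients cannot join. Under NV2 the
# link is encrypted with nv2-preshared-key rather than the WPA2 profile,
# so both keys are set here in case the protocol is later changed.
set wlan1 mode=bridge ssid="ptp-site1" hide-ssid=yes \
    security-profile=ptp-sec default-authenticate=no \
    wireless-protocol=nv2 nv2-security=enabled \
    nv2-preshared-key="PLACEHOLDER-second-long-random-key"

/interface wireless access-list
# Constructed MAC of the factory-side radio.
add interface=wlan1 mac-address=02:00:00:00:00:02 authentication=yes

# ---------- Factory side (station end of the link) ----------
/interface wireless security-profiles
add name=ptp-sec mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="PLACEHOLDER-long-random-passphrase"

/interface wireless
# In station modes, default-authenticate=no means: connect only to APs
# that match a connect-list entry.
set wlan1 mode=station-bridge ssid="ptp-site1" \
    security-profile=ptp-sec default-authenticate=no \
    wireless-protocol=nv2 nv2-security=enabled \
    nv2-preshared-key="PLACEHOLDER-second-long-random-key"

/interface wireless connect-list
# Constructed MAC of the main-office radio.
add interface=wlan1 mac-address=02:00:00:00:00:01 connect=yes \
    security-profile=ptp-sec
```

Repeat the pair with a different SSID, keys and MAC addresses for each factory, so that every site has its own separate link as recommended above.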
