If you use CAPSMAN and do NOT use local-forwarding, ALL traffic will need to be encrypted over a tunnel from the AP to the CAP.
This will have a huge impact on performance!!!
If you use the hAP AC in stand-alone mode it will perform as designed.
If you use ANY AP with CAPSMAN without local-forwarding, you need a CAP device with lots of CPU power ... a CRS125 does NOT have a powerful CPU ... it is a switch!!!
Use a more powerful MT and you will see better performance.
Running 6.44.3 (stable) on :
CCR1009-8G-1S (2x ipsec/l2tp site-to-site, ipsec/l2tp roadwarrior, dhcpd, dns), CRS125-24G-1S, RB1100, RB962UiGS-5HacT2HnT (10pc),
RB951, RB750GL ,RB2011UAS-RM, CHR running dude (CHR running in VirtualBox on OSX)