I’m excited to join the Mikrotik family with this project. I do have a friend local to help with pointers on setup etc. But this post is more about general direction regarding which protocol best matches the capabilities of this hardware than anything else.

Long story short, this is going to be a distributed CCTV network being fed back to head end servers via fiber public internet links. Each spoke will serve anywhere from 4-16 IP cameras (20-80mbps continuous) and one access control panel. Currently the head end server is receiving 120-140mbps from the current CCTV setup. But, we expect to bring significantly more online shortly and continue to centralize the the network in the coming year(s). My theory is that we may be pushing 450-500mbps over these tunnels soon. I don’t expect either the hub or spoke devices to have any issue with the initial throughput. However, I really don't want to have to re roll the vpn setup if things get taxing later.

So I suppose my real question is what protocol best suits the hEXr3 and CCR1009-7G-1C-1S+ In this configuration? There will be nearly zero overhead related to complicated firewall rules, queuing, or excessive routing loads. Are there any gotchas in setup that I need to watch out for that could bring it all to a grinding halt?

I’m thinking of IPSEC or Wireguard. I assume tried and true IPSEC will be the most foolproof as long as the hardware acceleration will cope with the encode/decode at those speeds.

I would not necessarily choose the hex for this operation, considering the throughput required.

Thank you for your reply Anav! I thought the Hex would be okay based on the website statement:

"IPsec hardware encryption (~470 Mbps) and The Dude server package is supported, microSD slot on it provides improved r/w speed for file storage and Dude."

I don't think the individual hexes will ever be required to transfer more than 10-15 cameras over their part of the tunnel. So that should be 90 mbps or less. I am totally new to MT so I may be reading that statement on the site wrong. Currently I would only have any hex transferring less than 5 cameras over their link which would be less than 30 mbps. The 90mbps link would be future case if needed.

Ipsec can be handled in hw by hex.
Wireguard is in general faster though.

Not an easy call...

Ipsec can be handled in hw by hex.
Wireguard is in general faster though.

Not an easy call...

Thank you also! When you say in general do you mean all things being equal wireguard is usually faster(certainly true in almost every case I have seen) or do you mean on MT hardware?

Well, I would use IPSec, since it will take advantage of the hardware encryption support. Wireguard does not.

Personally I prefer real tunnels, like IP-IP or GRE. But you can use policy based tunnels as well.

Not sure how multiple ipsec stream will be handled by ccr.

Wireguard allows multi threading. I don't think it will happen with ipsec acceleration on the hub.

Test and see.