Hello every one i was using mikrotik rb2011 uiasm it was fine so far. Now my network requirement is to use one-to-one NAT so i brought /25 pool of public ip from isp and configured it on ONE-TO-ONE NAT per private IP with per public IP i know my router was not that compatible for such configuration and it starts hang and cpu goes to 100%.
I just want to ask should i go with RB 4011 would 4011 can handle it easily 200 users with ONE-TO-ONE NAT and in total 400 mbps of internet. would really appreciate community help

If one takes official test results with a pinch of salt, then RB4011 should be able of routing at roughly 2.5Gbps give or take. The number is approximately 10-times larger than the one of RB2011. I guess that your particular use case (200 1-to-1 NAT mappings) does mean somehow more complicated setup than the one used in tests (and which should yield 2.5Gbps of routed traffic real life), but I'm guessing that RB4011 should be able to do at least what you expect it to do (400 Mbps).

However, I'd rather look at RB5009, its performance is a bit higher than RB4011 performance, it's a generation newer device and comes with comparable price tag. There are a few differences in offered interfaces, but if that doesn't bother you, then RB5009 would be overall a better choice IMO.

Adding:
RB4011 also has the added (possible) complexity of 2 switch chips.

My advise would also be to move to RB5009.

My RB4011 has cores at 100% at less than 1 Gbps without FastTrack on v7 - which is the reason I reverted to the previous branch where the cores reach 60% under the same conditions. You cannot compare it to the RB5009 with MT official numbers, since they didn't use the same kernel. The latter is a much more powerful device for the same price...

200 users with ONE-TO-ONE NAT and in total 400 mbps of internet

We have RB4011 and RB5009 in production and in our experience both will be able to handle this with reasonable CPU load.
For pure NAT/routing, we see both of them maxing out at 1.5-2.5GBit/s. It will be less depending on amount of additional firewalling and queuing in place, but stay above 400MBit/s. All of this is for our use cases, your mileage may vary.

The main difference is the internal structure as visible in the block diagrams RB4011 / RB5009. The RB5009 is a newer design and has a better switch chip providing much more flexibility for port usage and configuration. It also has a 2.5GB port.

My RB4011 has cores at 100% at less than 1 Gbps without FastTrack on v7 ...

I have the opposite experience: my hAP ac2 was at 15-20% under v6 when doing 30Mbps (at the time I was using 30/5 VDSL), the same unit now is at 10% when doing 980Mbps (I have FO 1Gbps/100Mbps) on v7. Alas: I did netinstall the hAP ac2 and I configured it from scratch ... with similar functionality (but not identical, I did take into account changed defaults when doing configuration anew). The proof that v7 does use fasttrack is that if I run speedtest against IPv6 host, CPU load on hAP ac2 goes above 50% while measured throughput drops to around 400Mbps.
Hell, even RB951G, running v7, was able to route at around 850Mbps (with slightly less than 100% CPU load) - I was using it while I was doing hAP ac2 config anew.

So I'd say that your config is somehow hosed due to frequent upgrades, downgrades and config changes ... and it's time to start anew from netinstall and new config (only use old one as a reminder of what functionality you need, but try to stick to default config philosophy, it's a good one unless you know much better.

@mkx, I think you missed what I meant by without FastTrack. I never implied that FastTrack wasn't available in v7, but if you need queues, FT is more or less out. The performance loss on single uploads/downloads has been documented since the cache was removed in 3.6 (more than a decade ago !).

Netinstall can't restore the cache, because it was removed from Linux. Broadcom seems to have their own closed-source route cache for their SoCs, but that's not what MT is using. Regardless, it's a moot point, because there's no way for a client to really get more than 1 Gbps from WAN on this device.

In any case, my comment was made to a prospective buyer looking to purchase a router today - the RB5009 is a much better device that can handle close to 2.5 Gbps internet service to a single client (better SoC, better ASIC, better design).

@mkx, I think you missed what I meant by without FastTrack.

Indeed I missed the fact you intentionally disabled fasttrack.

BTW, if you only need to apply queues to a portion of traffic, then you can craft fasttrack rule so that it doesn't fasttrack traffic which has to be subject to queues (or add appropriate non-fasttrack accept rules higher than fasttrack rule on rule list). But that's only effective if that portion of traffic is small compared to total traffic.