XDP BNG · CGNAT · Anti-Spoof · DDoS · NOC2 — vs MikroTik RouterOS
Competitive Brief · BNGSOFT XDP BNG vs MikroTik RouterOS

Same Job, Different Engine: an XDP Data Plane vs a CPU-Forwarding Router

MikroTik is an excellent, affordable router for the access edge — but for a large PPPoE/IPoE BNG with CGNAT, per-subscriber QoS and DDoS protection, RouterOS forwards every packet in the CPU and its PPPoE path doesn't scale across cores. BNGSOFT runs the same workload in an in-kernel XDP/eBPF data plane — more subscribers per box, fewer boxes, lower latency.
The question isn't "is MikroTik good?" — it is. The question is what happens at 20k, 50k, 100k subscribers with CGNAT and QoS turned on. That's where CPU/PPS forwarding hits a wall and an XDP data plane keeps going.
  • ~64k: BNGSOFT / 2×100G box, NIC-limited (200G ÷ ~3 Mbps), vs ~4–5k stable PPPoE on a CCR2216
  • ~1–2 servers for 50k, vs ~16 × CCR2216 NAS + a separate CGNAT cluster
  • Line rate: XDP in the NIC path, vs every packet through the CPU (PPS-bound)
  • All-in-1: one data plane for BNG+CGNAT+QoS+security; no FastTrack trade-off
Fair framing. MikroTik RouterOS is a mature, low-cost platform with first-class routing (BGP/OSPF/MPLS), a huge community, and it is a great fit for access/edge routing and small-to-mid PPPoE deployments (a few thousand users per box). This brief is specifically about large-scale subscriber BNG + CGNAT + QoS, where the architectures diverge. Figures for MikroTik are from MikroTik's own documentation and widely-reported operator/community real-world numbers (sources listed); they vary with configuration and traffic.

1 · The core difference — where packets are processed

RouterOS is a Linux-based router that forwards in the CPU. Its fast path (FastTrack) speeds simple routed/NAT flows, but FastTrack bypasses connection tracking, simple queues and queue trees — exactly the features a BNG needs. So per-subscriber shaping and CGNAT accounting force traffic onto the slow CPU path. BNGSOFT runs forwarding, CGNAT, source-validation and shaping together in one XDP/eBPF program in the NIC driver path — at line rate, with all features on.

[Diagram, two packet paths]
  • MikroTik RouterOS — CPU forwarding: NIC rx → CPU, every packet (conntrack, NAT/CGNAT, simple queues, PPPoE (1 core), firewall) → NIC tx. FastTrack skips queues + CT, so BNG can't use it.
  • BNGSOFT — XDP data plane: NIC rx → XDP / eBPF in the NIC driver path, line rate (forward + QoS, CGNAT, anti-spoof, DDoS + L4S/AQM) → NIC tx. Control plane writes pinned maps (off hot path).
RouterOS processes every BNG packet in the CPU (FastTrack can't be used with per-subscriber queues or CGNAT accounting). BNGSOFT runs all data-plane functions in one XDP program in the NIC driver path; the control plane only writes pinned maps and never touches the hot path.
The single-thread ceiling. Operators widely report that RouterOS PPPoE is not fully multi-thread scalable — one CPU core saturates while total CPU still looks low. That's why a 16-core CCR2216 tops out around 4–5k stable PPPoE users with QoS, not "16× a single core."

2 · Scale — subscribers per box, and boxes per network

Stable PPPoE subscribers per box (with per-subscriber QoS)

MikroTik figures: MikroTik forum / operator real-world reports. BNGSOFT: BNGSOFT deployment data. Indicative — varies by traffic mix.
  • MikroTik CCR1036: ~1–2k
  • MikroTik CCR2216 (16-core): ~4–5k
  • MikroTik x86 (high-end): ~6–10k*
  • BNGSOFT (2×100G server): ~64k all-features (NIC-limited)

*Community-reported; many operators see instability beyond ~5k–8k PPPoE on RouterOS even on strong x86, and split load across more NAS boxes.

What 50,000 FTTH subscribers (with CGNAT) actually take

A common carrier design pattern vs the BNGSOFT equivalent.
  • MikroTik: ~16 × CCR2216 NAS + separate CGNAT cluster (17+ boxes)
  • BNGSOFT: ~4–5 servers (4–5 boxes)
"Add another NAS, not optimize harder." The standard MikroTik large-FTTH design distributes ~5k users per node across many CCR2216 routers and runs CGNAT on a dedicated cluster (e.g. ~12.8M NAT sessions for 80k subs at 80% NAT) — because PPPoE termination and CGNAT can't both scale on the same box. BNGSOFT runs termination + CGNAT + QoS + security on the same server.

3 · Cost-effectiveness — fewer boxes, less of everything

Hardware is only the start. Each additional NAS multiplies rack units, power, SFP optics, spares, RADIUS/monitoring endpoints and operational surface. Consolidating ~16 NAS + a CGNAT cluster into a handful of commodity servers compounds savings across CapEx and OpEx.

Relative box count to serve 50k FTTH + CGNAT (directional)

CCR2216 ≈ US$2,200–2,800 each (retail, June 2026). BNGSOFT runs on standard x86 servers you already procure; software-licensed. Exact TCO depends on your hardware and rates.
  • MikroTik — NAS fleet: 16 × CCR2216 (≈ $37–45k HW)
  • MikroTik — CGNAT tier: + cluster (extra)
  • BNGSOFT — all-in-one: ~4–5 servers (+ license)
Consolidation is the saving. Fewer physical boxes → less rack/power/cooling, fewer optics and spares, one software image to manage, and one place (NOC2) to operate the fleet. You also avoid a second hardware tier just for CGNAT.

4 · Latency & subscriber experience

RouterOS can do modern AQM (CAKE / FQ-CoDel in RouterOS v7), but there's a catch: those queues run in the CPU and bypass FastTrack, so on a busy BNG you trade throughput for latency, and at 5k–10k per-subscriber queues the scheduler overhead itself becomes the bottleneck. BNGSOFT does per-subscriber AQM in XDP at line rate — and adds L4S and per-subscriber QoE telemetry — with no FastTrack/queue trade-off.

MIKROTIK: Software queues, CPU-bound
  • FastTrack vs AQM trade-off: CAKE/FQ-CoDel bypass the fast path — you pick speed or low latency.
  • Scheduler overhead: 5k–10k simple/PCQ/queue-tree entries cost CPU and cap scale.
  • No L4S; QoE/latency visibility is manual.
  • Per-core saturation means latency rises as the PPPoE core fills.
BNGSOFT: AQM in XDP, line rate
  • No trade-off: per-subscriber shaping + AQM run in the same fast path as forwarding.
  • L4S + AQM low-latency queue management built in.
  • Per-subscriber QoE telemetry and interactive-flow protection.
  • Latency stays flat as subscriber count scales on the box.

5 · Feature & architecture comparison

Dimension | MikroTik RouterOS | BNGSOFT XDP BNG
Forwarding engine | CPU / PPS-bound; FastTrack fast path bypasses CT & queues | XDP/eBPF in NIC driver path — all features at line rate
PPPoE scaling | Single-core bound; ~4–5k (CCR2216), instability often >5–8k | ~64k/2×100G server (NIC-limited) with QoS + CGNAT on
CGNAT | Conntrack-based; large scale needs a separate cluster | Port-block CGNAT on the same box; full-cone/symmetric/FCFS, deterministic + IPFIX
Per-subscriber QoS | Software queues; scheduler overhead at scale; bypassed by FastTrack | In XDP at line rate; L4S/AQM + QoE telemetry
Anti-spoof (BCP38) | RPF / firewall rules in CPU path | Per-subscriber source validation in XDP, IPv4 + IPv6, drop at ingress
DDoS protection | Firewall/raw rules (CPU); no built-in outbound-abuse quarantine | In-data-plane upload self-protect + outbound-abuse quarantine
Upgrades | Reboot / failover for RouterOS upgrades | Zero-downtime restart; CGNAT state preserved
50k FTTH footprint | ~16 NAS + CGNAT cluster (17+ boxes) | ~4–5 commodity servers
Routing (BGP/OSPF/MPLS) | Mature, full-featured — a RouterOS strength | Pairs with your routers/route reflectors; BNG-focused
Cost per box / entry | Low — strong for small/edge | Commodity x86 + license; lowest cost per subscriber at scale

Where MikroTik wins: price-per-box at the small end, integrated BGP/OSPF/MPLS routing, and ecosystem maturity. Many operators correctly start on MikroTik. The case for BNGSOFT is the scale-out inflection — when per-box session ceilings, the CGNAT tier, and per-subscriber QoS start forcing you to buy and operate ever more boxes.

6 · When to choose BNGSOFT

BNGSOFT vs MikroTik · the decision
  • You're past the single-box ceiling: Subscribers per node keep capping at a few thousand and you're adding NAS boxes to keep up.
  • You run a separate CGNAT tier: Collapse PPPoE/IPoE + CGNAT + QoS + security onto one data plane and drop the extra cluster.
  • Latency/QoE matters under load: Line-rate L4S/AQM per subscriber with no FastTrack-vs-queues trade-off.
  • TCO per subscriber is the metric: Fewer boxes = less rack, power, optics, spares and operational surface at scale.
  • You need edge security inline: BCP38 anti-spoof + DDoS protection in the data plane, not bolt-on firewall rules.
  • Maintenance can't be an outage: Zero-downtime upgrades across the fleet, CGNAT sessions preserved.

7 · Operations & management — NOC2 vs MikroTik tooling

Performance is only half the job; the other half is running the fleet day to day. MikroTik gives you Winbox/WebFig per device, The Dude for SNMP/ping monitoring, and the RouterOS API to script the rest yourself — all per-box, with no subscriber-centric operations out of the box. BNGSOFT ships NOC2: one web console for the whole BNG fleet, with ISP operations built in — included with the platform, nothing extra to assemble or license.

Operations task | MikroTik (Winbox / The Dude / API) | BNGSOFT NOC2
Management model | Per-device Winbox/WebFig; one window per NAS | Single web console for every BNG at once
Monitoring | The Dude (separate app) — SNMP/ping/up-down | Built-in live metrics + AQM/L4S/IFP, CGNAT pool, anomaly & capacity
Find one subscriber | Log into the right NAS, hunt the session by hand | One search box — username / IPv4 / IPv6 / MAC → live session + 24 h history; public-IP:port → subscriber (CGNAT lookup)
Bulk actions | Script per device via the API | Filter-based bulk disconnect, preview → typed-confirm → audit log
Customer-facing | None — you build it | Branded status page, outage email, "is my line up?" self-check
Config & change | Per-device config, manual rollback | Live config editor + templates + drift detection + server-side snapshots
Alerting & healing | The Dude / Netwatch scripts | Per-customer/region alerts, license-expiry watchdog, self-healing rules
Access & audit | Per-device users | RBAC + 2FA, region scoping, SSH PIN, full audit trail
Standards / northbound | SNMP, RouterOS API | gNMI / OpenConfig read-only telemetry for any NMS
Cost | The Dude is free, but per-box and you assemble the rest | Included with the BNG license — no extra ops product

What NOC2 gives your NOC & your customers: a single pane for the whole fleet instead of one Winbox per box; three-second subscriber triage instead of SSH-and-hunt; and a branded status page + outage email + self-service line check that deflects support calls — none of which RouterOS provides on its own. Fewer minutes-to-resolution, fewer tickets, and an operator experience that scales with the box count.

The bottom line

MikroTik is a great router that also does BNG. BNGSOFT is a purpose-built BNG/CGNAT data plane: because it forwards in XDP instead of the CPU, it carries ~64k subscribers on a 2×100G server with CGNAT, QoS and security all on (NIC-limited at ~3 Mbps busy-hour) — so 50k FTTH is ~1–2 servers, not ~16 NAS plus a CGNAT cluster.

Same job. A faster engine, fewer boxes, lower latency, lower cost per subscriber.

Sources & honest framing: MikroTik® and RouterOS® are trademarks of Mikrotīkls SIA; BNGSOFT is not affiliated with MikroTik. This is a competitive technical brief comparing architectural approaches for large-scale subscriber BNG with CGNAT and per-subscriber QoS; it is not a benchmark report. MikroTik figures are drawn from MikroTik's own documentation and from widely-reported operator/community real-world results, and vary substantially with configuration, traffic profile and RouterOS version.

Key references:
  • Large-FTTH NAS/BNG design and per-platform stable-user figures (CCR1036 ~1–2k, CCR2216 ~4–5k, x86 ~6–10k; "PPPoE not fully multi-thread scalable / one core saturates"; "~16×CCR2216 @5k + dedicated CGNAT cluster for 50k+"; "add another NAS, not optimize harder") — aacable.wordpress.com (Syed Jahanzaib) and forum.mikrotik.com
  • FastTrack bypasses connection tracking, simple queues and queue trees — help.mikrotik.com (Packet Flow / FastTrack)
  • L3 hardware offloading scope and CPU fallback — help.mikrotik.com (L3 HW Offloading)
  • CAKE/FQ-CoDel CPU trade-offs — help.mikrotik.com (CAKE)
  • CCR2216/CCR2004 specifications and pricing (~US$2,200–2,800, June 2026) — mikrotik.com, retail listings

BNGSOFT figures are throughput-driven: per-server subscriber capacity ≈ NIC usable line rate ÷ busy-hour per-subscriber rate (e.g. 2×100G ÷ ~3 Mbps ≈ ~64k), capped by a ~131,000-subscriber per-node map ceiling; the data plane forwards in XDP at ~one core per ~55 Gbps with CGNAT+QoS on. These are from BNGSOFT deployment data and are indicative; exact results depend on hardware, NIC, traffic mix and enabled features and should be validated per deployment.

Cost figures are directional, hardware-only, and exclude software licensing, servers, optics and operational costs on both sides. Prepared as a management overview for operators evaluating BNG/CGNAT platforms.