Ramblings of an aging IT geek
← Ramblings of an aging IT geek
networking

mikrotik or pfsense, twelve months in

A year of running both a MikroTik router and a pfSense box at home, and where each one actually earns its keep.

John Mylchreest
John Mylchreest
2016-10-24 · 3 min read

Patch cables behind a home rack

A year ago I could not decide between MikroTik and pfSense for the edge of my home network, so in true homelab fashion I bought both and ran them side by side until one annoyed me less. Twelve months on I have opinions, and they are not the tidy verdict I expected.

What each one is good at

The MikroTik (a hEX, the little RB750Gr3) is the one I keep coming back to for routing and switching. It is cheap, it sips power, and RouterOS will do almost anything if you are willing to learn its particular way of thinking. The hardware does the forwarding, so it does not break a sweat at line rate on my connection. That last point matters more than the spec sheet suggests.

pfSense, running on a small fanless box, wins on everything that touches a human. The web UI is coherent, the package ecosystem is real, and when I want a VPN, a captive portal for guests, or proper traffic graphs, it is already there or one click away. Doing the equivalent on RouterOS is possible but it is work.

The honest trade

The split comes down to this: RouterOS is a fantastic router with an indifferent attitude to people, and pfSense is a friendly platform that you have to feed slightly more electricity and patience.

  • MikroTik: lowest power, lowest cost, hardware offload, steep but rewarding config.
  • pfSense: best UI, best packages, easiest VPN and dashboards, hungrier box.

A small home rack in a cupboard

There is one operational thing in MikroTik's favour I did not appreciate until I needed it. The safe mode toggle in Winbox, or /system/reset-configuration from the console, has pulled me out of a self-inflicted lockout more than once. You make a change that would cut your own connection, and if you do not confirm within the timeout it rolls back. pfSense has nothing quite so forgiving when you fat-finger a firewall rule from the far side of it.

Where I landed

I left the MikroTik as the router and switch because it is reliable, frugal, and once configured it just sits there for months. I kept pfSense for the VPN endpoint and as the box I point at when I want graphs and a comfortable UI to reason about traffic.

So the answer to "which one" is the deeply unsatisfying "both, doing different jobs." If you forced me to pick one for a friend who wanted a quiet life, it would be pfSense. If you forced me to pick for myself, knowing I enjoy the fiddling, the little MikroTik wins on sheer value and stays put. A year was long enough to stop guessing and let each box show me what it was for.