About a year ago I got fed up with the consumer router my ISP foisted on me and decided to do the thing properly. Rather than pick a side in the eternal homelab argument, I bought a MikroTik and built a pfSense box at roughly the same time, ran them both, and let actual use decide. A year on I have opinions, and unusually for the internet they're not "the thing I chose is perfect and the other thing is for fools".
the short version
If you want raw routing throughput and per-packet control in a box the size of a paperback, MikroTik. If you want a firewall that you and a future version of you can both understand at 2am, pfSense. I've ended up keeping both, which I'll explain, but if you forced me onto one it would depend entirely on who else has to touch it.
what mikrotik gets right
RouterOS is genuinely powerful. The hAP I started with does line-rate routing on my connection without breaking a sweat, the hardware is absurdly cheap for what it does, and once you learn the CLI you can do almost anything: policy routing, fancy queues, VLANs, bandwidth shaping that actually works. The CHR (Cloud Hosted Router, MikroTik's virtual-machine build) and the hardware share the same OS, so what I learn on a cheap box transfers straight up the range.
The catch, and it's a real one, is that the learning curve is a cliff with a slightly slippery rope hanging off it. RouterOS has its own model of the world. Interfaces, bridges, the way firewall rules and NAT interact, the order things evaluate in: none of it is wrong, but none of it matches the mental model you've built from anything else. I bricked my own remote access twice in the first month by reordering firewall rules and locking myself out, which is a rite of passage I could have done without. Winbox helps, the documentation is decent if you already half-know the answer, and the community wiki has saved me more than once. But you do not casually administer a MikroTik. You commit to it.
A smaller gripe: the security update cadence has had wobbles. There was a nasty Winbox vulnerability doing the rounds earlier this year and you really do need to stay on top of patching, keep the management interface off the WAN, and not assume the defaults are safe. None of that is unique to MikroTik, but the gap between "it works" and "it's hardened" is wider than I'd like. The defaults are aimed at "get a network up", not "lock it down", and the responsibility for closing that gap is entirely yours.
The other thing worth flagging is that documentation quality is wildly uneven. Some features are beautifully explained; others you piece together from a forum thread from 2014 and a half-remembered wiki edit. When it goes well, RouterOS feels like a network operating system that respects your intelligence. When it goes badly, you're guessing at which of three subtly different ways to configure a bridge is the one that won't fall over after a reboot. I've had both experiences in the same evening.
what pfsense gets right
pfSense is the opposite trade. It's a full FreeBSD box with a web UI that is, whisper it, actually pleasant. Firewall rules read like sentences. The state table, the logs, the traffic graphs, the package system for pulling in things like the Suricata IDS or a proper VPN setup: all of it is discoverable. When I want to reason about what my firewall is doing, I open pfSense and I can see it. When something breaks, the logs tell me a story rather than a hex code.
The cost is hardware. pfSense wants a real machine, or at least a real-ish appliance, where MikroTik gives you a competent router for the price of a nice dinner. My pfSense box is an old SFF PC with an Intel NIC, which is fine, but it draws more power and takes up more shelf than the MikroTik ever will. There's also a subtler cost: it's so comfortable that I add packages I don't strictly need, and a firewall with a dozen services bolted on is a firewall with a bigger attack surface. That's a discipline problem, not a pfSense problem, but the temptation is real.
why i kept both
Here's the arrangement I've settled into. The pfSense box sits at the edge doing what it's best at: it's the firewall, the VPN endpoint, the thing with the IDS and the readable rules, the box I'd happily hand to someone less networking-obsessed than me and trust them not to break. The MikroTik does the internal heavy lifting: inter-VLAN routing, the fiddly policy routing for a couple of subnets that need to egress differently, and the kind of granular queueing that pfSense can do but MikroTik does with less fuss.
The split also gives me a nice failure boundary. If I'm tinkering with the internal routing on the MikroTik and I lock myself out, the edge firewall and the WAN connection are untouched, so the rest of the household still has internet while I sort out my mess. Doing everything on one box means every experiment is an experiment on production, and production in this case is "can my partner watch iPlayer". Separating the roles turned a lot of nervous late-night changes into ordinary ones.
Is that overkill for a house? Comprehensively, yes. One box could do all of it. But running them side by side for a year taught me more about networking than any amount of reading, precisely because they make different choices and force you to understand why. MikroTik made me learn what's actually happening to a packet. pfSense made me appreciate how much a good interface is worth when you're tired and something's on fire.
the recommendation
If you're a single operator who enjoys the depth, or you need a lot of router in a small cheap box, MikroTik will reward the effort enormously. If you want a firewall you'll still understand in a year, or one that anyone else might have to touch, pfSense. And if you're like me and the homelab is partly the point, run both for a while. The comparison is worth more than the conclusion.