Ramblings of an aging IT geek

a year on the mikrotik, and what i still miss from pfsense

A year after swapping pfSense for a MikroTik router at the edge of the homelab, an honest comparison of throughput, the learning curve, and which one I'd actually recommend.

A rack of network gear, cables run with more hope than discipline

A year ago I pulled the pfSense box off the edge of the homelab and put a MikroTik in its place. I'd been running pfSense on a small fanless x86 machine for ages and it was, frankly, fine. The swap wasn't because pfSense had failed me. It was because the MikroTik was a fraction of the power draw, did hardware-accelerated routing, and I wanted to actually learn RouterOS rather than just admiring it from a distance. A year is long enough to have opinions, so here they are.

the good

The throughput is the headline. The MikroTik routes at line rate without breaking a sweat or warming the room, because the forwarding happens in hardware rather than chewing CPU the way a software firewall does. My pfSense box was perfectly capable, but it earned its keep in watts and heat, and the MikroTik simply doesn't. For a device that runs 24/7, that difference compounds.

RouterOS, once it clicks, is genuinely powerful. Everything is scriptable, the CLI is consistent, and the same concepts compose all the way up. I have a small script that watches the WAN and fails over to a backup connection, and writing it felt like writing against a real API rather than poking a web form.

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1-wan action=drop \
  comment="default deny inbound from WAN"

That reads cleanly and it's the same shape whether you type it or script it.

A datacentre aisle, the tidy ideal none of us live up to at home

the bad, or at least the harder

RouterOS is not forgiving, and it does not hold your hand. The learning curve is real and occasionally steep. Concepts have MikroTik-specific names and behaviours, the firewall ordering matters in ways that will bite you, and "I locked myself out of the router and had to drive home" is a rite of passage I went through more than once in the first month. There is a reason /system reset-configuration exists and a reason I now always set a safe-mode session before touching firewall rules remotely.
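
To make the ordering point concrete, here is an added example (not code from the original post): a small Python model of first-match evaluation over the three forward-chain rules shown earlier, comparing the posted order with one where the WAN drop sits at the top. The packet dictionaries, the bridge-lan interface name and the helper names are assumptions, and the matcher only handles the exact-value matchers these rules use.

```python
import shlex

# The forward-chain rules exactly as they appear in the post.
RULES_TEXT = r"""/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1-wan action=drop \
  comment="default deny inbound from WAN"
"""

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, joining backslash continuations."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def matches(rule, packet):
    """True when every matcher the rule sets agrees with the packet."""
    return all(packet.get(key) in want.split(",")
               for key, want in rule.items()
               if key not in ("action", "comment"))

def verdict(rules, packet):
    """First match wins; RouterOS accepts if nothing in the chain matches."""
    for position, rule in enumerate(rules):
        if matches(rule, packet):
            return rule["action"], position
    return "accept", None

# Constructed packets (field names reuse the rule keys; values are assumptions).
REPLY_FROM_WAN = {"chain": "forward", "in-interface": "ether1-wan",
                  "connection-state": "established"}
NEW_FROM_WAN = {"chain": "forward", "in-interface": "ether1-wan",
                "connection-state": "new"}
NEW_FROM_LAN = {"chain": "forward", "in-interface": "bridge-lan",
                "connection-state": "new"}

RULES = parse_rules(RULES_TEXT)
# Same three rules with the WAN drop moved to the top of the chain.
MISORDERED = [RULES[2], RULES[0], RULES[1]]

if __name__ == "__main__":
    for name, chain in (("as posted", RULES), ("drop first", MISORDERED)):
        for label, pkt in (("reply from WAN", REPLY_FROM_WAN),
                           ("new from WAN", NEW_FROM_WAN),
                           ("new from LAN", NEW_FROM_LAN)):
            print(f"{name:10} {label:15} -> {verdict(chain, pkt)}")
```

With the drop rule first, reply traffic arriving on the WAN interface is discarded before the established,related accept is ever consulted, so outbound connections from the LAN stop getting answers even though no rule was added or removed.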

pfSense, by contrast, was approachable. The web UI is coherent, the defaults are sensible, and the package ecosystem meant things like a tidy VPN setup or a decent reporting dashboard were a few clicks away. I genuinely miss that. On the MikroTik, anything beyond core routing is either roll-it-yourself or do-without, and the graphing and reporting are spartan compared to what pfSense gave me for free.

what i'd recommend

It depends entirely on what you enjoy. If you want a firewall that's a solid appliance, has a friendly UI, and lets you get on with your life, pfSense is the easy recommendation and I'd hand it to anyone without hesitation. If you want to learn networking properly, you don't mind a manual that assumes you already know things, and you value low power and hardware forwarding, the MikroTik is brilliant and I'm glad I switched.

A year in, I've kept the MikroTik. Not because it's strictly better, but because it taught me more, and the things I miss from pfSense (the UI, the painless add-ons, the reporting) are things I've slowly rebuilt or learned to live without. If your idea of a good evening is reading a router manual, you'll love it. If it isn't, stay on pfSense and don't let anyone make you feel bad about it.