Ramblings of an aging IT geek
networking

a year on MikroTik after a decade on pfSense

Living notes after a year of running a MikroTik hEX as the home router in place of a pfSense box: what got better, what I miss, and who each one is actually for.

A bundle of network cables behind a patch panel

A year ago I pulled the pfSense box out of the rack and put a small MikroTik in its place, and people keep asking whether I regret it. Short answer: no, but it's a closer call than the MikroTik enthusiasts would have you believe, and which one is right for you depends almost entirely on what you actually want to do at 11pm on a Tuesday.

The pfSense box had been faithful for years. It was an Atom mini-ITX build running FreeBSD, doing the usual home-router-plus job: NAT, a handful of VLANs, OpenVPN back home, some traffic shaping. It never let me down. It was also a whole PC sat in the rack drawing 30-odd watts to push a couple of hundred megabits, and that started to feel silly.

what I swapped to and why

I replaced it with a MikroTik hEX, the little wired RB750Gr3. It's a fanless box the size of a paperback, draws a few watts, and routes wire-speed gigabit because the forwarding happens in hardware rather than in a general-purpose CPU. The whole point of the switch was efficiency and silence: a real router doing router things, instead of a small server pretending to be one.

A year in, here's how it has actually shaken out.

what got better

The power and the noise, immediately and obviously. The rack is quieter, the UPS lasts longer, and I stopped feeling vaguely guilty about a desktop CPU idling all day to do a job a dedicated chip does for a fraction of the watts.

The throughput is honest. pfSense on that Atom would start to sweat once you turned on enough services; the hEX just routes at line rate and doesn't care. For the VLAN-tagged, inter-subnet traffic I push around the house, it never breaks a sweat.

And once you get past the initial shock, RouterOS is genuinely powerful. The config model is consistent: everything is an object in a tree, everything is scriptable, and the CLI maps one-to-one onto what the WinBox GUI shows you. When I want to add a firewall rule I can read exactly what's there:

/ip firewall filter print
/ip firewall filter add chain=forward action=accept \
    connection-state=established,related comment="allow established"

There's a real elegance to it once it clicks. The same command works in the GUI, the CLI, over the API, and in a config export. Nothing is hidden behind a web form that generates config you can't see.

That export, by the way, turned out to be the feature I lean on most. /export dumps the entire running config as a plain-text list of the exact commands that would recreate it. I check that into git after every change, which means I have a real history of what the router looked like over time and a one-command path back to any of it. pfSense backs up to an XML blob, which works, but reading a diff of two XML config files to see what you changed is nobody's idea of fun. A diff of two RouterOS exports reads like a changelog. That alone nudged me towards keeping the MikroTik.
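One way to automate the export-and-commit habit described above, written as an added shell example that is not from the original post. It pulls /export over SSH, strips the timestamp header RouterOS prints at the top of every export (without that, every commit looks like a change even when nothing moved), and commits only when the config actually differs. The router address, user name and repository path are placeholders to set yourself; the script assumes key-based SSH to the router already works and that the repository directory is already a git checkout.

```shell
#!/bin/sh
# Added example, not code from the original post: pull a RouterOS /export over SSH,
# normalise it so git only sees real changes, and commit it.
# Assumed/placeholder values: ROUTER (address), ROUTER_USER, REPO (existing git repo).
set -eu

ROUTER="${ROUTER:-192.0.2.1}"        # placeholder address, set your own
ROUTER_USER="${ROUTER_USER:-admin}"  # placeholder user, set your own
REPO="${REPO:-$HOME/router-config}"  # placeholder path to an existing git repo

# Every export starts with a line of the form
#   # jun/26/2021 10:00:00 by RouterOS 6.48.3
# which changes on every run and would make every commit show a diff.
# Drop only that line; "# software id" and "# model" lines are stable and worth keeping.
# RouterOS terminal output is CR LF terminated, so strip the carriage returns too.
normalize_export() {
    tr -d '\r' | grep -v '^# .* by RouterOS '
}

# Fetch a fresh, normalised export from the router to stdout.
fetch_export() {
    ssh "${ROUTER_USER}@${ROUTER}" '/export' | normalize_export
}

# Write the export into the repo and commit only if it changed.
# Returns 0 when a commit was made, 1 when the running config was unchanged.
commit_if_changed() {
    file="$REPO/hex.rsc"
    fetch_export > "$file"
    cd "$REPO"
    git add hex.rsc
    if git diff --cached --quiet; then
        echo "no config change"
        return 1
    fi
    git commit -q -m "router config $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    # Show what changed, which reads like a changelog rather than an XML diff.
    git --no-pager diff HEAD~1 --stat
}
```

Run commit_if_changed from cron or by hand after every change; because the timestamp line is removed first, an empty diff really means nothing changed, and git log becomes the router's change history.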

A rack of networking gear in a small datacentre

what I miss

pfSense's web UI is, frankly, friendlier. It is built around the idea that you might not do this every day, with sensible defaults and a layout that explains itself. RouterOS assumes you know networking and will hand you all the rope you ask for, which is wonderful until you fat-finger a firewall rule and lock yourself out of the box you're configuring remotely. I have done this. Once. The Safe Mode toggle (the one that auto-reverts your changes if you lose the session) exists precisely because everyone does this, and I now use it religiously.

The package ecosystem is the bigger gap. pfSense gives you pfBlockerNG, a clean OpenVPN export wizard, Suricata, all a few clicks away. On RouterOS those things are either roll-it-yourself with scripts and address lists, or they live on another box entirely. The MikroTik does fewer things, and expects you to bring your own for the rest. That's a feature if you want a router that's just a router, and a chore if you'd grown used to pfSense being a Swiss Army appliance.

I also miss the diagnostics a little. pfSense's state table views and traffic graphs were comfortable. RouterOS has all the equivalent data, but you assemble the view yourself, and the defaults are sparser.

The other thing worth flagging for anyone considering the jump is the VPN story. pfSense hands you an OpenVPN export wizard that spits out ready-made client configs; it's genuinely lovely, and getting a phone or a laptop connected back home is a five-minute job. On RouterOS I set up an IPsec tunnel by hand, working through the phases and proposals and policies myself, and it took an evening and a fair amount of reading the wiki. It works flawlessly now and I understand every line of it, which I value, but I won't pretend it was quick or that the documentation held my hand. If "easy remote access for non-technical family" is high on your list, that's a real point in pfSense's favour, and I'd weigh it honestly rather than wave it away.

who each one is for

Here's the honest split, after a year of living with both in turn.

  • If you want an appliance that does a lot out of the box, has a forgiving UI, and you don't mind it being a small PC in the rack, pfSense is still excellent. It hasn't got worse; I just wanted less of a computer.
  • If you want a dedicated, efficient, line-rate router and you're comfortable thinking in terms of objects, chains, and the occasional script, MikroTik is brilliant value and genuinely a joy once it clicks. The learning curve is real and front-loaded.

I landed on MikroTik because I wanted the rack quieter and I enjoy the config model enough that the learning curve was a feature, not a cost. A year on, the hEX has been rock solid, the power bill is lower, and I've not missed pfSense badly enough to switch back. But I'd not blink if a less hands-on friend stayed on pfSense, and I'd not pretend RouterOS is the friendlier tool. It's the deeper one, and depth has a price you pay up front.