About a year ago I had a router decision to make and, being unable to choose, I bought both. A MikroTik hEX for the edge and a small box running pfSense behind it for everything clever. I told myself it was a fair test. Really it was indecision dressed up as methodology. A year on, both are still running, and I've formed opinions firm enough to write down. Neither is the winner. They're good at different things, and the interesting part is the seam where they meet.
MikroTik: the router that thinks it's a Cisco
The MikroTik runs RouterOS, which is dense, fast, and built by people who clearly love networking and have no patience for hand-holding. The hardware is absurd value. A device the size of a paperback that routes at gigabit, runs BGP if you ask it to, and costs less than a meal out.
The learning curve is a cliff. WinBox, the configuration tool, looks like it escaped from 2006, and the first time you open it you're confronted with every networking concept at once, laid bare, with no opinions about what you probably want. There's no friendly wizard quietly setting sane defaults. That's a feature once you're over the hump, because nothing is hidden, but the hump is real and I bounced off it twice before it clicked.
What MikroTik does brilliantly is the boring fast stuff. Routing, VLANs, firewall rules at line rate. The config is scriptable and exportable to plain text, which means my whole router lives in a git repo as a readable file:
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=lan out-interface=wan
add chain=forward action=drop
That's the actual config. No XML, no clicking, just commands I can read and replay. Rebuilding the router from scratch is a paste operation.
pfSense: the appliance that wants to help
pfSense is FreeBSD with a polished web UI and a packages system, and it sits at the other end of the personality spectrum. Where MikroTik assumes you know what you're doing, pfSense gently steers you toward the right thing. The setup wizard is genuinely good. The dashboard tells you things. The packages, an IDS here, a reporting tool there, a VPN server there, install in a few clicks and mostly just work.
It's the box I reach for when I want a service rather than a routing primitive. The OpenVPN setup on pfSense took me ten minutes including generating certificates, where the equivalent on MikroTik had me reading forum threads and arguing with the IPsec policy database. pfSense's strength is that it bundles the fiddly bits into something coherent and walks you through them.
The cost of that polish is weight. pfSense wants a proper amd64 box with a decent chunk of RAM, where the MikroTik does its job on a low-power ARM chip that sips electricity. Running pfSense as my edge router would mean a louder, hungrier machine doing work the little MikroTik does in its sleep.
Where they meet, and where each wins
So I kept both, and after a year the division of labour has settled naturally.
The MikroTik is the edge. It takes the WAN connection, does the fast routing and the basic firewalling, and never breaks a sweat. It's been up for the better part of the year without a reboot, and because its config is a text file, I stopped being nervous about touching it. If I break it, I paste the known-good config back and I'm done.
pfSense sits behind it and does the services. VPN endpoints, some traffic inspection, the things that benefit from a rich package ecosystem and a friendly UI. It's where I experiment, because the web interface makes experimenting quick and the rollback is a config-history click rather than a careful undo.
If you can only pick one
Most people don't want two routers in series, and fair enough. So, plainly:
Pick MikroTik if you want maximum capability per pound, you're willing to climb the learning curve, and you value a config you can read and version. It will route anything you throw at it on tiny, silent hardware, and once you understand it you'll find it hard to go back to anything that hides its workings.
Pick pfSense if you want a capable firewall and a stack of services with the rough edges sanded off, and you don't mind feeding it a real machine. The UI is a genuine pleasure and the package ecosystem saves you real time on VPNs and the like.
A year in, I don't regret buying both, though I'll admit that's the kind of thing only a person who enjoys this stuff for its own sake would say. They've taught me more about networking sitting side by side than either would have alone, mostly by making the differences in philosophy impossible to ignore. The MikroTik made me a better network engineer. The pfSense box just quietly does its job. I'm fond of both, for entirely opposite reasons.