Ramblings of an aging IT geek

a year of mikrotik and pfsense side by side

After running a MikroTik router and a pfSense box in parallel at home for a year, an honest account of where each one earned its keep and where each one quietly annoyed me.

Patch cables and a router behind a homelab rack

A year ago I could not decide between MikroTik and pfSense for the homelab, so I did the unreasonable thing and ran both. A MikroTik hEX (RouterBOARD, RouterOS 6) handling the edge and inter-VLAN routing, and a pfSense box on an old Mini-ITX board doing firewalling, VPN and DNS. Twelve months on, I have opinions, and most of them are not the ones I expected to have.

The short version: MikroTik is the better router and the worse product, and pfSense is the better product and the heavier router. If that sounds like a cop-out, stay for the detail, because the detail is where you actually choose.

RouterOS: brilliant, and it hates you a little

RouterOS does an enormous amount in a tiny box. Routing, firewalling, NAT, VLANs, a proper queue tree for QoS, BGP and OSPF if you want them, all on hardware that costs less than a nice meal out. The hardware offloading on the hEX means it routes between VLANs at line rate while sipping power, and the box has been up for the whole year without a reboot I did not cause myself.

The cost is the learning curve, which is less a curve than a wall with occasional handholds. The config model is precise and unforgiving. Firewall rules live in chains you assemble by hand, and the order matters, and there is no friendly wizard quietly putting the default deny in the right place for you. The first time I set up a VLAN I did it three times before traffic flowed, because the bridge, the VLAN filtering and the interface tagging all have to agree and RouterOS will let you get two of the three right and say nothing.

Once it clicks, though, the CLI is a joy. It is consistent, scriptable, and the same commands you type interactively are the ones you paste into a config. A trimmed example of the inter-VLAN setup:

/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 vlan-ids=20
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge
add name=vlan20 vlan-id=20 interface=bridge
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20

That is readable a year later, which is more than I can say for some of my own scripts. Winbox, the management tool, is genuinely good once you accept it is a Windows app you run under Wine or in a VM. The web UI exists and I never use it.
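The default deny that RouterOS will not add for you, as an added example rather than the post's own config: a minimal default-deny filter for the two VLANs, with the inter-VLAN policy in its own chain so it can be read top to bottom. It assumes RouterOS 6 with interface lists (6.36 or later), vlan10 and vlan20 as the VLAN interface names, ether5 as the WAN port, and vlan10 as the admin network; none of those names come from the post.

```routeros
# Added example, not from the post. Default-deny rule set for the two VLANs
# above, RouterOS 6 (interface lists need 6.36 or later). vlan10/vlan20 as
# the VLAN interfaces, ether5 as WAN and vlan10 as the admin VLAN are assumptions.
/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=vlan10
add list=LAN interface=vlan20
add list=WAN interface=ether5

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# DNS and DHCP from any LAN VLAN; SSH and Winbox only from the admin VLAN
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface=vlan10 protocol=tcp dst-port=22,8291
add chain=input action=drop log=yes log-prefix="input-drop"

# forward chain: traffic routed between interfaces
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# inter-VLAN decisions live in their own chain so the policy is auditable in one place
add chain=forward action=jump jump-target=inter-vlan in-interface-list=LAN out-interface-list=LAN
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
# the explicit default deny; order matters, so this stays last in the chain
add chain=forward action=drop log=yes log-prefix="fwd-drop"

# inter-vlan: admin VLAN may reach HTTPS on the other VLAN, nothing else crosses;
# return hands unmatched traffic back to the forward chain, where it hits the drop
add chain=inter-vlan action=accept in-interface=vlan10 out-interface=vlan20 protocol=tcp dst-port=443
add chain=inter-vlan action=return
```

Paste the interface-list and input rules from a console session on the admin VLAN, since a mistake in the input chain locks you out of Winbox and SSH alike.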

A close-up of a small router and its labelled ports

pfSense: the product that does the thinking for you

pfSense is the opposite temperament. It is FreeBSD with a polished web UI bolted on, and the UI is where it shines. Setting up an OpenVPN server was a wizard and ten minutes, where on the MikroTik it would have been an afternoon of reading. The package system gives you pfBlockerNG, the dashboard tells you what is going on at a glance, and the firewall rules read top to bottom in a way a human being can audit.

It is also heavier in every sense. It wants real hardware, ideally with AES-NI, and my Mini-ITX board draws noticeably more power than the hEX for a household that does not need a fraction of pfSense's throughput. The box has needed two reboots this year for updates that did not take cleanly, and one memorable evening where a package update broke the dashboard until I rolled it back. Nothing fatal, but the MikroTik has simply never done that.

The thing pfSense gets right and MikroTik does not is that it has opinions about defaults. Out of the box it is a sensible firewall. You can be productive before you understand it, which for most people is the whole game. RouterOS demands understanding as the price of entry, and that is a tax not everyone should pay.

Where each one actually won

For raw routing and switching, MikroTik. The price-to-capability ratio is absurd, the power draw is tiny, and once configured it has been invisible, which is the highest compliment you can pay infrastructure. Every VLAN, every queue, every static route has just worked.

For services that face a human, pfSense. The VPN, the DNS filtering, the at-a-glance dashboard, the rules I can hand to someone else and have them understand. When I wanted to actually do something rather than route packets, I reached for the pfSense box.

If you held me down and made me pick one, it depends entirely on who you are. If you enjoy networking and want to learn it to the bone, MikroTik will teach you more in a month than pfSense will in a year, because it makes you do the work. If you want a firewall that is correct by default and pleasant to manage, and you do not want networking to become a hobby, pfSense.

I have kept both, because I am exactly the sort of person who runs two routers at home and writes about it. But the split has settled into something stable: MikroTik moves the packets, pfSense guards the door and runs the services. A year ago that division of labour would have sounded like indecision. Now it just looks like using each tool for the thing it is best at, which is all I was ever trying to work out.