Ramblings of an aging IT geek

a year of running mikrotik next to pfsense, and which one stayed

A year-on comparison of MikroTik RouterOS and pfSense in a homelab, where each one earned its keep, and which device I'd buy again.

A bundle of network cables behind a rack

A year ago I had pfSense doing everything at the edge and a vague itch to learn RouterOS, so I bought a MikroTik, wired it in alongside, and gave myself an excuse to run both in anger rather than reading forum arguments about them. A year later I have opinions earned the hard way, and the short version is that they're good at different things and I kept both, which isn't the tidy verdict a comparison post is supposed to end on, but it's the true one.

what each is for

pfSense, for me, is the firewall and the brains. It's a FreeBSD box with a coherent web UI, a sane rule model, and a package ecosystem that covers the things I actually want: a clean VPN setup, decent reporting, pfBlocker for the inevitable ad and tracker filtering. When I'm reasoning about policy, this is the device I'd rather be looking at. The rules read like rules.

MikroTik is the network plumbing and the fast switching. The hardware is absurdly cheap for what it does, RouterOS will do things at line rate that pfSense on my modest hardware sweats over, and the feature list is frankly silly: VLANs, bonding, fancy queues, MPLS if you're feeling unwell. It's the device that does the moving of packets without complaint.

A datacentre aisle with racked equipment

the learning curves are different curves

This is the heart of it. pfSense is approachable and then occasionally fiddly. MikroTik is brutal and then, abruptly, wonderful.

RouterOS does not hold your hand. The web UI (WinBox, really) exposes everything, which means it exposes everything, and the conceptual model assumes you already understand how a router works at a level pfSense lets you skate over. The famous trap is the firewall: an out-of-the-box MikroTik with a misjudged rule will happily lock you out, or worse, leave you wide open, and it will not warn you with a friendly dialog. I locked myself out twice in the first month. The second time I deserved it.

But once RouterOS clicks, the CLI is a genuine pleasure, and it's scriptable in a way pfSense isn't really built for. A change that's six clicks in the pfSense UI is one line here:

/ip firewall filter add chain=forward action=drop \
    connection-state=invalid comment="drop invalid"

And because the config is just text, I can keep it in git, diff it, and rebuild a device from a script. That alone changed how I think about the network. It stopped being a set of boxes I'd configured and became a thing I'd described.
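Here is an added example of the kind of check that versioned exports make possible; it is my illustration, not a script from the original post. It drops the timestamped header that RouterOS puts at the top of every /export (which would otherwise make every git diff noisy), counts the lines that actually changed, and lists firewall filter rules that were in the baseline but are gone now. The two snapshots are constructed sample text, not captured from a real device; in practice you would fill them from `ssh admin@<router> /export`.

```shell
#!/bin/sh
# Constructed sample snapshots of a RouterOS /export (not from a real device).
# The first comment line carries a timestamp and so changes on every run.
BASELINE='# 2024-01-10 21:00:00 by RouterOS 7.13
# software id = PLACEHOLDER
/interface bridge add name=bridge1
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
/ip firewall filter add chain=input action=accept connection-state=established,related
/ip firewall filter add chain=input action=drop in-interface-list=WAN comment="drop wan input"
/ip service set www disabled=yes'

CURRENT='# 2024-06-02 08:14:31 by RouterOS 7.15
# software id = PLACEHOLDER
/interface bridge add name=bridge1
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
/ip firewall filter add chain=input action=accept connection-state=established,related
/ip service set www disabled=no'

# Strip the volatile header comments so only real config changes are compared.
normalize_export() {
    printf '%s\n' "$1" | grep -v '^#'
}

# Number of lines that differ between two normalized exports; 0 means no drift.
drift_count() {
    a=$(mktemp); b=$(mktemp)
    normalize_export "$1" >"$a"; normalize_export "$2" >"$b"
    n=$(diff "$a" "$b" | grep -c '^[<>]' || true)
    rm -f "$a" "$b"
    echo "$n"
}

# Firewall filter rules present in the baseline but absent now: a rule that
# quietly vanished is the change you most want to hear about.
missing_firewall_rules() {
    a=$(mktemp); b=$(mktemp)
    normalize_export "$1" | grep '^/ip firewall filter' | sort >"$a"
    normalize_export "$2" | grep '^/ip firewall filter' | sort >"$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Run against the constructed snapshots.
echo "changed lines: $(drift_count "$BASELINE" "$CURRENT")"
echo "firewall rules missing since baseline:"
missing_firewall_rules "$BASELINE" "$CURRENT"
```

Run from a cron job after each update and you get an answer to "did that upgrade move a default under me" without reading the whole export.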

reliability and updates

Both have been rock solid in uptime terms. Neither has fallen over on me in a year in a way that wasn't my own fault.

Updates are where they diverge. pfSense updates are occasional, chunky, and I read the release notes with a cup of tea because a major version bump has bitten people before. MikroTik pushes RouterOS updates more often, in smaller increments, and the upgrade path is usually undramatic, though you do want to stay on a stable channel and not get tempted by the bleeding-edge releases. I had one MikroTik update change a default that I hadn't pinned, which is on me for not pinning it.

A practical note worth more than the rest of this post: keep a serial console cable for the MikroTik in the same drawer as the kit. The day you need it is the day you've firewalled yourself out remotely, and a console cable turns a panic into an inconvenience.

so which one

If I could only own one and I were doing it again, it would depend entirely on what I valued. If I wanted the gentlest path to a capable, well-documented firewall with good reporting and didn't want to learn a new mental model, pfSense, no hesitation. If I wanted maximum capability per pound, line-rate everything, and a config I could version-control, and I was willing to bleed a little learning it, MikroTik.

But I don't have to choose, and that's the actual recommendation. They cost little enough that running pfSense as the policy brain at the edge and MikroTik as the fast L2/L3 plumbing behind it gives me the best of both, and it taught me more about networking in twelve months than either would have alone. The MikroTik forced me to understand things pfSense had been politely doing on my behalf for years, and I'm a better operator for the discomfort.

A year on, both are still racked, both are still on. The only thing I'd change is buying the MikroTik sooner, and keeping that console cable handy from day one.