Ramblings of an aging IT geek

I swapped pfSense for a MikroTik a year ago: here is the honest scorecard

A year of living with RouterOS after a decade on pfSense: what MikroTik got right, where it made me miss BSD, and which one I would actually recommend.


A year ago I pulled the pfSense box that had routed my home network for the better part of a decade and replaced it with a MikroTik. People asked me at the time whether I regretted it. I did not have an honest answer then, because a week into any migration everything is either thrilling or terrible and neither feeling tells you anything. A year is long enough. Here is the honest scorecard, the bits that genuinely changed how I run the network, and the one decision I would make differently.

The headline: I do not regret it, the MikroTik is a more capable machine for the money than the box it replaced, and I miss pfSense roughly once a month, usually for reasons that are about me rather than about either product.

Why I switched at all

The pfSense box was a small fanless appliance that had been faultless for years. I did not switch because anything was broken. I switched because I wanted hardware offloading for VLAN routing and proper L3 hardware switching at a price that did not require a second mortgage, and because I had started doing enough VLAN and routing work that the appliance's CPU was becoming the bottleneck on inter-VLAN traffic. A MikroTik with a switching chip that can do the L2 and L3 work in hardware, leaving the CPU for firewalling and the genuinely clever bits, is a lot of capability for not a lot of money.

That is the trade in one sentence. pfSense gives you a polished, well-documented x86 router with a BSD pedigree and a community that has answered every question you will ever have. MikroTik gives you a switching chip and a CLI and the expectation that you know what you are doing.

What MikroTik got right

The hardware offloading is the real thing, not a marketing word. Inter-VLAN routing that used to put a noticeable dent in the pfSense CPU now happens in the switch chip and the router barely notices. Throughput between VLANs is line rate and the CPU graph is flat. For the specific job I bought it for, it does exactly what it said.

RouterOS, once you stop fighting it, is genuinely coherent. Everything is the same object model whether you touch it through the CLI, the API, or Winbox, and the CLI is scriptable in a way pfSense's webUI never wanted to be. I now configure things I would previously have clicked.

# bridge VLAN table: VLAN 20 is tagged on the bridge itself (so the router can own an address on it)
# and on the two trunk ports; bridge1 must have vlan-filtering=yes for this table to take effect
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3 vlan-ids=20
# the routed VLAN interface hangs off the bridge; the /ip address entry below needs it to exist
/interface vlan
add interface=bridge1 name=vlan20 vlan-id=20
/ip address
add address=10.20.0.1/24 interface=vlan20
# drop packets that belong to no tracked connection before anything in forward is accepted
/ip firewall filter
add chain=forward action=drop connection-state=invalid

The other quiet win is that the same OS runs across their whole range. The thing I learned on the router applies to their switches and their access points. That consistency is worth more than I expected.


Where I missed BSD

Now the other side, because a year in I have a clear-eyed list.

The firewall is the big one. pfSense's pf is, to my eyes, simply nicer to reason about than RouterOS's firewall. The rule ordering, the way state is handled, the readability of a ruleset you come back to after six months: pf wins. RouterOS firewall rules are powerful but the default chains and the interaction between connection tracking, the forward chain and the bridge filter took me genuinely longer to hold in my head correctly. I made one mistake early on where traffic I thought I was dropping was being accepted by an earlier rule, and it took me an evening to see it. That mistake was mine, but pf's clarity would have made it harder to make.

The documentation gap is real too. pfSense's docs, plus a decade of forum posts, mean that whatever obscure thing you are trying to do, someone has done it and written it up. MikroTik's documentation is improving but the official wiki still has the flavour of reference material written by people who already know the answer, and the community answers are scattered across forums in several languages and a lot of YouTube.

And I will admit to missing the appliance feel. pfSense was a thing I set up and then largely forgot about. RouterOS rewards tinkering, which is a polite way of saying it invites it, and there is a version of me that has spent evenings optimising a network that was already fine.

The one thing I would do differently

I would have read the RouterOS firewall documentation properly before I moved any real traffic, rather than porting my mental model of pf across and assuming it mapped cleanly. It does not map cleanly. The concepts are similar enough to be dangerous. An hour with the default firewall configuration that MikroTik ships, understanding exactly why each rule is there, would have saved me that evening of confusion and the brief period where my network was more open than I believed.
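To make the ordering mistake from the firewall section concrete, here is an added RouterOS example (my own illustration, not configuration from the original post). It assumes two routed VLAN interfaces, vlan20 and vlan30, both members of an interface list called LAN; vlan30 and the LAN list are assumptions for the example. The first ruleset is the shape of the mistake: a broad accept sits above a specific drop, and because the forward chain is evaluated top to bottom with first match winning, the drop is never reached. The second ruleset is the corrected order.

```routeros
# --- the mistake: broad accept first, specific drop never evaluated ---
/interface list
add name=LAN
/interface list member
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=accept in-interface-list=LAN comment="too broad: matches vlan30 first"
add chain=forward action=drop in-interface=vlan30 out-interface=vlan20 comment="never reached"

# --- corrected: specific drops above the broad accept, explicit final drop ---
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid comment="untracked packets"
add chain=forward action=drop in-interface=vlan30 out-interface=vlan20 comment="vlan30 may not reach vlan20"
add chain=forward action=accept in-interface-list=LAN comment="everything else from LAN"
add chain=forward action=drop comment="final drop"

# check: the drop rule's packet counter should increase when vlan30 tries to reach vlan20
/ip firewall filter print stats where chain=forward
```

The practical check is the counter column from print stats: a rule whose packets never move is either redundant or, as in the first ruleset, shadowed by something above it. Because new connections from vlan30 to vlan20 are dropped before any state is created, the established,related accept at the top cannot later let that traffic through.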

Who should switch

If your pfSense box works and you are not hitting a CPU or feature wall, stay. There is no prize for migrating and pfSense is genuinely excellent. If you are bumping into the limits of software routing, you want hardware L3 switching, you enjoy a real CLI, and you are willing to spend the first fortnight reading rather than clicking, the MikroTik is a lot of machine for the money and I have not regretted the move.

A year on, the network is faster where it needed to be, I understand my own routing better than I did, and I miss pfSense about once a month for an evening. That is a trade I would make again, with the firewall homework done first this time.