Ramblings of an aging IT geek
networking

a year on MikroTik after a decade on pfSense, the honest verdict

A year after replacing my pfSense box with MikroTik gear, the real differences in how the two feel to live with, where RouterOS is brilliant, and where I still miss the BSD firewall.


A year ago I pulled the pfSense box out of the rack and replaced it with MikroTik. I'd run pfSense for the better part of a decade, it had never let me down, and I swapped it out anyway, partly for the hardware and partly because I wanted to know a different system properly rather than keep coasting on the one I already knew. Twelve months in, I have opinions, and they're more mixed than either camp's evangelists would like.

The short version: MikroTik is the more capable router and the less friendly firewall, pfSense is the friendlier firewall and the less interesting router, and which of those sentences matters more depends entirely on what you're actually doing with the box. Neither is wrong. They're aimed at different people, and I happen to sit awkwardly between them.

the firewall: pfSense still wins on clarity

pfSense's firewall rules are the thing I miss most. The web UI lays them out as an ordered list per interface, top to bottom, first match wins, and you can read the whole policy in one screen and understand it. When something's blocked you don't expect, you find the rule, you see it, you fix it. It's boring in the best possible way, and boring is exactly what you want from the thing standing between your network and everyone else.

RouterOS has a firewall too, of course, and it's genuinely more powerful. But the power comes with rope. The rules live in chains, the chains have a processing order you need to hold in your head, and the default-allow-versus-default-drop posture is yours to construct rather than something handed to you. The first month, I locked myself out twice. Not because RouterOS is bad, but because it assumes you know what you're doing and will faithfully do exactly the wrong thing you told it to.

# RouterOS: drop everything inbound except established/related and a few allows
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=lan action=accept
add chain=input protocol=icmp action=accept
add chain=input action=drop

That's clean once it's written. But you have to know that the final action=drop is what makes the whole thing safe: leave it off and the chain falls through to RouterOS's default accept, so every accept rule above it is decoration and only the invalid-state drop is doing any work. pfSense's UI nudges you toward a sane default. RouterOS hands you a loaded firewall and trusts you to point it the right way.


the router: this is where MikroTik runs away with it

Where MikroTik earns its place is everything that isn't the firewall. The routing, the VLANs, the bonding, the tunnelling, the sheer amount of real networking the cheap boxes will do. I'm doing things on a small RB-series box that, in the old world, would have needed proper kit or a stack of pfSense packages of varying quality.

VLANs are a first-class citizen handled in hardware on the switch chip, so the throughput doesn't fall off a cliff the way software bridging can. Policy routing, multiple WANs, route marks, mangle rules for sending specific traffic out specific paths: all native, all fast, all the sort of thing that on pfSense felt like fighting the abstraction rather than using it. And the CLI is consistent enough that once you've learnt the grammar of one section you can mostly guess the next, which is more than I can say for a lot of network gear.

The other quiet win is that the config is just text. The whole router exports to a script you can read, diff, and version-control, and import onto a fresh box to rebuild it in seconds. After a year I have my entire config in git, and standing up a replacement is a paste rather than a project. pfSense has config backup too, but it's an XML blob you restore wholesale; RouterOS gives you readable lines you can cherry-pick and reason about.
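Because the export is plain text, the "careful eye on that final drop rule" from the firewall section can be a script rather than a habit. The lint below is an added example, not code from the original post or from MikroTik. It assumes the shape `/export` prints (a section header line, then one `add key=value ...` line per rule, long lines wrapped with a trailing backslash) and walks the input chain checking the three things the post's own rule set relies on: established/related accepted early, at least one explicit allow that can match a new connection, and an unconditional drop as the last reachable rule. The sample export embedded in it is constructed from the rules shown above, plus a comment and one forward-chain rule so the parser has something to ignore.

```python
"""Lint the input chain of an exported RouterOS `/ip firewall filter` section.

Added example, not code from the original post or from MikroTik. It assumes
the plain-text form that `/export` prints: a section header line, then one
`add key=value ...` line per rule, with long lines continued by a trailing
backslash. Run it over a saved export (e.g. the one kept in git) before
trusting a box that was rebuilt from it.
"""
import shlex

# Constructed sample in `/export` form: the input chain from the post, a
# comment on the final drop, and one forward-chain rule the lint must skip.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=lan action=accept
add chain=input protocol=icmp action=accept
add chain=input action=drop comment="the rule that makes the rest mean something"
add chain=forward connection-state=established,related action=accept
"""

# Keys that annotate a rule without narrowing which packets it matches.
NON_MATCH_KEYS = {"chain", "action", "comment", "disabled", "log", "log-prefix"}
TERMINAL_ACTIONS = {"accept", "drop", "reject"}


def parse_filter_rules(export_text):
    """Return the rules under /ip firewall filter, in order, as key -> value dicts.
    Other sections are ignored; disabled rules are kept for the caller to judge."""
    rules, in_section, pending = [], False, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # RouterOS wraps long export lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            rule = {}
            for tok in shlex.split(line[4:]):  # shlex keeps quoted comments whole
                key, _, val = tok.partition("=")
                rule[key] = val
            rules.append(rule)
    return rules


def is_unconditional(rule):
    """True when the rule has no matcher at all, i.e. it catches every packet."""
    return not (set(rule) - NON_MATCH_KEYS)


def lint_input_chain(rules):
    """Return a list of findings; an empty list means the posture from the post
    holds: first-match-wins, stateful accept early, explicit allows, final drop."""
    findings = []
    chain = [r for r in rules if r.get("chain") == "input" and r.get("disabled") != "yes"]
    if not chain:
        return ["input chain is empty: with no rules RouterOS accepts everything"]

    # First rule that ends evaluation for every packet, whatever its action.
    terminal = next((i for i, r in enumerate(chain)
                     if is_unconditional(r) and r.get("action") in TERMINAL_ACTIONS), None)
    if terminal is None:
        findings.append("no unconditional drop/reject: anything not matched earlier is accepted")
        terminal = len(chain)
    elif chain[terminal]["action"] == "accept":
        findings.append(f"rule {terminal + 1} accepts everything: later rules are unreachable")
    elif terminal != len(chain) - 1:
        findings.append(f"{len(chain) - terminal - 1} rule(s) after the final drop are unreachable")

    reachable = chain[:terminal]
    stateful = any(r.get("action") == "accept"
                   and "established" in r.get("connection-state", "").split(",")
                   for r in reachable)
    if not stateful:
        findings.append("no established/related accept before the drop: every packet of an "
                        "already-accepted connection must re-match an explicit allow")
    # An accept that can match a *new* connection is what keeps a management session possible.
    allows_new = any(r.get("action") == "accept" and not is_unconditional(r)
                     and ("connection-state" not in r or "new" in r["connection-state"].split(","))
                     for r in reachable)
    if not allows_new:
        findings.append("no accept for new connections before the drop: this is the lockout case")
    return findings


if __name__ == "__main__":
    for finding in lint_input_chain(parse_filter_rules(SAMPLE_EXPORT)) or ["input chain: ok"]:
        print(finding)
```

Point it at a real export with `lint_input_chain(parse_filter_rules(open("router.rsc").read()))`; a non-empty list is the thing to read before the upgrade, not after. The checks are deliberately structural (order and presence of rules), not a full packet simulator, so a rule whose matcher is wrong for your interface names will still pass; that is the part the lint cannot take off your hands.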

the things nobody mentions

A couple of honest annoyances on each side.

RouterOS releases. The update cadence is brisk and the changelogs occasionally hide behaviour changes that bite. I now read release notes properly before upgrading the router, which I never bothered to do with pfSense because pfSense updates were sleepy and predictable. With MikroTik I keep a known-good config export and I upgrade when I have time to roll back, not when I'm in a hurry.

The learning curve is real and front-loaded. The first fortnight with RouterOS I was slower at everything, including things I could do in my sleep on pfSense. If you need the box working tonight and you've never touched RouterOS, this is not the week to switch. The payoff comes later, once the grammar clicks, and it does click, but it asks for patience first.

On the pfSense side, the thing I don't miss is the feeling that the interesting capabilities were always one slightly-unmaintained package away. The base firewall is rock solid. The ecosystem around it varied wildly, and a few times I built something important on a package that later went quiet.

who should switch, and who shouldn't

If your box is mostly a firewall, you want to read your whole policy on one screen, and you value boring over capable, stay on pfSense. It is genuinely excellent at being a clear, dependable, web-managed firewall, and there's no shame in wanting exactly that. A year of MikroTik hasn't convinced me pfSense was wrong. It's convinced me it was aimed at a slightly different job than the one I want done now.

If you actually want to do networking, if VLANs and policy routing and multiple WANs and version-controlled config are the point rather than an afterthought, and you'll invest the fortnight it takes to stop locking yourself out, MikroTik is the more rewarding machine and I'm not going back. I just keep a very, very careful eye on that final drop rule, and I never upgrade the router in a hurry. Both of those habits I learnt the hard way, which is, as ever, the only way anything sticks.