Ramblings of an aging IT geek

mikrotik or pfsense? a year on, the verdict is "it depends" and i mean it

After a year running both MikroTik RouterOS and pfSense in my homelab, an honest comparison of where each one earns its place and where each one annoyed me.

A year ago I had a MikroTik on the edge and pfSense doing the serious routing behind it, partly by design and partly because I couldn't decide. Twelve months of actually living with both has given me a verdict, and the verdict is genuinely "it depends", which I know is the most annoying answer. Let me at least make it a specific one.

MikroTik: ferocious value, sharp edges

The RouterOS box does things at a price point that still feels like a mistake in my favour. Hardware offloading, VLANs everywhere, BGP if I want it, a proper queueing system, all on a unit that cost less than a decent meal out. When it's configured, it's rock solid and it sips power.

The catch is that "when it's configured" is doing heavy lifting. RouterOS does not hold your hand. The defaults are not safe; a fresh box is wide open and it's on you to lock it down. The terminology is its own little world, and the WebFig interface is functional in the way a filing cabinet is functional. I've locked myself out twice, both times my own fault, both times fixed only because I had a serial console to hand. If you don't enjoy networking as a subject, this thing will make you miserable.

pfSense: comprehensible, heavier, calmer

pfSense is the opposite trade. The web interface is genuinely good: you can reason about the firewall rules, the state table is right there, the package system gives you things like a sensible dashboard and decent reporting without much fuss. When I want to understand why a packet did or didn't go somewhere, pfSense answers that question faster than RouterOS ever has.

The cost is that it wants a real machine. It runs on a small x86 box that draws more power than the MikroTik and takes up more room than it has any right to for a home connection. It's overkill for "route my house to the internet", and I knew that going in. What I get for the overkill is that I'm never frightened of it. I can hand a screenshot of the rules to someone and they'll understand it.

A year later, who does what

I ended up keeping both, and not out of indecision this time:

  • pfSense sits where I want clarity and where the rules change often: the main firewall, the VLAN segmentation, the VPN. The thing I touch and need to reason about.
  • MikroTik does the jobs that are set-and-forget and benefit from cheap, low-power, capable hardware: a remote site link, switching with VLAN offload, the bits that just need to work and stay out of the way.

If you forced me to pick one for a friend who isn't a networking enthusiast, it's pfSense without hesitation, because the failure mode is "confused" rather than "locked out and offline". If you forced me to pick one for myself, knowing I'll happily spend a Sunday on routing tables, it's the MikroTik, because the capability-per-pound is absurd and I rather enjoy the sharp edges.

So: it depends. But now you know what it depends on, which is the most I could honestly promise.