The Router Wars
Update January 2026: I eventually virtualized OPNsense on Proxmox. All that research, all those spreadsheets, all that hand-wringing—and I ended up running it on hardware I already owned. Sometimes the best solution is the one you weren’t considering.
The Problem
It’s February 2024. My home network looks like this:
- Router: ASUS RT-AX88U. Consumer-grade. Stock firmware.
- Topology: Flat. Everything on 192.168.1.0/24.
- Segmentation: None.
- Security: Hope.
My IoT lightbulbs can ping my NAS. My daughter’s gaming PC shares a broadcast domain with my development workstation. If any device gets compromised, everything is reachable.
I need a real router. Something with VLANs. Something with proper firewall rules. Something that doesn’t make security professionals wince when I describe it.
And so began the research spiral.
The Contenders
I narrowed it down to two serious options, plus the ghost of a third.
OPNsense (The Firewall King)
What it is: FreeBSD-based firewall/router OS. Fork of pfSense after some drama in 2015. Open source, actively developed.
Hardware requirements: x86 system. Mini-PCs from Protectli, Topton, or any old desktop with multiple NICs.
Strengths:
- Web GUI that doesn’t look like it was designed in 2003
- Suricata IDS/IPS built in
- Plugin ecosystem (WireGuard, Unbound, HAProxy)
- pf firewall syntax if you want CLI
- Regular security updates
Weaknesses:
- Power hungry. Even an efficient N100 mini-PC idles at 15-25W
- Hardware cost. A decent Protectli box is $300+
- x86 means more potential attack surface than purpose-built MIPS/ARM
MikroTik (The Routing Wizard)
What it is: Purpose-built networking hardware running RouterOS. The choice of WISPs and network nerds.
Hardware: RB5009, hEX series, CCR routers.
Strengths:
- Insane routing flexibility. BGP, OSPF, MPLS if you’re feeling adventurous
- Incredibly efficient. RB5009 idles at 6W
- Cheap. Full-featured router for $100-200
- Swiss Army Knife of networking
Weaknesses:
- The learning curve is vertical. Not steep. Vertical.
- WinBox UI looks like Windows 98 had a baby with a spreadsheet
- Documentation assumes you already know networking
- One wrong command and you’re locked out of your own router
pfSense (The Ghost)
I also considered pfSense, but the licensing changes and corporate drama made me nervous. OPNsense felt like the safer long-term bet. Same underlying tech, less baggage.
The Deep Dive
I spent February analyzing these options like I was choosing a spouse.
VLAN Configuration
This was the whole point. Could I actually segment my network?
MikroTik approach:
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
That’s the simple version. With MikroTik, VLANs involve bridges, port assignments, PVID settings, and a conceptual model that makes perfect sense once you understand it and makes zero sense before that.
OPNsense approach:
- Go to Interfaces → Assignments
- Click the + button next to your parent interface
- Select VLAN tag 10
- Save
Done.
Winner: OPNsense for anyone who values their sanity. MikroTik for anyone who wants to really understand VLANs by being forced to configure every detail manually.
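The MikroTik snippet above is terse enough that the classic segmentation mistakes (an access port whose PVID does not match the VLAN it is untagged in, or forgetting that the bridge itself has to be a tagged member before the router can hold an address in that VLAN) are easy to miss. The following Python script is an added example, not code from the post or from MikroTik: it parses the exact lines shown above, rebuilds the VLAN membership table, and runs those checks. The parser only understands the `add key=value ...` form used in the snippet, and the "router has no foothold in this VLAN" check assumes the bridge is named `bridge1`.

```python
"""Rebuild the VLAN membership table from the RouterOS bridge-VLAN commands
in the post and check the segmentation they produce.

Added example, not from the original post or from MikroTik. Handles only
the 'add key=value ...' lines shown in the post."""
import re
from collections import defaultdict

# Constructed input: the MikroTik snippet from the post, verbatim.
ROUTEROS_CONFIG = """
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
"""


def _csv(value):
    """Split a comma-separated RouterOS list, dropping empty entries."""
    return {item for item in value.split(",") if item}


def parse_routeros(text):
    """Return (vlans, ports).

    vlans: {vlan_id: {"tagged": set(ports), "untagged": set(ports)}}
    ports: {port_name: pvid}
    """
    vlans = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    ports = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # menu path, e.g. "/interface bridge vlan"
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = dict(re.findall(r"(\S+?)=(\S+)", line[4:]))
        if section == "/interface bridge vlan":
            for vid in kv["vlan-ids"].split(","):
                entry = vlans[int(vid)]
                entry["tagged"] |= _csv(kv.get("tagged", ""))
                entry["untagged"] |= _csv(kv.get("untagged", ""))
        elif section == "/interface bridge port":
            ports[kv["interface"]] = int(kv.get("pvid", 1))
    return dict(vlans), ports


def pvid_mismatches(vlans, ports):
    """Access ports whose PVID differs from the VLAN they are untagged in.

    Such a port receives frames into one VLAN and sends them from another,
    which is how an 'isolated' segment quietly leaks. Returns a list of
    (port, untagged_vlan, actual_pvid) tuples; empty means consistent."""
    out = []
    for vid in sorted(vlans):
        for port in sorted(vlans[vid]["untagged"]):
            if ports.get(port) != vid:
                out.append((port, vid, ports.get(port)))
    return out


def vlans_without_router_membership(vlans, bridge="bridge1"):
    """VLANs in which the bridge itself is not a tagged member.

    Hosts in those VLANs are switched among themselves, but the router has
    no L3 interface there (no gateway, no inter-VLAN firewall rules) until
    the bridge is added to the tagged list and a VLAN interface is created
    on it. The post's 'simple version' leaves this out for both VLANs."""
    return sorted(vid for vid, m in vlans.items() if bridge not in m["tagged"])


def ports_share_vlan(vlans, port_a, port_b):
    """True if two ports are members of at least one common VLAN, i.e. hosts
    behind them share a broadcast domain."""
    for members in vlans.values():
        all_members = members["tagged"] | members["untagged"]
        if port_a in all_members and port_b in all_members:
            return True
    return False


if __name__ == "__main__":
    vlans, ports = parse_routeros(ROUTEROS_CONFIG)
    print("PVID mismatches:", pvid_mismatches(vlans, ports))
    print("VLANs without router membership:", vlans_without_router_membership(vlans))
    print("ether2 and ether3 share a VLAN:", ports_share_vlan(vlans, "ether2", "ether3"))
```

Running it against the post's configuration reports no PVID mismatches, confirms that the IoT-style port `ether2` and the port `ether3` do not share a broadcast domain, and flags that neither VLAN 10 nor VLAN 20 has `bridge1` as a tagged member, which is the part you add once you want the router to actually route and filter between them.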
Power Consumption
I ran the numbers obsessively.
| Device | Idle Power | Annual Cost (@ $0.12/kWh) |
|---|---|---|
| MikroTik RB5009 | 6W | $6.30 |
| Topton N100 (OPNsense) | 15W | $15.77 |
| Protectli VP2420 | 12W | $12.61 |
| Old Dell Optiplex (OPNsense) | 35W | $36.79 |
Over 5 years, the MikroTik costs about $31 in electricity. The Topton N100 costs about $79. The difference: $48.
I spent more than $48 worth of time making this spreadsheet.
Winner: MikroTik, but the margin matters less than I thought.
The “Wife Acceptance Factor”
Critical question: If the internet goes down while I’m at work, can my partner fix it?
OPNsense: “Okay, open a browser, go to 192.168.1.1, log in with these credentials, click Diagnostics, click Reboot, click Yes.”
MikroTik: “Okay, download WinBox from mikrotik.com, no the other download link, run it, click the MAC Address tab, select the router, log in, navigate to System, then Reboot, but don’t click Reset Configuration, that’s different, and make sure you don’t…”
ASUS Router: “Unplug it, wait 10 seconds, plug it back in.”
Winner: The ASUS router I already have. Sometimes “good enough” is actually good enough.
Firewall Capabilities
OPNsense: Stateful firewall with aliases, rule scheduling, GeoIP blocking, Suricata IDS/IPS. The works.
MikroTik: Stateful firewall with connection tracking, mangle rules, raw tables. Technically powerful. Practically confusing.
The reality check: 90% of my traffic is HTTPS. IDS/IPS can’t see inside encrypted connections anyway. The main threat model is “don’t let my IoT crap reach the internet without permission,” not “detect advanced persistent threats in real-time.”
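The stated threat model, IoT devices may reach the internet only with permission and must never reach the NAS, is mostly a rule-ordering problem: OPNsense evaluates rules top to bottom and the first match wins, so a broad "pass to any" placed above a "block private networks" rule silently shadows it. The following Python script is an added example, not code from the post or from OPNsense: it models that first-match, default-deny evaluation over a constructed IoT VLAN (192.168.20.0/24, firewall at 192.168.20.1, LAN at 192.168.10.0/24) and shows the shadowed ordering beside a corrected one. The rule format is my own, not OPNsense's configuration schema.

```python
"""First-match, default-deny rule evaluation for the post's IoT threat model.

Added example, not from the original post or from OPNsense. The Rule
format is invented for the demonstration; the semantics (first matching
rule wins, unmatched traffic is dropped) follow OPNsense's default
'quick' rule behaviour."""
from dataclasses import dataclass
import ipaddress

# Constructed addressing for the example network.
FIREWALL_IOT_IP = (ipaddress.ip_network("192.168.20.1/32"),)
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    """One rule on the IoT interface, applied to traffic entering from IoT."""
    action: str                       # "pass" or "block"
    dst: object                       # tuple of ip_network, or "any"
    dports: frozenset = frozenset()   # empty set means any destination port
    proto: str = "any"                # "tcp", "udp" or "any"


def first_match(rules, dst_ip, dport, proto="tcp"):
    """Return the action of the first rule matching the flow, or 'block'
    when nothing matches (the implicit default deny)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.dports and dport not in rule.dports:
            continue
        if rule.dst != "any" and not any(dst in net for net in rule.dst):
            continue
        return rule.action
    return "block"


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule
    already matches every flow (any destination, any port, any protocol)."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.dst == "any" and not earlier.dports and earlier.proto == "any":
                shadowed.append(i)
                break
    return shadowed


# The weak ordering: "let IoT reach the internet" written as allow-all,
# with the private-network block placed underneath it.
WEAK = (
    Rule("pass", "any"),
    Rule("block", RFC1918),                # never evaluated
)

# The corrected ordering: only DNS and NTP to the firewall itself, then an
# explicit block of every private range, then web-only internet access.
GOOD = (
    Rule("pass", FIREWALL_IOT_IP, frozenset({53})),
    Rule("pass", FIREWALL_IOT_IP, frozenset({123}), "udp"),
    Rule("block", RFC1918),
    Rule("pass", "any", frozenset({80, 443}), "tcp"),
)

if __name__ == "__main__":
    nas = "192.168.10.5"                   # constructed LAN-side NAS address
    print("IoT -> NAS:445 with WEAK:", first_match(WEAK, nas, 445))
    print("IoT -> NAS:445 with GOOD:", first_match(GOOD, nas, 445))
    print("shadowed rules in WEAK:", shadowed_rules(WEAK))
```

With the corrected ordering, an IoT device still reaches a web endpoint on 443 but cannot touch the NAS, and cannot bypass the firewall's resolver by talking to an outside DNS server, which is the "permission" the post wants to enforce; `shadowed_rules` is the static check worth running whenever a rule set grows, because a shadowed block rule looks fine in the GUI and never fires.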
The Research Spiral
Here’s where I went off the rails.
I spent 40+ hours in February asking AI assistants hypothetical configuration questions:
- “If I have OPNsense and want to run Suricata, how much RAM do I need?”
- “Can MikroTik do policy-based routing with WireGuard?”
- “What’s the migration path from pfSense to OPNsense if I change my mind later?”
- “Should I run the firewall as a VM or on dedicated hardware?”
I made spreadsheets comparing:
- Hardware costs
- Power consumption over 1, 3, and 5 years
- Feature matrices
- Reddit sentiment analysis (I’m not proud of this)
I watched YouTube reviews. I read forum threads from 2019. I asked the same question three different ways to see if I’d get a different answer.
And then March happened. And April. And May.
I never bought anything.
The Paralysis
Somewhere around April, I realized I’d fallen into a classic trap: researching the solution had become a substitute for implementing it.
Every week, I’d find a new consideration:
- “But what about IPv6 support?”
- “What if my ISP changes to CGNAT?”
- “Should I wait for the next MikroTik hardware revision?”
Meanwhile, my IoT lightbulbs were still on the same VLAN as my NAS. The problem I was trying to solve? Still unsolved.
The ASUS router kept working. Not elegantly, not securely, but working. And every day it worked was another day I could postpone the decision.
The Realization
By October, I’d accepted some uncomfortable truths:
I don’t actually have a problem.
My 1Gbps connection is saturated by the ASUS. My speeds are fine. Nobody has compromised my network (that I know of). The flat topology is lazy, but it’s not causing active harm.
I was researching to avoid doing.
The spreadsheets felt productive. The forum threads felt like learning. But none of it moved me toward a working solution.
I was optimizing for scenarios that don’t exist.
BGP peering? I have one ISP. 10Gbps throughput? I have 1Gbps service. Multi-WAN failover? I don’t have a backup connection.
I was buying features for a network I might have someday, not the network I have now.
The Actual Solution (Late 2025)
Eleven months after the “Router Wars” began, I finally made a decision.
I didn’t buy a MikroTik. I didn’t buy a Protectli box.
I virtualized OPNsense on my existing Proxmox server.
Why this worked:
- Zero new hardware. My Proxmox box was already running 24/7. Adding a VM cost nothing.
- Snapshots. Before breaking the config, I snapshot the VM. If I screw up, I rollback. No bricking expensive hardware.
- Resources on demand. Started with 2 cores and 2GB RAM. Found out Suricata needs more? Added it with two clicks.
- It’s still real OPNsense. Not “OPNsense lite” or some gimped version. Full-featured, fully functional.
The setup:
Proxmox Host
├── vmbr0 (LAN bridge) → OPNsense VM (LAN interface)
├── vmbr1 (WAN bridge) → OPNsense VM (WAN interface)
└── Other VMs using OPNsense as gateway
WAN interface passes through to the VM. LAN interface is a bridge that other VMs connect to. The ASUS router became a dumb access point.
Did I finally implement VLANs?
Yes. It took about 20 minutes once I stopped researching and started clicking.
What I Learned
Analysis paralysis is procrastination in a lab coat. It feels like work. It looks like diligence. But if you’ve been “researching” for 6 months without implementing anything, you’re not being thorough—you’re being avoidant.
Perfect is the enemy of done. The MikroTik would have been fine. The Protectli would have been fine. The VM solution was fine. They’re all fine. Pick one.
Your constraints matter more than features. I don’t need 10Gbps routing. I don’t need BGP. I need VLANs and basic firewall rules. Anything beyond that is a hobby, not a requirement.
Virtualization changes the calculus. If you already have a hypervisor running, the “dedicated hardware vs VM” debate is less relevant. The VM is free and easily backed up.
The best time to start was 11 months ago. The second best time is now.
The Current Setup (2026)
- Router: OPNsense VM on Proxmox
- VLANs: Finally implemented (IoT, trusted devices, guest)
- Firewall: Rules that actually make sense
- Power: 0W additional (VM on existing hardware)
- Regrets: Those 11 months of spreadsheets
The network finally works the way I wanted it to in February 2024. It just took me until late 2025 to stop researching and start doing.
February 2024 - November 2025. Eleven months of research. Twenty minutes of implementation. Perfect.