The 2026 Homelab Firewall & Router Stack: pfSense vs OPNsense vs MikroTik vs UniFi — Honest Trade-offs
By LK Wood IV · 2026-05-08 · ~14 min read · St. Louis County, MO
The router is the boring box that decides whether the rest of your lab feels fast. I have run pfSense Plus, OPNsense 25.10, MikroTik RouterOS 7, and UniFi Network App 10.1 in the same rack on the same WAN over the past year. They are not interchangeable. Each one is honest about a different set of compromises and dishonest about a different set of numbers, and the goal of this piece is to label which is which.
If you already settled the storage question with Proxmox vs TrueNAS vs Unraid storage backends, the router decision is the next one that will outlast your hardware refreshes. Pick wrong and you will rebuild rules every two years. Pick right and the box quietly does its job until the PSU dies.
How I tested
Bench: St. Louis County home office, single 1 Gbps symmetric WAN (Spectrum business), 1500 MTU on the WAN handoff, no PPPoE. Internal LAN at 10 GbE on a MikroTik CRS305 leaf with the router under test as the edge. Iperf3 traffic generator was a Ryzen 7 7700X workstation; receiver was a Proxmox VE 8 host with a Mellanox ConnectX-4 Lx. Each device sat in the same 1U slot with the same SFP+ DAC, the same WAN cable, and the same client load profile.
Hardware actually on hand for this round:
- Netgate 4100 (pfSense Plus 25.10, 4-core Atom C3558R)
- Protectli VP2420 with the i3-N305 swap (OPNsense 25.10)
- An N100 mini-PC running OPNsense 25.10 as a sanity check on the cheap end
- MikroTik CCR2004-1G-12S+2XS (RouterOS 7.16) for the wire-rate test
- MikroTik RB5009UG+S+IN (RouterOS 7.16) for the small-lab test
- UniFi Dream Machine Pro on firmware 4.1 (Network Application 10.1.89)
- UniFi Cloud Gateway Max on the same Network App
- P3 P4400 Kill A Watt for power, taken at idle and at sustained 1 Gbps WAN load
Every throughput number below is a 5-minute iperf3 run, three trials, median reported. IDS-on numbers are with Suricata or RouterOS equivalent in inline mode against the rule set the vendor enables by default. I label vendor-lab numbers separately from what I measured because the two are almost never the same.
What changed in 2026
The router OS picture moved faster in the last twelve months than in the previous five. Three things matter for the homelab:
The biggest shift is that pfSense Plus and OPNsense both got real WireGuard kernel modules upstreamed and tuned, so site-to-site VPN throughput finally tracks the CPU instead of the user-space ceiling that haunted 2023 and 2024. On a Netgate 4100, WireGuard now hits roughly 940 Mbps WAN-to-WAN on a single tunnel, where the 2023 numbers were stuck around 380. OPNsense on the i3-N305 lands in the same neighborhood. (Netgate documentation, OPNsense docs)
MikroTik shipped RouterOS 7.16 with a real ZeroTier client, container support that does not feel like a science project, and meaningful improvements to the FastPath/Fasttrack interaction with WireGuard. The CCR2004 is still the wire-rate workhorse for anyone with symmetric multi-gig coming into the house. (MikroTik release notes)
UniFi Network App 10.1 finally exposes per-rule packet captures, traffic identification beyond the old DPI table, and a usable IDS pane on the Dream Machine Pro and the Cloud Gateway Max. The hardware story for UniFi is also healthier than 2024 — the Cloud Gateway Max is the box most homelabs should consider before reaching for an enterprise-tier UDM SE. (UniFi release notes)
Throughput on a 1 Gbps WAN
Numbers below are routed throughput, WAN-to-LAN, no firewall rules beyond default plus a single allow-out rule. Trial median, my bench, my LAN.
| Device | NAT only | NAT + IDS on default ruleset | WireGuard 1 tunnel | Idle power |
|---|---|---|---|---|
| Netgate 4100 (pfSense Plus 25.10) | 938 Mbps | 612 Mbps | 941 Mbps | 14 W |
| Protectli VP2420 i3-N305 (OPNsense 25.10) | 941 Mbps | 728 Mbps | 938 Mbps | 11 W |
| N100 mini-PC (OPNsense 25.10) | 939 Mbps | 461 Mbps | 692 Mbps | 7 W |
| MikroTik RB5009UG+S+IN (RouterOS 7.16) | 941 Mbps | n/a (no IDS) | 612 Mbps | 9 W |
| MikroTik CCR2004 (RouterOS 7.16) | 941 Mbps | n/a (no IDS) | 871 Mbps | 28 W |
| UniFi UDM-Pro (4.1 / Net 10.1) | 940 Mbps | 540 Mbps | 380 Mbps | 26 W |
| UniFi Cloud Gateway Max (4.1) | 941 Mbps | 720 Mbps | 612 Mbps | 12 W |
A few honest notes on these numbers:
- WireGuard on UDM-Pro is still capped well below line rate in 2026. UniFi has not closed that gap, and the IDS is the more compelling reason to run that box anyway.
- N100 hardware is fine until you turn on IDS. With Suricata enabled and the OPNsense default ETOpen ruleset, single-thread bottlenecks show up. The i3-N305 in the VP2420 has the cores to keep up.
- MikroTik’s IDS story is genuinely missing. RouterOS does packet inspection at the firewall layer, but it is not a Suricata or Snort replacement. If you want signatures, MikroTik is the wrong stack.
- Vendor-lab numbers for the Netgate 4100 claim 18.62 Gbps NAT throughput on the spec sheet (Netgate 4100 datasheet). My WAN is 1 Gbps. Nobody in a homelab is hitting 18 Gbps WAN. The number is true and irrelevant.
pfSense Plus — what it is good at, what it is not
pfSense Plus 25.10 is the most stable router OS I run. The Netgate 4100 has been up 217 days through a Suricata version bump, two ZFS-on-root snapshots, and a WireGuard tunnel re-key. The web UI is dated. It works. The pkg ecosystem (HAProxy, ACME, ntopng) is mature in a way OPNsense is still catching up to.
What it is not good at:
- Plugin curation. The community pkg list still includes packages that have not been touched in years. You have to know what to avoid.
- Multi-WAN UI. It works, but the gateway group concept is not friendly. OPNsense does this part better.
- The Plus vs CE split is still annoying. Plus only runs on Netgate hardware or registered installations. CE exists but lags Plus on backports. (Netgate Plus vs CE)
If you want a router that you can ignore for two years, this is it. The Netgate 4100 is the SKU to buy.
OPNsense — the better UI, the slightly thinner backstop
OPNsense 25.10 has the better UI by every measure that matters at 2 a.m. when something is wrong. Search across menus is faster, the inline help is current, and the plugin set is curated tighter than pfSense’s pkg list. WireGuard is a first-class tab now, not a side car. (OPNsense 25.10 release)
What is thinner: the long-tail commercial backstop. Deciso supports OPNsense and ships hardware in the EU; the US-side support reach is thinner than Netgate’s. For a homelab this never matters until you need it, at which point it matters a lot. The community is excellent. Vendor support is regional.
If you want to run on commodity hardware (Protectli, an N100, or a repurposed thin client), OPNsense is the better OS choice. The VP2420 with the i3-N305 swap is the SKU I would buy today.
MikroTik — wire-rate and the steepest learning curve
RouterOS 7.16 in 2026 is the best version of MikroTik in a decade. ZeroTier works, containers work, FastPath plays nicely with WireGuard, the Winbox replacement (WebFig and the new RouterOS app) is actually usable. The CCR2004 will route 12×10G interfaces at line rate without breaking $1,000. There is nothing else in the market that does that.
What is hard:
- The learning curve is real. Firewall rule order, mangle vs filter, and the bridge VLAN filtering quirks will eat a weekend the first time you hit them. (MikroTik bridge VLAN filtering wiki)
- IDS is not a thing. RouterOS does L3/L4 firewalling brilliantly. It does not do signature-based inspection. Bolt a Suricata box behind it if you need that.
- Documentation lags features. The community Reddit and forum threads are often more current than the official wiki.
If you have multi-gig WAN or you run a lot of VLANs, this is the right stack. If you want IDS and a friendly UI, it is the wrong stack.
UniFi — the easy mode that still has rough edges
UniFi is the only stack here that someone non-technical can administer. The Network App 10.1 finally has packet captures and a usable IDS pane. The Cloud Gateway Max is the right box for most homes — it sits between the UCG-Ultra and the UDM-Pro on price and beats both on throughput-per-watt at this price point. (UniFi Cloud Gateway Max product page)
What is still rough:
- WireGuard throughput on UDM-Pro is capped well below line rate. The Cloud Gateway Max is better but still not pfSense-level.
- The Threat Management ruleset is a curated subset of Suricata signatures. It works, but you cannot bolt on ETOpen or your own ruleset the way you can on pfSense or OPNsense.
- Cloud features keep moving. If you do not want a UniFi account and a phone app in your firewall path, this is the wrong stack.
If a family member will ever touch the network, UniFi is the right answer. If you want a rule set you fully control, it is not.
Decision tree for picking one
- 1 Gbps WAN, want IDS, want to set it and forget it → Netgate 4100 with pfSense Plus.
- 1 Gbps WAN, want IDS, want a modern UI, fine running on commodity hardware → Protectli VP2420 i3-N305 with OPNsense.
- 2.5 Gbps or more symmetric WAN, comfortable with CLI, multi-VLAN heavy → MikroTik RB5009 or CCR2004 with RouterOS.
- Want a partner or roommate to be able to add a port forward → UniFi Cloud Gateway Max.
- Already on the UniFi APs and switches, want one pane of glass → UniFi UDM-Pro or Cloud Gateway Max.
What I run today
Edge: Netgate 4100 with pfSense Plus 25.10. WireGuard for road-warrior, OpenVPN as fallback for two legacy clients, Suricata in inline mode on the WAN with the ETOpen ruleset and four manually disabled rules that false-positive on Steam and Plex. ZFS snapshot before every package update.
Core: MikroTik CCR2004 doing the 10G distribution to four switches and running the VLANs that the edge router does not need to see.
Wireless: UniFi U6 Enterprise APs on a separate Network App instance, no UniFi gateway in the path. APs adopt to the Network App but routing stays on pfSense.
This is overkill for a single-WAN home. It is the layout I’d recommend for anyone who wants both signature IDS and wire-rate inter-VLAN routing without compromising on either. For the simpler case I would run a Cloud Gateway Max and stop there.
If you are also picking the LAN backbone, 10 Gbps home networking on a budget covers the switches and NICs that pair with these routers. If you are picking the box the router runs on rather than buying an appliance, the best mini-PC for a homelab in 2026 is the companion piece. And if you want the LLM that this router will eventually be feeding, self-hosting a local LLM on an RTX 5060 is the next stop.
Related
- Proxmox vs TrueNAS vs Unraid storage backends 2026
- 10 Gbps home networking on a budget 2026
- Best mini-PC for a homelab 2026
- Self-hosting a local LLM on an RTX 5060 (2026)
Sources
- Netgate 4100 datasheet
- Netgate WireGuard documentation
- pfSense Plus vs CE
- OPNsense documentation
- OPNsense 25.10 release notes
- MikroTik RouterOS changelogs
- MikroTik bridge VLAN filtering wiki
- UniFi release notes
- UniFi Cloud Gateway Max product page
Last verified: 2026-05-08 by LK Wood IV.