Understood, and I was not asking the question to set you up for a war on behalf of OpenWrt or pfSense. I was genuinely curious as one who has used both, fairly extensively, and ended up sticking with OpenWrt even on x86.
Objectively, what commands does pfSense offer that you wish you had (or had more thorough versions of) on OpenWrt? I have found that a lot of the full and proper commands/libs can be had through a custom OpenWrt build.
OpenWrt does favor “temp” stuff a lot, which makes sense given its history as a router-based distro. Historically memory-bound devices and the desire to minimize writes to disk have shaped, and still are shaping, the way it functions as an OS. I have overcome some of that by altering the locations (via symlinks or modifying paths in configs) of some files, like the DHCP lease file, so they survive reboots.
On the IDS/IPS front, you are correct. The gold medal goes to pfSense on that one from a feature availability perspective. That is, assuming you have the horsepower in your x86 box to turn all that on. I found pfSense to be very memory heavy for the additional packages you enable. Especially with things like pfBlockerNG. (I prefer Pi-hole to pfBlockerNG now anyway, FWIW)
A couple more thoughts between the two...
I found the traffic shaping and QoS configuration in pfSense to be downright maddening at times. It affords you a ton of configuration options (as does the whole of pfSense), but requires a ton of knowledge to know how to tweak all the pulleys and levers. Even after weeks of tuning, I still could not achieve the same level of consistent bufferbloat reduction in pfSense that I get with OpenWrt SQM (CAKE) with about 30 minutes of tuning.
I much prefer pfSense’s GUI version of firewall rule configuration to OpenWrt’s GUI. It’s much easier to visually see what you’ve got set up hierarchically with rule precedence in pfSense because each interface has a separate tab with just its rules. OpenWrt’s firewall GUI, while more “pretty”, is far less functional to me. Along those lines, pfSense makes it so much easier via either web console or pftop to quickly view firewall logs in real-time.
The available packages for pfSense are significantly smaller in variety and availability. There are pros and cons to that, of course. A pro is that you get well-curated and functionally tested/stable packages that just work. The cons are that there are a limited number of pfSense devs who have time to test new packages and approve them. So the package selection tends to stay pretty static and they very much favor lagging version upgrades in favor of stability (not necessarily a con). It’s definitely a more tightly controlled environment as opposed to the very open, community-driven approach of OpenWrt.
Lastly, one of pfSense’s strengths is also one of its biggest deterrents. It provides one with hundreds of textboxes, dropdowns, checkboxes, and radio buttons to tweak about anything you can dream up on a firewall/router. Even with decently advanced network knowledge, I was finding myself having to refer to pfSense docs a lot to get clarity on many of the settings. A lot of times that led me down the road of landing on pfSense forums. In order to not offend anyone, let me just say that OpenWrt’s community forums are top notch in the level of friendly support offered. OpenWrt forums are generally (sure, there are some exceptions) filled with people who care to help others understand concepts without belittling them. That cannot be understated, and it is one of the main reasons I love to stick with OpenWrt. It has a great community that I haven’t found a lot of other places.
Anyway, I’ll wrap this up here because I just realized I wrote a book. Strictly from a stable network perspective, both pfSense and OpenWrt will get you there. It’s the value-adds that have to be weighed.
EDIT 1
I lied... I wasn’t done. Another thing I just remembered that I meant to call out is that OpenWrt has been [thankfully] very accepting of WireGuard. It has not been well accepted by pfSense to date. In fact, here is an example of both their WireGuard stance and what is a very common style of forum response.