@pfsenseuser1234 Why three? There's simply too much traffic for one (over 50k requests/minute, over 2Gbps of upload). Two is enough for now, third one is just to be safe.
No problem with that :)
I'm guessing pfsense can handle 50k req/min for now and I would be fine with simple active-standby approach. But what if I go to 100k by the end of the year? Or 150k. I'll probably hit some limit sooner or later. That's why I'm thinking about multi-master configuration.
I can understand the thought, but pfSense simply can't work in an active-active constellation.
*Not only volumetric DDoS (>10Gbps to kill one VM), but also SYN floods, DNS amplifications, slow HTTP requests… I get them all.
OK you could get various DDoS but the goal of all is clear: denial of service via massive flooding. Be it SYN, be it DNS, be it slow HTTPs. You can filter out some, but at the end your own firewall will give up or your upstream pipe is full. DDoS mitigation is nothing you can do on your end/site in a meaningful way. Yes you can somehow slow the process and try to mitigate the hit but with enough firepower / distribution you'll get nuked nonetheless. So if you get hit on a continuous fashion the only really helpful thing is bringing a CDN into play and (actually) try to hide the real endpoint addresses so they don't actually leak out (or the attacker will just ignore the CDN and hit the IP). That's the point where Cloudflare, Akamai or Stackpath etc. come into play.
Other then bringing a CDN into play and balancing your three proxies out for traffic reasons, I don't see a quick/simple way to bump that up further. But perhaps some other can chime in.