OMG -- dude, if I am sending 1gbps of traffic down your pipe, and your pipe is 10mbps.. How is any good traffic going to get to pfSense? At all?? This isn't complicated...

Your traffic cop at the end of the road can't do anything about the 3 mile long pileup on the 1 lane road to him, if all the cars from a 10 lane freeway are trying to get onto the 1 lane dirt road.. You need to put someone up at the 10 lane freeway off ramp to your 1 lane dirt road, to only let cars onto that road that you want..

You really need to do some more research if you think any sort of firewall, be it pfSense or a 100K super NGFW from Cisco, can do anything against a volumetric DDoS that fills up your 1 lane dirt road to get to it..

edit: this is a bit late.. But ran across this just a bit ago, and thought this is a perfect example of how a firewall can not stop a volumetric attack ;)

https://www.zdnet.com/article/google-says-it-mitigated-a-2-54-tbps-ddos-attack-in-2017-largest-known-to-date/

So even if you had a 1, 10 or even 100 gig pipe, what hope do you think your firewall would have with such an attack ;) 2.5TBps - this is what I mean when the pipe is full, it's full - nothing your firewall can do at the end of the pipe ;)
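
The bottleneck argument above, as an added example that is not part of the original post: a small packet-level simulation of a 10 Mbps link with a tail-drop queue, comparing a perfect filter at the far end of the link with filtering done before it. The 5 Mbps of legitimate traffic, the 1000-bit packet size, the 1 ms tick and the 50-packet queue are assumptions chosen for illustration.

```python
import random
from collections import deque

# Assumed units: 1 tick = 1 ms, 1 packet = 1000 bits, so N Mbps == N packets per tick.

def legit_delivery(link_mbps, legit_mbps, attack_mbps, filter_upstream,
                   ticks=500, queue_pkts=50, seed=1):
    """Return the fraction of legitimate packets that get through the narrow link.

    filter_upstream=True  : attack packets are dropped before the link (provider/scrubbing side).
    filter_upstream=False : only the firewall at the far end filters, and it filters perfectly.
    """
    rng = random.Random(seed)
    queue = deque()          # router queue feeding the narrow link (tail drop)
    sent = delivered = 0
    for _ in range(ticks):
        arrivals = ["legit"] * legit_mbps + ["attack"] * attack_mbps
        rng.shuffle(arrivals)            # packets arrive interleaved
        sent += legit_mbps
        for pkt in arrivals:
            if filter_upstream and pkt == "attack":
                continue                 # removed before it can occupy the link
            if len(queue) < queue_pkts:
                queue.append(pkt)        # otherwise the packet is tail-dropped
        for _ in range(min(link_mbps, len(queue))):
            # The link carries at most link_mbps packets per tick to the firewall,
            # which then discards every attack packet it receives.
            if queue.popleft() == "legit":
                delivered += 1
    return delivered / sent

if __name__ == "__main__":
    for upstream in (False, True):
        share = legit_delivery(10, 5, 1000, filter_upstream=upstream)
        where = "upstream of the link" if upstream else "at the firewall only"
        print(f"filtering {where}: {share:.1%} of legitimate packets delivered")
```

Even with a firewall that classifies every packet correctly, the legitimate share is decided at the queue in front of the link, before the firewall sees anything.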