I can't fight DDOS ... (Only the ISP's can "Scrub those data volumes"
Even back in 2013 i was at a company that had 4 x 100Mbit lines , and they were all flodded.
In the end we had to subscribe to a (rather expensive to activate) "Scrubbing service" at the ISP's.

What i hope for by using two different "implementations" would be :
To avoid some "unknown Zero day exploit" or a "Build error" from the manufactor.

If I GOOF , in implementing rules .. It really depends.
Did i hit wrong button (maybe correctable in the other fw) or did i misunderstand and implemented the same "error" on both systems (not correctable on he other fw).

/Bingo

Hardware based:
You use TurboBoost and HT on both machines and HT
is having a problem let us say as an example, so now
it is not really important because both boxes are "open".

Problem based:
If you are using something with NAT (a router) in front of
(WAN) and behind that the firewall, you may be able to prevent a DDOS, but an amplified DDOS attack is not
able to hold away! But you will be having let us say less
points if you are using a DMZ with servers inside, such
as web, mail and fileservers (FTP), like a firewall offers
to you.

Software based:
If you use a Linux based and a FreeBSD based OS
and both are using OpenSSL............

pfSense as the border (WAN) gateway and a mikrotik router with NAT and IPv4 behind the pfSense may be
not that bad. And between them the servers like web
connected servers.

Based on your problem (DDOS) I would think it is nice
to go with a router in front of the pfSense, but if servers
such web, mail and ftp will be in the DMZ then I would
go with the pfSense in front of the router.

Your both devices may be good for;

• MikroTik RouterOS
• OpenWRT
• TSNR

or as an addon devices like

• Logging server
• Snort or Suricata server
• PI hole and/or AdGuard
• WiFi device`s

A single card or port for the dmz port may be also nice to have no other data are "shared" over this switch chip there.

Caching proxy in front of your lan and reverse proxy in
front of your dmz and nothing is directly connected to
internet, ids in fron of the dmz and the lan will be doing
also something on top of all.

despite my resistance to all CLI...I am a GUI person Apple spoiled.

I like CLI - Almost all my Linux servers have no GUI installed at all.

I was brought up on a 24x40 TV monitor "Terminal" connected to a Flex09 (MC6809) system.
Then CP/M and then MS-DOS ...

Began toying w Linux around 97' , and switched away from Windows around 2005 , been using linux as main OS ever since.

@bingo600 What is the external exposure...?

That would be someone from the outside trying to get in.
Not plain portscan or the likes.
But someone targeting a "potential Zero Day or known but yet unfixed/unpatched" vuln. in the pfS.

Seems like that could only be a bad firewall or NAT rule that unexpectedly allowed access to the WAN IP or a device on LAN?
It's not the rules ... But OS or Intel AMS or .....

In that case I'd myself probably fall into the trap of duplicating rules on both, vs. having someone else create their own ruleset on the inner firewall.

I was thinking somewhat the same ... If i make a bad/misunderstood rule on the "inner" it would be likely that i duplicated the mistake on the "outer".

I don't think there is much chance of a flaw that allows packets past the firewall.

I know pfSense is proven & hardened ....
But my "Tinfoil Hat is itching" ... Annnnd i do have this little $55 thingy

I just had to bring one up ...

.
.
.

.
.
.

But i also know ... More boxes, more failure possibilities.

IMHO it would only make sense if i go with another OS: TNSR or even "The unmentionable "cousin"...."

Keep'em comming

/Bingo