IMHO, the only kosher option is to transfer the servers to the data center (at least transfer the nodes accessible from the outside) and provide DDoS protection by the data center provider or a specialized office. In addition to the router, the provider also has equipment that is unlikely to like DDoS on its channel (restrictions may begin).

you can try to hide behind using cloudflare.com. They will definitely protect against pioneer attacks, and in the basic version - for free. But it would be desirable to change the static home IP at the same time, because. if the “offended” attacks by IP, then it will not be possible to defend themselves with such services.
Based on the existing server, there is little chance of collecting more or less decent protection against (D)DoS, I can “fill up” such a “server” with requests from one machine.

DDoS protection on a single machine (or router) is often doomed to failure. It is enough to exceed the capabilities of the machine in terms of processor, memory or channel. It's pretty simple when it comes to DDoS (Distributed Multiple Machine Attack). A guaranteed option is to become a proxy to specialized services, after changing the real address of the machine and provide for measures so as not to burn it (for example, in the mail, etc.).
In our practice, we ( ddos-guard.net) quite often we encounter similar cases and successfully solve them. We have an online consultant on our site, there is always someone from the team who can advise on DDoS protection issues. Even if one of our commercial solutions does not fit, we will help with consultations and cases, for free, in the name of a safe Internet.