    So I noticed that my ntopng web GUI is available on the WAN side. I don't want anyone from the WAN accessing the ntopng web GUI. I cannot seem to figure out how to stop this from happening. Can anyone guide me here? I've tried port blocking but it doesn't seem to work. Any help would be much appreciated.


  • By default, nothing from the WAN side passes into your network unless it first originated on the LAN side. This means any machine on your LAN side can initiate a session and traffic will get passed back thru to that LAN client. NEVER the other way around.

    Unless... you have created rules to pass WAN traffic thru the firewall. Have you done anything like that? Can you show your WAN rules?


    So I think I figured out what is causing the issue. I noticed that on my default setup on another pfSense box, under Firewall/NAT/Outbound, the default "Automatic outbound NAT rule generation" is ticked.

    However, on my custom pfSense box, which has an Xbox setup for its online use, the "Hybrid Outbound" rule is ticked. I am wondering if this is the reason why my ntopng is accessible to the WAN. I have not changed anything yet, but I'm curious if you agree?

    No, that would not allow inbound traffic. No custom outbound NAT rules could pass inbound traffic.

    You mentioned a custom setup for xbox, exactly what have you added for that? There are some bad guides out there...

    Did you enable upnp for example?

    A screenshot of your WAN firewall rules would be pretty conclusive here.


  • @stephenw10 Yes, UPnP was enabled to allow for the Xbox setup. 99% of the time the Xbox isn't in use. The Xbox has an assigned IP on the network.

    This was the guide I used to set up the Xbox.
    For the short term I have just turned off ntopng. Once I figure out how to fix it, I will have it enabled again. Many thanks for the help.


    Mmm, that's actually a pretty good video. There is some total garbage out there!

    Importantly they restrict what can open port forwards. I would still check the upnp status for anything opening port 3000 though.


