diff --git a/src/etc/rc.d/netflow b/src/etc/rc.d/netflow
index bfddedd2e..7eb466788 100755
--- a/src/etc/rc.d/netflow
+++ b/src/etc/rc.d/netflow
@@ -40,6 +40,7 @@ status_cmd="${name}_status"
 extra_commands="status"
 
 [ -z "$netflow_enable" ] && netflow_enable="NO"
+[ -z "$netflow_egress_only" ] && netflow_egress_only=""
 
 # setup_interface (interface)
 # - use netgraph + ng_netflow in combination with samplicate to record netflow data and send it to multiple locations
@@ -58,7 +59,16 @@ setup_interface()
         echo "error : interface $interface not found"
         return
     fi
-    echo "setup $interface"
+    # disable ingress (traffic to this host) for selected interfaces
+    # avoids counting traffic going through this firewall double when using nat
+    if [ ! -z "`echo " $netflow_egress_only " | grep " $interface "`" ]; then
+        conf="10"
+        echo "setup $interface [egress only]"
+    else
+        conf="11"
+        echo "setup $interface"
+    fi;
+
     # make sure netgraph is attached
     /usr/local/sbin/ngattach $interface
     # remove earlier setup (if any)
@@ -69,7 +79,7 @@ setup_interface()
        name	$interface:lower netflow_$interface
        connect $interface: netflow_$interface: upper	out$ifIndex
        mkpeer netflow_$interface: ksocket export$nfversion inet/dgram/udp
-       msg netflow_$interface: setconfig {iface=$ifIndex conf=11}
+       msg netflow_$interface: setconfig {iface=$ifIndex conf=$conf}
        msg netflow_$interface:export$nfversion connect inet/$netflow_int_destination
 SEQ
 }
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/forms/netflow_capture.xml b/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/forms/netflow_capture.xml
index 9bd210491..c52fc5421 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/forms/netflow_capture.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/forms/netflow_capture.xml
@@ -7,6 +7,14 @@
         <help><![CDATA[Select interface(s) to enable netflow on.]]></help>
         <hint>Type or select interface.</hint>
     </field>
+    <field>
+        <id>netflow.capture.egress_only</id>
+        <label>Egress only</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <help><![CDATA[Select interfaces used for wan traffic to avoid counting nat traffic twice]]></help>
+        <hint>Type or select interface.</hint>
+    </field>
     <field>
         <id>netflow.collect.enable</id>
         <label>Capture local</label>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Diagnostics/Netflow.xml b/src/opnsense/mvc/app/models/OPNsense/Diagnostics/Netflow.xml
index d32454ae7..886f97c2a 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Diagnostics/Netflow.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Diagnostics/Netflow.xml
@@ -13,6 +13,14 @@
                     <enable>/^(?!0).*$/</enable>
                 </filters>
             </interfaces>
+            <egress_only type="InterfaceField">
+                <Required>N</Required>
+                <default>wan</default>
+                <multiple>Y</multiple>
+                <filters>
+                    <enable>/^(?!0).*$/</enable>
+                </filters>
+            </egress_only>
             <version type="OptionField">
                 <Required>Y</Required>
                 <default>v9</default>
diff --git a/src/opnsense/service/templates/OPNsense/Netflow/netflow.conf b/src/opnsense/service/templates/OPNsense/Netflow/netflow.conf
index f6c36a40a..f9d70b315 100644
--- a/src/opnsense/service/templates/OPNsense/Netflow/netflow.conf
+++ b/src/opnsense/service/templates/OPNsense/Netflow/netflow.conf
@@ -11,6 +11,11 @@
   OPNsense.Netflow.capture.targets.strip()
   %}
 netflow_interfaces="{% for interface in OPNsense.Netflow.capture.interfaces.split(',')
+%}{{
+    physical_interface(interface)
+}} {%
+  endfor%}"
+netflow_egress_only="{% for interface in OPNsense.Netflow.capture.egress_only.split(',')
 %}{{
     physical_interface(interface)
 }} {%