Unfortunately, you may need to ensure that your web app has CSRF protection.
https://en.wikipedia.org/wiki/Cross-site_request_forgery

While an attacker cannot route packets into a private network (regardless of your router settings; ISPs simply cannot route private IPs, because they have no idea where to send them, everyone uses them, so they just need to drop those packets), they can potentially cause your own machine(s) to send requests to your own equipment.
Some web services have been attacked this way, especially "localhost" / 127.0.0.1 servers which the developers naively assumed could only be attacked by a user of the local machine.
If you have a device which has a possibly-predictable IP address, web request parameters, etc., then someone can write JavaScript which does "blind" attacks against it, sending commands that they can't receive a response to (at least, not directly) but that still have an effect.
The usual solution is to ensure that all your web forms require an HTTP POST with an unguessable random "CSRF token" field supplied, which is available in the web forms. An attacker can't read the contents of the form, so won't be able to get the token.
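The token check described above, as an added example that is not part of the original answer: a standard-library WSGI app for a hypothetical device admin page, where the `/reboot` path, the `sid` cookie, the `csrf_token` field name and the in-memory `SESSIONS` store are all assumptions made for illustration.

```python
import hmac, io, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSIONS = {}  # session id -> CSRF token (in-memory store, illustration only)

def _session_id(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sid"].value if "sid" in cookie else None

def app(environ, start_response):
    """Hypothetical admin page: GET / serves the form, POST /reboot acts on it."""
    method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/")
    if method == "GET" and path == "/":
        # Fresh unguessable values; the token is only visible inside the form.
        sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        SESSIONS[sid] = token
        body = ('<form method="post" action="/reboot">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                '<button>Reboot</button></form>').encode()
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Set-Cookie", f"sid={sid}; HttpOnly")])
        return [body]
    if method == "POST" and path == "/reboot":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        sent = form.get("csrf_token", [""])[0]
        expected = SESSIONS.get(_session_id(environ), "")
        # A blind cross-site POST carries the cookie but not the token.
        # Compare in constant time; an unknown session never validates.
        if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"CSRF token missing or wrong"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"rebooting"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def call(method, path, body=b"", cookie=""):
    """Drive the app in-process with a constructed request: (status, headers, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"], out
```

The `call` helper stands in for a browser so the check can be exercised offline; a POST that carries the session cookie but no token, or a guessed token, gets a 403.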