• Status: Solved
• Priority: Medium
• Security: Public
• Views: 79

DrayTek 2860 router - how to allow all traffic from a specific subnet through to the LAN

I need to allow the following IP ranges through the DrayTek router/firewall to allow Worldpay to scan our network to ensure it meets PCI compliance.

Can someone explain how I would do this? I have created 3 objects matching the above subnets but I'm unsure what to do next.

1 Solution
noci, Software Engineer, commented:
How about a tunnel (IPsec) to their location?
Otherwise you will need a WAN->LAN firewall rule plus a whole bunch of NAT rules (one for each object behind the firewall).
Or do you supply a jump server (one server they can go to and then go on from there)? In that case one NAT rule would do.
Martyn Spencer, Consultant, commented:
This is not PCI advice, as I am not a PCI professional. However, I would suggest that you consider what is in PCI scope before adding a particular IP address for scanning. If you are unsure, seek the advice of a PCI professional.

If you do decide that your LAN needs to be scanned (i.e. you are processing or storing card details and this falls within PCI compliance scope), consider the following.

What exactly do you want them to scan inside your network? If you are accessing the Internet using primarily NAT, which most people are, it provides a degree of inbound security. Adding a rule from the WAN to the LAN is not really going to help an external PCI scanner. If a WAN based host attempts to open a port to your public IP address, the router would only report it as open if there is a static port mapping in place, or you have a DMZ host provided. If you have multiple DMZ hosts, each with public IP addresses, you will need to set up rules for these, but I am guessing (and I may be wrong), you probably don't. If you have a DMZ host, or you have multiple DMZ hosts configured, these would each be visible with their own IP address, or you would have some form of network translation in place. Your scan would be configured appropriately.

As an aside, I do suggest that you ensure that Internet based configuration and the other router services are turned off on your router, unless you require general access (bad idea in my mind). At the very least, you should authorise certain IP addresses to remotely configure your router. I would always only do this via the local network or a VPN tunnel.

I am unsure of your technical knowledge, but if you don't understand some of the above, it may be a good idea to ask someone for some paid support. PCI compliance issues can be very costly as you are probably aware.
masnrock commented:
I'm not a certified person either. However, for external PCI scans, it's mainly a test of your existing rules. So the fact that they are talking about allowing them becomes a violation of your own security policy of a sort. If you're explicitly blocking their IP addresses, then get rid of that. Otherwise, there's nothing that you really should need to change. However, I recommend getting the advice of a PCI professional and also getting Worldpay to clarify in writing exactly what they're trying to do.
Martyn Spencer, Consultant, commented:
I agree with masnrock. By adding rules that allow specific hosts to access your network, certainly when the default would be to block them, you are effectively weakening your security.

If they want to carry out an internal LAN PCI scan, usually it would be from a host within your network and it would be a different kind of scan - not the usual "web based" one, in my experience.
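The point made in the answers above (an external scan only reaches what a static port mapping or DMZ host already exposes; a WAN->LAN allow rule for the scanner adds nothing on its own, while an explicit block for the scanner's range hides hosts that should be tested) can be checked against a small model. The following is an added example, not code from this thread or from DrayTek: it models a simplified router with an ordered source/port filter, a static port-forward table and an optional DMZ host, and every address, host and rule in it is a constructed assumption.

```python
"""What an external PCI scanner can reach through a NAT router.

Added example, not code from the thread or from DrayTek. It models a
simplified router: an ordered WAN->LAN filter matched on source address and
destination port, a static port-forward table, and an optional DMZ host.
All addresses, hosts and rules below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

SCANNER_NET = "198.51.100.0/24"     # constructed: the scanner's source range
SCANNER_IP = "198.51.100.7"         # constructed: one scanner host
RANDOM_WAN_IP = "192.0.2.99"        # constructed: any other Internet host
PROBE_PORTS = [22, 80, 443, 2222, 3389]


@dataclass(frozen=True)
class FilterRule:
    action: str                      # "allow" or "block"
    src: str                         # source network in CIDR notation
    dst_port: Optional[int] = None   # None matches every port


@dataclass
class Router:
    # Ordered WAN->LAN filter; the first matching rule wins.
    filter_rules: list[FilterRule] = field(default_factory=list)
    # Without a matching rule, forwarded traffic is passed (typical NAT router behaviour).
    filter_default: str = "allow"
    # wan_port -> (lan_host, lan_port): a static port mapping.
    port_forwards: dict[int, tuple[str, int]] = field(default_factory=dict)
    # If set, every port without a static mapping is sent to this host.
    dmz_host: Optional[str] = None

    def filter_decision(self, src_ip: str, dst_port: int) -> str:
        src = ip_address(src_ip)
        for rule in self.filter_rules:
            if src in ip_network(rule.src) and rule.dst_port in (None, dst_port):
                return rule.action
        return self.filter_default

    def translate(self, dst_port: int) -> Optional[tuple[str, int]]:
        """LAN endpoint a packet to <public IP>:dst_port is translated to, if any."""
        if dst_port in self.port_forwards:
            return self.port_forwards[dst_port]
        if self.dmz_host is not None:
            return (self.dmz_host, dst_port)
        return None  # no mapping: the packet is dropped at the router

    def probe(self, src_ip: str, dst_port: int) -> Optional[tuple[str, int]]:
        """Where one TCP probe ends up; None means the scanner sees it filtered."""
        if self.filter_decision(src_ip, dst_port) != "allow":
            return None
        return self.translate(dst_port)


def scan_surface(router: Router, src_ip: str, ports=PROBE_PORTS) -> dict[int, tuple[str, int]]:
    """Map of WAN port -> LAN endpoint that a scan from src_ip would actually reach."""
    surface = {}
    for port in ports:
        target = router.probe(src_ip, port)
        if target is not None:
            surface[port] = target
    return surface


# Scenario 1: a typical setup with one mapping for a web server. The scan tests
# exactly what is already exposed; no rule for the scanner is needed.
baseline = Router(port_forwards={443: ("192.168.1.20", 443)})

# Scenario 2: the scanner's range is explicitly blocked, so the scan sees nothing
# and tests nothing, while every other Internet host still reaches port 443.
blocked = Router(filter_rules=[FilterRule("block", SCANNER_NET)],
                 port_forwards={443: ("192.168.1.20", 443)})

# Scenario 3: an allow rule for the scanner but no mapping. Nothing is reachable,
# because NAT has nowhere to send the packets.
allow_only = Router(filter_rules=[FilterRule("allow", SCANNER_NET)])

# Scenario 4: a DMZ host. Every port reaches that host, and not only from the
# scanner: the filter default passes the random Internet host as well.
dmz = Router(filter_rules=[FilterRule("allow", SCANNER_NET)], dmz_host="192.168.1.50")

# Scenario 5: one mapping to a jump host from which the rest of the LAN can be
# reached (one NAT rule instead of one per internal host).
jump = Router(port_forwards={2222: ("192.168.1.5", 22)})

if __name__ == "__main__":
    for name, r in [("baseline", baseline), ("blocked", blocked), ("allow_only", allow_only),
                    ("dmz", dmz), ("jump", jump)]:
        print(f"{name:10s} scanner -> {scan_surface(r, SCANNER_IP)}")
        print(f"{name:10s} random  -> {scan_surface(r, RANDOM_WAN_IP)}")
```

Running it shows the scanner reaching the same mapped port as any other Internet host in the baseline, nothing at all in the "blocked" and "allow only" cases, and every probed port in the DMZ case, which is the exposure the answers above warn about. The model puts the filter before translation; a real router may apply its WAN->LAN filter to the translated address, but the reachable set is the same for these scenarios.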
roy_batty, Director (question author), commented:
Thanks for answering my question