Draytek 2860 router - how to allow all traffic from specific subnet though to LAN

I need to allow the following IP ranges through the Draytek router/firewall to allow Worldpay to scan our network to ensure it meets PCI compliance.

Can someone explain how I would do this. I have created 3 objects matching the above subnets but I'm unsure what to do next.


noci (Software Engineer) commented:
How about a tunnel (IPSEC) to their location?
Otherwise you will need a WAN->LAN firewall rule + a whole bunch of NAT rules... (one for each object behind the firewall).
Or do you supply a jump server (one server they can go to and then go from there; in that case one NAT rule would do)?

Martyn Spencer (Software Developer / Linux System Administrator / Managing Director) commented:
This is not PCI advice, as I am not a PCI professional. However, I would suggest that you consider what is in PCI scope before adding a particular IP address for scanning. If you are unsure, seek the advice of a PCI professional.

If you do decide that your LAN needs to be scanned (i.e. you are processing or storing card details and this falls within PCI compliance scope), consider the following.

What exactly do you want them to scan inside your network? If you are accessing the Internet using primarily NAT, which most people are, it provides a degree of inbound security. Adding a rule from the WAN to the LAN is not really going to help an external PCI scanner. If a WAN based host attempts to open a port to your public IP address, the router would only report it as open if there is a static port mapping in place, or you have a DMZ host provided. If you have multiple DMZ hosts, each with public IP addresses, you will need to set up rules for these, but I am guessing (and I may be wrong), you probably don't. If you have a DMZ host, or you have multiple DMZ hosts configured, these would each be visible with their own IP address, or you would have some form of network translation in place. Your scan would be configured appropriately.

As an aside, I do suggest that you ensure that Internet based configuration and the other router services are turned off on your router, unless you require general access (bad idea in my mind). At the very least, you should authorise certain IP addresses to remotely configure your router. I would always only do this via the local network or a VPN tunnel.

I am unsure of your technical knowledge, but if you don't understand some of the above, it may be a good idea to ask someone for some paid support. PCI compliance issues can be very costly as you are probably aware.
masnrock commented:
I'm not a certified person either. However, for external PCI scans, it's mainly a test of your existing rules. So the fact that they are talking about allowing them becomes a violation of your own security policy of a sort. If you're explicitly blocking their IP addresses, then get rid of that. Otherwise, there's nothing that you really should need to change. However, I recommend getting the advice of a PCI professional and also getting Worldpay to clarify in writing exactly what they're trying to do.
Martyn Spencer (Software Developer / Linux System Administrator / Managing Director) commented:
I agree with masnrock. By adding rules that allow specific hosts to access your network, certainly when the default would be to block them, you are effectively weakening your security.

If they want to carry out an internal LAN PCI scan, usually it would be from a host within your network and it would be a different kind of scan - not the usual "web based" one, in my experience.
roy_batty (Director, Author) commented:
Thanks for answering my question