<div>
This is not PCI advice, as I am not a PCI professional. However, I would suggest that you consider what is in PCI scope before adding a particular IP address for scanning. If you are unsure, seek the advice of a PCI professional.<br />
<br />
It you do decide that your LAN needs to be scanned (ie you are processing or storing card details and this falls within PCI compliance scope), consider the following.<br />
<br />
What exactly do you want them to scan inside your network? If you are accessing the Internet using primarily NAT, which most people are, it provides a degree of inbound security. Adding a rule from the WAN to the LAN is not really going to help an external PCI scanner. If a WAN based host attempts to open a port to your public IP address, the router would only report it as open if there is a static port mapping in place, or you have a DMZ host provided. If you have multiple DMZ hosts, each with public IP addresses, you will need to set up rules for these, but I am guessing (and I may be wrong), you probably don't. If you have a DMZ host, or you have multiple DMZ hosts configured, these would each be visible with their own IP address, or you would have some form of network translation in place. Your scan would be configured appropriately.<br />
<br />
As an aside, I do suggest that you ensure that Internet based configuration and the other router services are turned off on your router, unless you require general access (bad idea in my mind). At the very least, you should authorise certain IP addresses to remotely configure your router. I would always only do this via the local network or a VPN tunnel.<br />
<br />
I am unsure of your technical knowledge, but if you don't understand some of the above, it may be a good idea to ask someone for some paid support. PCI compliance issues can be very costly as you are probably aware.
</div>


<div>
I'm not a certified person either. However, for external PCI scans, it's mainly a test of your existing rules. So the fact that they are talking about allowing them becomes a violation of your own security policy of a sort. If you're explicitly blocking their IP addresses, then get rid of that. Otherwise, there's nothing that you really should need to change. However, I recommend getting the advice of a PCI professional and also getting Worldpay to clarify in writing exactly what they're trying to do.
</div>


<div>
I agree with masnrock. By adding rules that allow specific hosts to access your network, certainly when the default would be to block them, you are effectively weakening your security.<br />
<br />
If they want to carry out an internal LAN PCI scan, usually it would be from a host within your network and it would be a different kind of scan - not the usual &quot;web based&quot; one, in my experience.
</div>


<div>
Thanks for answering my question
</div>


<div>
<div class="content wysiwyg-content">
I need to &nbsp;allow the following ip ranges through the draytek router/firewall to allow Worldpay to scan our network to ensure it meets PCI compliance.<br />
<br />
91.209.196.32/28<br />
178.255.82.64/27<br />
199.66.200.32/28<br />
<br />
Can someone ecplain how I would do this. I have created 3 objects matching the above subnets but Im unsure what to do next.<br />
<br />
Thanks
</div>
</div>


I need to  allow the following ip ranges through the draytek router/firewall to allow Worldpay to scan our network to ensure it meets PCI compliance.

91.209.196.32/28
178.255.82.64/27
199.66.200.32/28

Can someone ecplain how I would do this. I have created 3 objects matching the above subnets but Im unsure what to do next.

Thanks

Draytek 2860 router -  how to allow all traffic from specific subnet though to LAN

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.

Routers

DrayTek

Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.