Whitelisting IP addresses for external scan ER605
I have set up 2 LANs, one with a POS card payment machine. I am required to allow 3 IP addresses to be whitelisted to allow for external vulnerability scanning. On my previous router I could set this in the firewall, however I am unclear as to how to do this on the ER605. Is it done via a Gateway ACL rule, which seems to be for LAN-to-WAN access rather than allowing WAN-to-LAN access, or via the URL whitelisting section under the Network Security tab? I assume that, either way, these can be allowed to scan the card payment LAN (176.16.0.x) rather than the main LAN (192.168.0.x)?
Thanks for any help on this.