How to allow several IPs to bypass a filter rule

I have various filter rules to detect port scanners and block them coming into my Mikrotik from the internet. For example:

/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Add NMAP NULL scan to Port Scanners address list" disabled=no \
    in-interface=ether1-WAN protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

add action=drop chain=input comment="dropping port scanners input chain" \
    disabled=no src-address-list="port scanners"

add action=drop chain=forward \
    comment="drop port scanners on forward chain from the WAN" disabled=no \
    in-interface=ether1-WAN src-address-list="port scanners"

The problem is, I need to allow a Security Metrics port scan to take place so they can test our network, so they have provided me with several IP addresses that need to bypass my firewall rules. I can’t figure out how to do this. I can’t add them to another address list and choose NOT from that address list, because I am already using the Address List field in the drop rules to match the detected port scanners.

I actually added a feature request for multiple address lists; I think it would solve multiple problems.

Try modifying the first rule in the following way:

add action=add-src-to-address-list address-list="port scanners" \
 address-list-timeout=2w chain=input comment="Add NMAP NULL scan to Port Scanners address list" disabled=no \
 in-interface=ether1-WAN protocol=tcp \
 tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg src-address-list=!allowed_ip

And put the addresses that need to bypass the rule into the "allowed_ip" address list.
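A complete version of this setup as an added example, not code from the thread: the list names follow the posts above, the addresses are constructed placeholders from the RFC 5737 documentation ranges (not the vendor's real scanner IPs), and the timeout on the allowed_ip entries is an assumption so the exemption expires after the scan window instead of staying open forever.

```routeros
# Added example (not from the thread). Whitelist the vendor's scan sources
# so the NULL-scan detector ignores them. Placeholder addresses only.
/ip firewall address-list
add list=allowed_ip address=203.0.113.10 comment="vendor scanner 1" timeout=2d
add list=allowed_ip address=198.51.100.0/28 comment="vendor scanner range" timeout=2d

# A source that was already caught before the exemption existed stays on
# "port scanners" (and stays dropped) until its 2w entry expires, so remove
# any such stale entry explicitly.
remove [find list="port scanners" address=203.0.113.10]

# Confirm the whitelist before the scan starts.
print where list=allowed_ip

# Detection rule with the exemption: the negated src-address-list means
# "match only when the source is NOT in allowed_ip", so whitelisted hosts
# are never added to the blocklist by this rule.
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input \
    comment="Add NMAP NULL scan to Port Scanners address list" \
    in-interface=ether1-WAN protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg src-address-list=!allowed_ip

# The drop rules are unchanged: anything still on "port scanners" is
# dropped. The exemption only stops new additions, it opens no ports.
add action=drop chain=input comment="dropping port scanners input chain" \
    src-address-list="port scanners"
add action=drop chain=forward \
    comment="drop port scanners on forward chain from the WAN" \
    in-interface=ether1-WAN src-address-list="port scanners"
```

If there are several detection rules (other scan patterns besides the NULL scan), each one needs the same src-address-list=!allowed_ip match, since the exemption lives on the rule that adds to the list, not on the list itself.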

Thank you very much, AlexN. I didn’t even think about modifying those rules!

Still, I second the idea that a multiple address list feature would be helpful.