Thank you SonofGalen! although you're scanning from the inside out that is what i would expect of my scan from the outside in. that is only mapped services showing as open. i would hope remote admin was closed no matter what kind of password he could use. that would leave 5631 tcp and 5632 udp showing as open.

the internet provider he is using is adelphia and i think hes in nc.(north carolina not netcat) im on a T threw uunet. i know uunet is not filtering anything so if my scan on the test router (when i get back to work tomorrow) shows as i expect like yours then i can tell him his isp is causing this, given nothing has changed in his set-up from the last time we did this.