FlyerTalk Forums - View Single Post - Hotels with wired internet only that block you making your own WLAN
Old Apr 8, 2011 | 1:57 am
  #18  
UALOneKPlus
Originally Posted by LAX-1K
For those of you wondering "How does the hotel know I'm using a router, even when I clone the MAC address?", I was told by an IT tech at one convention center that the system is designed to look at the ARP (address resolution protocol) table. That's how they know that you're using a router - even if you only have one device.

So, MAC cloning doesn't always get around the system.

I guess I don't understand this. The ARP table for a router should be shielded from the outside network. Thusly, a hacker outside the router network segment couldn't read/detect the ARP table or redirect traffic by poisoning the ARP table.

How could an external ISP/network block a router by looking at the ARP table, unless the router is set as an AP only and not a router?

NAT routers by definition block ARP tables and their contents from outside the local network. Am I missing something?

Some reference materials I've been reading to try to understand how this is possible (it's not):

http://stackoverflow.com/questions/4...rs-mac-address

http://answers.google.com/answers/th...id/765054.html

http://forums.cnet.com/7723-7589_102-209397.html

EDIT: after more research, it seems more likely that the way to detect NAT routers is by OS fingerprinting, and/or deep packet inspection, as described here: http://www.sflow.org/detectNAT/

If you're really worried then buy a Cisco router like a PIX 501 that won't decrement the TTL on the packets that it passes, then it would be virtually impossible for the host network to detect the NAT router. The only way then is to sniff the traffic over a period of time, and try to determine if there are different users possibly originating the packets... something not easily done by your run-of-the-mill ISPs. Another option is to use DD-WRT to hide this as well: http://www.dd-wrt.com/wiki/index.php...ifying_the_TTL

It is unlikely that the ISP / host could detect / read the ARP tables behind a NAT router.

Bottom line, if I want to use a NAT router on a network, and if I use the Cisco router, or a DD-WRT router with the right settings, and I use a VPN to shield my traffic, with the MAC set to a PC address, it would be impossible for the host / external ISP to block my router or find out that I'm using a router. The only way they could block it is to require a local authentication program on your PC, which is pretty much unheard of for most public ISPs.

Last edited by UALOneKPlus; Apr 8, 2011 at 2:50 am
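The TTL check the post refers to, seen from the network operator's side, as an added example that is not part of the original post: it classifies each access port from the TTLs of packets observed there, and shows the blind spot when a forwarding device does not decrement the TTL. The port names, sample observations and verdict labels are constructed, and the initial TTL values (64, 128, 255) are assumed operating-system defaults.

```python
from collections import defaultdict

# Assumed common initial TTLs: 64 (Linux, macOS), 128 (Windows), 255 (some network gear).
INITIAL_TTLS = (64, 128, 255)

def hops_from_source(ttl):
    """Map an observed TTL to (assumed initial TTL, hops already travelled)."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl

def classify_ports(observations):
    """observations: (port, ttl) pairs captured at the access switch, that is,
    before the operator's own first router. Returns {port: verdict}."""
    per_port = defaultdict(list)
    for port, ttl in observations:
        per_port[port].append(hops_from_source(ttl))
    verdicts = {}
    for port, guesses in per_port.items():
        initials = {initial for initial, _ in guesses}
        if any(hops > 0 for _, hops in guesses):
            # Something on the port forwarded the packet and decremented its TTL.
            verdicts[port] = "routed-hop"
        elif len(initials) > 1:
            # TTL untouched, but more than one OS default seen behind one port.
            verdicts[port] = "multiple-stacks"
        else:
            # Indistinguishable from a single directly attached host.
            verdicts[port] = "direct-host"
    return verdicts

# Constructed sample observations (not captured traffic).
SAMPLE = [
    ("room-101", 128), ("room-101", 128),  # one Windows laptop, directly attached
    ("room-102", 63), ("room-102", 127),   # two clients behind a TTL-decrementing router
    ("room-103", 64), ("room-103", 128),   # two clients, TTL not decremented
    ("room-104", 64), ("room-104", 64),    # one client, TTL not decremented
]

if __name__ == "__main__":
    for port, verdict in sorted(classify_ports(SAMPLE).items()):
        print(port, verdict)
```

The room-104 case is why the TTL check alone is not conclusive for an operator: with an untouched TTL and a single client, the port looks like a directly attached host, and only longer-term traffic analysis or OS fingerprinting can tell the difference.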