Yes, the router knows (via its routing table) who is where. Some routers will allow you to set up a second subnet (with its own set of routes) so it wouldn't be impossible, but unlikely to be very practical.
You're trying to check vulnerabilities on the router itself, or on devices behind the router?
Assuming you've no services accessible from the outside, your best bet is in fact to educate your network users. If there are any 'vulnerabilities', it's uneducated users. Show them the differences between legitimate mail and mail which is looking to steal/phish credentials, for example. Explain policies with passwords, checking to see that the address of whichever website looks genuine before submitting any information. Stuff that, to you and me, would be fairly common sense.
A heads-up that the results of 'an nmap scan' shouldn't inspire too much confidence. Buggy web apps, misconfigured mail servers, open shares - nmap won't tell you anything about these.