You should really read up on some networking.
So you're saying forged packets aren't broadcast in the open? I've seen plenty of firewall rules where the source = public IP and the destination = private IP. That could be internal 192.168.x.x or 10.x.x.x. Obviously, if that private IP subnet doesn't exist, there won't be a route for it.
You are misguided if you think that just setting a private IP as the destination address would make the packet reach a NATted LAN from the internet. The router only routes packets to NATted subnets for which there are NAT entries, either from configuration or from dynamic port mappings that are usually generated by NATting outgoing traffic. It would be dropped even without SPI.
Forged packets? I suppose HP printers will attempt communication via DNS lookup to the outside (because of all those stupid silly feature services for ease of access).
Do you mean that the attacker would forge packets to the printer's TCP port 9100 as a forged answer to its outgoing DNS requests? That would again not work, as there is no NAT mapping in the router to the printer's address and port 9100 as a result of its DNS request, unless the DNS request originated from port 9100...
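The point made in the last two replies (an inbound packet is only translated toward the LAN when a NAT entry exists, whether created by outgoing traffic or by static configuration) can be checked with a small model of a port-overloading NAT. The code below is an added example, not code from any poster in this thread; the addresses are constructed from the RFC 5737 documentation ranges, and the printer address, ephemeral port and port numbers are assumed values chosen to match the scenario discussed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Minimal NAPT model: one public IP, a translation table, and a WAN-side
    inbound check. It deliberately ignores TCP state and remote-endpoint
    restrictions, which would only make a real router stricter."""

    def __init__(self, public_ip: str, lan_prefixes=("192.168.", "10.")):
        self.public_ip = public_ip
        self.lan_prefixes = lan_prefixes
        self._next_port = 40000
        # (proto, public_port) -> (lan_ip, lan_port): what inbound lookups use
        self.inbound_map: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (proto, lan_ip, lan_port) -> public_port: reuse mapping for a LAN socket
        self.outbound_map: Dict[Tuple[str, str, int], int] = {}

    def add_static(self, proto: str, public_port: int, lan_ip: str, lan_port: int):
        """A configured entry (port forward), the 'from configuration' case."""
        self.inbound_map[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN->WAN packet and create the dynamic mapping."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        pub_port = self.outbound_map.get(key)
        if pub_port is None:
            pub_port = self._next_port
            self._next_port += 1
            self.outbound_map[key] = pub_port
            self.inbound_map[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if the router drops it."""
        # A packet arriving on the WAN side addressed to a private IP is never
        # forwarded: the router only translates packets sent to its own public
        # address, so the "forged packet to 192.168.x.x" idea stops here.
        if pkt.dst_ip != self.public_ip:
            return None
        # Addressed to us: forward only if a mapping for this port exists.
        entry = self.inbound_map.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)


def demo() -> dict:
    nat = NatRouter("203.0.113.5")            # constructed public IP
    printer = "192.168.1.20"                  # assumed printer address
    resolver = "198.51.100.53"                # constructed external resolver

    # The printer's DNS query leaves from an ephemeral port, not from 9100.
    query = nat.outbound(Packet("udp", printer, 51234, resolver, 53))
    # The legitimate reply comes back to the mapped public port and is delivered.
    dns_reply = nat.inbound(Packet("udp", resolver, 53, query.dst_ip if False else nat.public_ip, query.src_port))

    attacker = "198.51.100.99"
    # Forged packet addressed straight at the private IP, port 9100: dropped.
    to_private = nat.inbound(Packet("tcp", attacker, 4444, printer, 9100))
    # Forged packet to the public IP, port 9100: no mapping was created by DNS, dropped.
    to_public = nat.inbound(Packet("tcp", attacker, 4444, nat.public_ip, 9100))

    # Only an explicitly configured entry would expose 9100, which is why a
    # port forward for a printer is the thing to look for in the config.
    nat.add_static("tcp", 9100, printer, 9100)
    after_forward = nat.inbound(Packet("tcp", attacker, 4444, nat.public_ip, 9100))

    return {
        "dns_reply": dns_reply,
        "forged_to_private_ip": to_private,
        "forged_to_public_ip_9100": to_public,
        "after_port_forward": after_forward,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'DROP' if result is None else result}")
```

The model keys inbound lookups on protocol and public port only; a real router additionally checks the remote address and port for UDP mappings and tracks TCP state, so anything this model drops a real router drops as well.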