It might be the IP of the router, in which case the router itself will accept the connection if something is listening (like the web interface perhaps). But whoever sent you the L2 frame has full control over the contents of the IP in the packet, so it could be anything.

NAT doesn't protect you from either of these.

Repeating the same wrong points doesnt make you right.

Every NAT based product will have a firewall built in also by default. And it'll be deny-all except for conn-tracked.

And that L2 attack is a martian packet. Why are you allowing reserved IPs talk on public network interfaces (hello, spoofing and obvious at that)? These are always blocked due to the reasons you describe.

https://en.wikipedia.org/wiki/Martian_packet