What does that router do with packets a local program (running on the router) sends to 10.x.x.x? By default it would likely do the same with an external packet addressed to 10.x.x.x, and that would not be to drop the packet.
When I've seen a "NAT" box configuration it's literally been two iptables rules: one to do NAT, and one to default drop packets from outside.
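A simplified model of the forwarding decision discussed above, as an added example that is not part of the original comments: address translation by itself only rewrites and tracks outbound flows, so a router with just the NAT rule still routes a new packet arriving from outside that is addressed to 10.x.x.x, and it is the separate drop rule that stops it. This is not netfilter's actual code path; the class, its method names and the documentation-range addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/8")            # inside range, as in the comments
ROUTER_WAN = ip_address("203.0.113.1")    # constructed documentation address

class Router:
    """Toy model: one NAT rule, plus an optional 'drop new from outside' rule."""

    def __init__(self, drop_new_from_wan):
        self.drop_new_from_wan = drop_new_from_wan
        self.conntrack = {}               # (remote ip, remote port, wan port) -> inside host
        self.next_port = 40000

    def outbound(self, src, sport, dst, dport):
        """LAN -> WAN: the NAT rule rewrites the source and records the mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[(dst, dport, wan_port)] = (src, sport)
        return (str(ROUTER_WAN), wan_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Packet arriving on the WAN side; returns (verdict, delivered_to)."""
        if ip_address(dst) == ROUTER_WAN:
            # Replies to a tracked flow are translated back and forwarded.
            inside = self.conntrack.get((src, sport, dport))
            if inside:
                return ("forward-established", inside)
            return ("local-no-listener", None)
        if ip_address(dst) in LAN:
            # No NAT state applies here: this is plain routing, so only
            # the filter rule decides whether the packet gets through.
            if self.drop_new_from_wan:
                return ("drop", None)
            return ("forward-new", (dst, dport))
        return ("no-route", None)

if __name__ == "__main__":
    for name, router in (("NAT only", Router(False)), ("NAT + drop", Router(True))):
        # Constructed sample packet: outside host to an inside address.
        print(name, router.inbound("198.51.100.7", 5555, "10.0.0.5", 22))
```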