As per http://linux-ip.net/html/nat-dnat.html: "In a devilishly subtle difference, netfilter DNAT [i.e. NAT done with iptables DNAT commands] does not cause the kernel to answer ARP requests for the NAT IP, where iproute2 NAT automatically begins answering ARP requests for the NAT IP."

This means that if you have a setup similar to the following:

public IPs:  172.16.1.0/24
private IPs: 10.0.0.0/24

                          ___
                        (    ).
                     _(       '`.
                   .=(`(         )
                  ((   Internet    )
                   `(        )   )
                     ` __._____:'
                            |
                            |
                  +-----------------+
                  | upstream router |
                  |   172.16.1.9    |
                  +-----------------+
                            |
        +-------------------------------------------+
        | firewall                                  |
        | main public IP:   NAT mappings:           |
        | 172.16.1.10       172.16.1.11 - 10.0.0.1  |
        |                   172.16.1.12 - 10.0.0.2  |
        |                   172.16.1.13 - 10.0.0.3  |
        |                   172.16.1.14 - 10.0.0.4  |
        +-------------------------------------------+
               |                      |
         +----------+           +----------+
         |  server  |           |  server  |
         | 10.0.0.1 |           | 10.0.0.1 |  . . .
         +----------+           +----------+

The firewall machine will not answer ARP requests from the upstream router for the NATed IPs (e.g. 172.16.1.11), so unless a packet using one of the NATed public addresses as its source IP has previously passed through the router outbound, inbound packets will be dropped because ARP fails to come up with anywhere to send them.

There are several solutions to this:

1. In the upstream router, add two routing table entries for the same subnet:
   - one entry as host-only, telling it that your router's IP address is locally connected on whatever interface.
   - another entry for the entire subnet, at a slightly lower priority, saying to pass all traffic for that subnet to your router's IP as the gateway.

   e.g. if the upstream router were running Linux, the equivalent commands would be:

       ifconfig eth0 172.16.1.9
       route add -net 172.16.1.0/24 gw 172.16.1.10

2. If your upstream router doesn't support setting up an entry for a given subnet pointing into the same subnet, you have a couple of options:
   a. use a different IP for the router, one that isn't on the NAT subnet
   b. split the subnet up, so that the router's own IP is technically not on the same subnet
   c. if some of the NAT IPs are too close to the router's IP to fit the subnetting, e.g. if the router is .10 and the NATed IPs are .11, .12, ..., do this: split the subnet up higher, wherever there's room, and make static ARP entries on the upstream router for the IPs below that. e.g.:

          .10 - router
          .11 - static ARP
          .12 - static ARP
          .13 - static ARP
          .14 - static ARP
          .15 - broadcast address; end of subnet 1
          .16 - beginning of subnet 2
          ...

3. Use an entirely different IP for the firewall, e.g. a non-routable one, and have the upstream router treat that as the gateway for all traffic bound for the public subnets on your firewall.
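A quick way to see which public IPs are affected by the behaviour described above is to compare the firewall's DNAT rules against the addresses it actually holds: a DNAT destination that is not configured on any local interface is one the firewall will never answer ARP for, so the upstream router has no way to deliver inbound packets to it until one of the fixes above is in place. The following is an added example, not part of the original page: a POSIX sh script that parses constructed sample output in the shape of `iptables -t nat -S` and `ip -4 -o addr` (embedded inline so it runs offline; on a real firewall you would feed it the live output of those two commands) and prints the DNAT public IPs that have no local address.

```shell
#!/bin/sh
# Added example: flag DNAT public IPs that the firewall holds no local
# address for, and therefore will not answer ARP requests for.

# Constructed sample of `iptables -t nat -S` output (not from a real host).
# 172.16.1.12 is deliberately also configured locally below, so it is NOT flagged.
NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 172.16.1.11/32 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -d 172.16.1.12/32 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 172.16.1.13/32 -j DNAT --to-destination 10.0.0.3
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 172.16.1.10'

# Constructed sample of `ip -4 -o addr` output (one address per line).
LOCAL_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 172.16.1.10/24 brd 172.16.1.255 scope global eth0
2: eth0    inet 172.16.1.12/24 scope global secondary eth0
3: eth1    inet 10.0.0.254/24 brd 10.0.0.255 scope global eth1'

# Print the public destination IP of every DNAT rule (strip a trailing /32).
dnat_targets() {
    printf '%s\n' "$1" | awk '
        /-j DNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "-d") { sub(/\/32$/, "", $(i+1)); print $(i+1) }
        }'
}

# Print every IPv4 address configured locally, without its prefix length.
local_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# Print each DNAT public IP that is not configured on any local interface.
# Arguments: $1 = nat rules text, $2 = ip addr text.
unarped_dnat_ips() {
    for ip in $(dnat_targets "$1"); do
        if ! local_addrs "$2" | grep -qx "$ip"; then
            echo "$ip"
        fi
    done
}

# Stand-alone run: list the IPs the upstream router cannot resolve by ARP.
unarped_dnat_ips "$NAT_RULES" "$LOCAL_ADDRS"
```

On the constructed input this prints 172.16.1.11 and 172.16.1.13; 172.16.1.12 is skipped because it is also a local (secondary) address on eth0, and the SNAT rule is ignored because only `-j DNAT` lines are considered. The parsing relies on the single-line formats of `iptables -S` and `ip -o`, so pipe exactly those forms into it rather than the multi-line `iptables -L` or `ip addr` output.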