As per

	"In a devilishly subtle difference, netfilter DNAT [i.e. NAT done with
	iptables DNAT commands] does not cause the kernel to answer ARP requests
	for the NAT IP, where iproute2 NAT automatically begins answering ARP
	requests for the NAT IP."

This means that if you have a setup similar to the following:

public IPs:
private IPs:

                     (     ).    
                    _(       '`. 
                .=(`(          ) 
               ((    Internet  )          
               `(              ) )      
                 ` __._____:'
              | upstream router |
              |      |
              | firewall                                  |
              | main public IP:    NAT mappings:          |
              | - |
              |           - |
              |           - |
              |           - |
                   |              |
              +----------+   +----------+
              | server   |   | server   |
              | |   | |    . . .
              +----------+   +----------+

The firewall machine will not answer ARP requests from the upstream router for
the NATed IPs (e.g., so unless a packet using one of the NATed
public addresses as its source IP has previous passed through the router
outbound, inbound packets will be dropped because ARP fails to come up with
anywhere to send them.

There are several solutions to this:

1. In the upstream router, add two routing table entries for the same subnet:
   - one entry as host-only, telling it that the your router's IP address is
     locally connected on whatever interface.
   - another entry as for the entire subnet, at a slightly lower priority,
     saying to pass all traffic for that subnet to your router's IP as the
   e.g. if the upstream router were running Linux, the equivalent commands
   would be:
   ifconfig eth0
   route add -net gw

2. If your upstream router doesn't support setting up an entry for a given
   subnet pointing into the same subnet, you have a couple of options:

   a. use a different IP for the router, that isn't on the NAT subnet

   b. split the subnet up, so that the router's own IP is technically not on
      the same subnet

   c. if some of the NAT IPs are too close to the router's IP to fit the
      subnetting, e.g. if the router is .10 and the NATed IPs are .11, .12, ...,
      do this:
      split the subnet up higher, wherever there's room, and make static ARP
      entries on the upstream router for the IPs below that. e.g.:
      .10 - router
      .11 - static ARP
      .12 - static ARP
      .13 - static ARP
      .14 - static ARP
      .15 - broadcast address; end of subnet 1
      .16 - beginning of subnet 2

3. Use an entirely different IP for the firewall, e.g. a non-routable one, and
   have the upstream router treat that as the gateway for all traffic bound
   for the public subnets on your firewall.