Firewall/NAT

My m0n0wall is set up as follows:

LAN interface em0 has addresses 192.168.42.1 and 2001:470:1f11:8eb::1
WAN interface rg0 has address 66.93.213.254
DMZ interface rg1 is bridged with WAN

I have a physical host on the DMZ segment which houses some VMs. One Linux VM, at 66.93.213.109, is working fine. I can connect to it from the LAN as well as allowed address ranges on the internet, for example with an SSH session on port 22. A Windows VM, at 66.93.213.10, can be reached from allowed internet address ranges, but is not reachable from the LAN.

When I try to connect to 66.93.213.10 from the LAN, for example to initiate an RDP session on port 3389, the SYN gets through to the destination just fine, and an ACK is sent, but the ACK never makes it back to the client on the LAN. According to the m0n0wall firewall log, there is traffic being denied from 66.93.213.10, port 3389 to 66.93.213.254, port 1766. (Of course the destination port for the ACK is different each time.)

Not sure what else to include that might be relevant, except to say that LAN and DMZ are both allowed through the firewall without any restrictions.

Any idea what I'm doing wrong?

Now, with the only apparent change being that I've restarted my desktop PC, I can't connect to 66.93.213.109 port 22 for what seems like the same reason. I'm seeing packets blocked from the DMZ, 66.93.213.109 port 22 to 66.93.213.254 port 53912 (and other high ports on 66.93.213.254... different for each attempt).

Am I running into the problem described in http://doc.m0n0.ch/handbook/faq-bridge.html? Because that FAQ entry makes it sound like I should never be able to make these connections. However, what I'm seeing is that it's intermittent.