Hello everybody,

I have a bit of a weird problem with routing over an SSH tunnel connecting my office and home networks, and I would appreciate any insights into it. In short, routing between the two subnets works fine between any two computers EXCEPT for the ones connected with the tunnel. They can ping each other but not anything else.

My network configuration is as follows:
my office subnet is a couple of computers sitting behind a DD-WRT router with address 192.168.1.1/24
my office network is a couple of computers sitting behind a DD-WRT router with address 192.168.2.1/24
One of the computers in the office (192.168.1.134) is connected to one of the computers at home (192.168.2.99) via an SSH tunnel. On this tunnel the office computer has address 192.168.4.1/24 and the home computer has address 192.168.4.2/24. The tunnel is set up correctly, IP forwarding is ON, etc.

----
Routing table on the 192.168.1.134 computer:
192.168.4.0 * 255.255.255.0 U 0 0 0 tun0
192.168.2.0 192.168.4.1 255.255.255.0 UG 1 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 5 0 0 eth0
It routes all packets for the home subnet to the tunnel.
----
Routing table on the 192.168.2.99 computer:
192.168.4.0 * 255.255.255.0 U 0 0 0 tun0
192.168.2.0 * 255.255.255.0 U 5 0 0 eth0
192.168.1.0 192.168.4.2 255.255.255.0 UG 1 0 0 tun0
default 192.168.2.1 0.0.0.0 UG 5 0 0 eth0
----
Routing table on the home router:
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.1.0 192.168.2.99 255.255.255.0 UG 2 0 0 br0
WAN 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 WAN 0.0.0.0 UG 0 0 0 vlan2
It routes all packets for the office network to the tunnel computer.
----
Routing table on the office router:
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.2.0 192.168.1.134 255.255.255.0 UG 0 0 0 br0
WAN 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 WAN 0.0.0.0 UG 0 0 0 vlan1
It routes all packets for the home network to the tunnel computer.
----
Routing tables on the rest of the computers are the default ones and route all outside requests to the corresponding router. If a computer at home tries to reach a computer in the office, the packet gets to the router, the router sends it to the tunnel computer, the tunnel computer sends it over the tunnel and everything is peachy. The same in the other direction.

Now, this setup mostly works. Any computer at home EXCEPT the tunnel computer can communicate with ANY computer at the office (including the office tunnel computer). The same in the other direction. Here is an example traceroute from 192.168.1.106:
traceroute to os.home (192.168.2.113), 30 hops max, 60 byte packets
1 192.168.1.134 0.107 ms 0.102 ms 0.105 ms ;; tunnel computer
2 192.168.4.2 23.871 ms 24.660 ms 24.656 ms ;; over tunnel
3 192.168.2.113 24.655 ms 46.745 ms 46.739 ms ;; other network

The problem is that the tunnel computers can't talk to any computer on the opposite subnet, except the opposite tunnel computer.

Traceroute gets to the opposite tunnel computer over the tunnel and stops:
traceroute to os.home (192.168.2.113), 30 hops max, 60 byte packets
1 192.168.4.2 21.454 ms 24.253 ms 24.566 ms
2 * * *

For the life of me I can't understand why this happens. If somebody could help, it would be greatly appreciated.

Note: I cannot set up a normal VPN between the DD-WRT routers because the company firewall closes all ports except SSH.

Thanks in advance,
Alex.
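To see which hop loses a packet in this setup, here is an added example (my code, not Alex's) that replays the four routing tables from the post through a longest-prefix-match lookup and traces a packet together with its reply. It assumes the ordinary hosts carry only a LAN route plus a default route to their router, as the post says, and that traffic the tunnel host originates into tun0 is stamped with its tun0 address 192.168.4.1 as source, which is Linux's default when the route has no explicit src; ICMP redirects are ignored.

```python
import ipaddress
# Routing tables transcribed from the post as (prefix, gateway, interface).
# Gateway None = directly connected ("*" / 0.0.0.0); "WAN" stands for the router's uplink.
TABLES = {
    "192.168.1.134": [("192.168.4.0/24", None, "tun0"), ("192.168.2.0/24", "192.168.4.1", "tun0"),
                      ("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")],
    "192.168.2.99": [("192.168.4.0/24", None, "tun0"), ("192.168.2.0/24", None, "eth0"),
                     ("192.168.1.0/24", "192.168.4.2", "tun0"), ("0.0.0.0/0", "192.168.2.1", "eth0")],
    "192.168.2.1": [("192.168.2.0/24", None, "br0"), ("192.168.1.0/24", "192.168.2.99", "br0"),
                    ("0.0.0.0/0", "WAN", "vlan2")],
    "192.168.1.1": [("192.168.1.0/24", None, "br0"), ("192.168.2.0/24", "192.168.1.134", "br0"),
                    ("0.0.0.0/0", "WAN", "vlan1")],
    # Ordinary hosts, constructed from the post's description: LAN plus a default route to the router.
    "192.168.1.106": [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")],
    "192.168.2.113": [("192.168.2.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.2.1", "eth0")],
}
ALIASES = {"192.168.4.1": "192.168.1.134", "192.168.4.2": "192.168.2.99"}  # tun0 address -> host
TUN_PEER = {"192.168.1.134": "192.168.2.99", "192.168.2.99": "192.168.1.134"}  # other end of tun0

def lookup(node, dst):
    """Longest-prefix match of dst in node's table; returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in TABLES[node] if addr in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]

def trace(src_node, dst):
    """Hop list from src_node to dst (ICMP redirects ignored); ends in the destination
    host, or in 'WAN' / 'unreachable' when the packet is lost."""
    path, node, target = [src_node], src_node, ALIASES.get(dst, dst)
    while node != target:
        gw, iface = lookup(node, dst)
        if iface == "tun0":          # point-to-point link: whatever enters tun0 arrives at the peer
            nxt = TUN_PEER[node]
        elif gw is None:             # directly connected: deliver on the LAN if the host is known
            nxt = target if target in TABLES else "unreachable"
        else:
            nxt = gw                 # "WAN" leaves the model; for this exercise the packet is lost
        path.append(nxt)
        if nxt not in TABLES:
            break
        node = nxt
    return path

def round_trip(src_node, dst, src_addr):
    """Forward path, plus the reply path the remote host takes back to src_addr."""
    return trace(src_node, dst), trace(dst, src_addr)
if __name__ == "__main__":
    for origin, src in (("192.168.1.106", "192.168.1.106"), ("192.168.1.134", "192.168.4.1")):
        print(src, round_trip(origin, "192.168.2.113", src))
```

Under those assumptions the reply to 192.168.4.1 reaches the home router, matches no 192.168.4.0/24 route and follows the default toward the WAN, while the same exchange with 192.168.1.134 as the source address completes in both directions.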