I’ve read a lot of the 2.9 docs and watched the forum since we started using MT a few months back. Now I have some questions for the gurus among this membership. For the sake of argument consider anything currently configured to be changeable.
We started with a single RB500 w/ db (9 ports total) running 2.9.18 configured w/ NAT and one hole punched thru for a mail server. Each inside port got a 172.16.1x.1\24 address. Each got a related DHCP server. Because of historic static network configs there are several 10.10.10.xx\4 addresses also masq’d. Route out our provided T1s thru ether1. All fixed wireless and other network devices have management addresses of 172.32.x.xx\16 (our “command net”) — this setup worked fine but we couldn’t remote manage anything.
Then we expanded using a canopy backhaul and added another MT (Core) at the next site. To keep things simple I set up the same basic network structure. Each port gets 172.16.2x.1\24 and related DHCP and NAT. Route out thru ether1 to the first MT (Head). Same “command net” that has to be physically attached to, to manage.
This has worked, but we can only manage both MTs with winbox from Core (MT2); going from Head (MT1) doesn’t work. And I can’t see anything on “command net” except with ip-scan. I know this is not the best setup. I know I should be tunnelling but I can’t get it to work right (been trying IPIP tunnels). And now my forehead is getting sore.
So I’m asking - what would you do? I would like to have the following functionality:
- both routers (and any additional) would seem as one big router. meaning a ping from Head(MT1) say 172.16.12.1 to 172.16.23.1 on Core(MT2) would respond.
- command net devices would be accessible regardless of port or router and not route outside.
- support traffic management when we get there
- support radius when we get there.
Any and all suggestions will be reviewed. I have two more RB500s for testing currently running 2.9.20 with similar test environments so these tests won’t blow my network away.
As a bonus, I am willing to work up a wiki doc once I know it works detailing how to set up a tunneled MT pair with NAT, static masqs, and a private unrouted network.
I’ve written Linux training docs before and know how to make them readable and usable.
I know this is a little long for a first post but…
./done