If I make a network, such as 10.1.55.x / 24 and I have run out of IP addresses, I would have just changed the mask to /23 and add addresses 10.1.56.x. But suppose 10.1.56.x range already occupied.
How do I make a transparent network in this case?
You should start with a general IP layout plan that suits your needs.
I would block out large ranges for each site, even if they only have one PC and one phone. It's not like you have to conserve private IP space the same way you conserve public IP addresses.
Do you now, or do you expect to ever have more than 255 sites?
If not, then I recommend each site be allocated a /16
E.g. Site1 = 10.1.0.0/16, Site2 = 10.2.0.0/16, etc...
Standardize the layout for all sites:
Break down the 3rd octet into similar ranges for all sites
0-3 = secure network for device management / protected servers / etc...
4-7 = trusted networks (admin workstations, network managment servers, etc)
8-15 = public server networks / printers / etc...
16-247 = general-purpose standard security level LANs / phones / etc..
248-254 = untrusted/low-security/guest networks
255 = infrastructure links, point-to-point networks, transit networks, etc.
Make actual assignments for your sites as needed:
Go ahead and make the LANs large enough to hold any conceivable number of hosts - /22 is about 2k hosts. So what if the network is actually small? This way, you'll never have to re-configure a network/DHCP scope just because a site suddenly grew.
Example workstation LAN for site 14:
10.14.16.0/22 -> wkstation LAN 1
10.14.20.0/22 -> reserved (expansion of wkstation LAN 1)
10.14.24.0/22 -> phone LAN 1
10.14.28.0/22 -> reserved (expansion of phone LAN 1)
Second LAN at site 14:
10.14.64.0/22 -> wkstation LAN 2
10.14.68.0/22 -> reserved.
See how I skipped right over 32-63? Make your assignments far away from each other (sparse) so that you can easily expand any network you want to just by changing the netmask. If you ever assign all of the free space at a site, that's when you start assigning from reserved space.
Make the routing work
Finally, you should make sure that all routers know the routes to all sites, and then use filters to limit access.
Keep all functionality within its natual OSI layer - so don't make something 'secure' by breaking layer3 (not routing an address) because 3 years later, you may forget why a certain network is not in the routing table. If you need to block a kind of access, create a rule, and mark it with a comment explaining the rule's purpose.
You can easily implement this without dynamic routes if you need to - on every site, route 10.0.0.0/8 across the EoIP tunnel, and then route the local /16 to unreachable by default. (so packets sent to unused addresses won't bounce back and forth across the tunnel over and over until TTL expires, wasting bandwidth)
Example at site 4:
/ip route add dst-address=10.0.0.0/8 gateway=Tunnel1
/ip route add dst-address=10.4.0.0/16 type=unreachable
At main site:
/ip route add dst-address=10.0.0.0/8 type=unreachable
/ip route add dst-address=10.1.0.0/16 gateway=TunnelSite1
/ip route add dst-address=10.2.0.0/16 gateway=TunnelSite2
(use GRE or IPIP tunnels, not EoIP, so you don't need IP addresses on the tunnel interfaces)
This is just one example, and you don't need to follow it exactly - I just give this as an example of a scalable IP plan. Your needs may be different. It may seem like overkill but it gives you lots of room to grow into. If a site only has 9 computers and phones, just choose the first "standard LAN" assignment there and don't worry that the rest is just dead space.
The primary purpose of this design is to keep topology and layout very simple and easily extended. If you're more interested in keeping policy simple, you may choose to make the second octet be used for security/purpose, and then the 3rd octet gets assigned for sites:
(10.0-31.x.x = high security, 10.32-191.x.x = standard security, 10.192-255.x.x = untrusted, then assign blocks from each security level to a site as needed, then route them. In this model, I would not try to make octet 3 have any special meaning, and would be more conservative with how much space I assigned to each LAN)
I hope this helps and is not too confusing.