I have a fairly large network consisting of 26 Mikrotik routers, predominantly RB1200s.
Not going to use real IPs below...
Each router has a 1.1.x.x/22 subnet off it and then we do 2.2.2.x/29 backhaul links off other interfaces and run OSPF. Some sites have redundancy, some do not. I have multiple OSPF areas and run multiple instances.
All the 1.1.x.x/22 subnets consist of customer UBNT devices. Customer routers pull a 1.1.x.x address from the local router at the site they are subscribed from.
The 1.1.x.x/22 traffic works its way back to a core Cloud Core router in our backbone area where it is NAT'd out to the internet.
I'm looking to build firewall rules that allow all our administrative traffic from 3.3.3.x/24 to get to everything. But I want to ensure that each router at each site doesn't allow 1.1.x.x/22 traffic from other sites.
I'm looking for any ideas or suggestions?
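One way to lay this out on a RouterOS site router, as an added example that is not part of the original post and not the poster's configuration: the placeholder addresses come from the question (3.3.3.0/24 admin, 1.1.x.x/22 customer subnets), and the example assumes that every site's /22 falls inside an aggregate 1.1.0.0/16 and that this particular router serves 1.1.4.0/22. The admin /24 is accepted first, then new flows between the local /22 and any other site's customer range are dropped, while backhaul transit traffic from other sites on its way to the core is left alone because it never matches the local list.

```routeros
# Added example for one site router (not the poster's config).
# Addresses are the question's placeholders; the /16 aggregate and the
# local /22 are assumptions that must be set per router.
/ip firewall address-list
add list=admin address=3.3.3.0/24 comment="administrative network"
add list=customer-all address=1.1.0.0/16 comment="assumed aggregate covering every site /22"
add list=customer-local address=1.1.4.0/22 comment="this site's own /22, changes on each router"

/ip firewall filter
# --- traffic to the router itself ---
add chain=input action=accept connection-state=established,related comment="replies to the router's own sessions"
add chain=input action=accept src-address-list=admin comment="admin network may manage the router"
add chain=input action=accept protocol=ospf comment="keep OSPF adjacencies up"
add chain=input action=drop comment="everything else to the router is dropped"

# --- traffic through the router ---
add chain=forward action=accept connection-state=established,related comment="return traffic of already-allowed flows"
add chain=forward action=accept src-address-list=admin comment="admin network reaches everything"
add chain=forward action=accept src-address-list=customer-local dst-address-list=customer-local comment="traffic inside this site's /22"
add chain=forward action=drop src-address-list=customer-all dst-address-list=customer-local comment="other sites' customers cannot reach this site's /22"
add chain=forward action=drop src-address-list=customer-local dst-address-list=customer-all comment="this site's customers cannot reach other sites' /22s"
# Transit traffic (other site's /22 -> core, via the backhaul) matches none of the
# drop rules above and continues to the core where it is NAT'd.
```

The two drop rules only fire when one side of the flow is the local /22, so the same script can be pasted onto every site router with just the `customer-local` entry changed; if the site /22s are not contiguous, replace the single `customer-all` entry with one entry per site /22. Check the counters on the drop rules from the admin network after deploying, and keep the OSPF accept in the `input` chain above the final drop or the adjacencies will fall over.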