Passing traffic through external firewall and back into CCR

Tue May 30, 2017 6:11 pm

Hi all,

I have a bit of a weird situation. A CCR is serving hotspot users and PPPoE clients on one ethernet interface (ETH2), and has another ethernet interface configured as WAN uplink (ETH1). PPPoE sessions are encrypted, the CPE device being a hAP. Hotspot users are just coming in via various WiFi APs.

As I'm testing various things, I need to place a Meraki security appliance between clients and upstream network, to test things like IPS, firewall / traffic shaping of P2P, etc. The Meraki is in effect a transparent bridge that doesn't modify packets in transit; it just inspects & takes whatever action is needed. It's then supposed to show you, per client, things like protocol/application usage, etc.

I placed the Meraki between the clients & the CCR, basically connecting the "input" into Meraki to the downstream switch where APs & PPPoE clients come from, and the "output" of the Meraki to ETH2 of the CCR. I can see traffic from hotspot users, but PPPoE traffic, being encrypted up to the CCR, is not visible. If I place the Meraki between ETH1 and the upstream WAN router, it will see all traffic as coming from the CCR.

What I need is to be able to output all traffic after PPPoE decryption on a CCR port, pass it through the Meraki, and back into the CCR for sending upstream via the WAN link. Something like:

[Clients] --- [Switch] --- [CCR ETH2 PPPoE server] --- [CCR ETH3] --- [Meraki] --- [CCR ETH4] <-NAT-> [CCR ETH1 WAN]

I can draw an actual diagram if the above is not entirely clear...

