Simple. You don't put any IP addresses or services on the PPPoE interface.
ether1 goes to your network, has your IPs, has the PPPoE IP space routed to it.
ether2 points to the clients. It has one service running on it: a PPPoE server. No IP addresses, nothing.
If someone doesn't authenticate with PPPoE, they have nothing to communicate with, and can't get access.