Create a public subnet on the LAN port of your router. Make sure the masquerade rule you have set up only applies to the private subnet(s). Use a static DHCP reservation or a manually configured IP on the client and you're done... So basically you'd be running two networks on one physical segment.
Here's the catch. You'll need a block of IPs large enough to subnet and route.
If you've only got a /29 from your ISP this would be difficult, because you'll only be able to subnet out two /30s.
Other than that you're stuck with doing 1:1 NAT, or Proxy-ARP. I'd recommend using the 1:1 NAT over Proxy-ARP.
I authenticate users on my network using PPPoE; most if not all residential subscribers get a private address (172.16.xx.xx), conserving the /22 we have from our ISP for static and business customers. Using PPPoE it's just a matter of changing the client's "Pool" or static IP assignment in the database, and a simple reset of the PPPoE connection to get them a public IP.
Here's some additional reference site(s):
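
Separately from the post above, an added example (not the poster's code) that checks the two points it raises: how little a /29 yields once split into /30s, and whether a masquerade rule's source range stays off the public subnet. The addresses are constructed (203.0.113.0/29 is a documentation range standing in for the ISP block), and the function names and the one-gateway-address-per-subnet assumption are this example's own.

```python
import ipaddress

# RFC 1918 ranges; anything outside these is treated as public here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)

def split_block(block, new_prefix):
    """Split an ISP block; return (subnet, addresses left for clients) pairs.
    Assumption: each subnet gives up its network, broadcast and one
    router (gateway) address."""
    block = ipaddress.ip_network(block)
    return [(str(s), s.num_addresses - 3)
            for s in block.subnets(new_prefix=new_prefix)]

def audit_masquerade(masq_sources, lan_subnets):
    """Compare masquerade source ranges with the subnets on the LAN port."""
    rules = [ipaddress.ip_network(r) for r in masq_sources]
    findings = []
    for name in lan_subnets:
        net = ipaddress.ip_network(name)
        hit = [str(r) for r in rules if r.overlaps(net)]
        if not is_rfc1918(net) and hit:
            # Public hosts would be translated anyway, defeating the setup.
            findings.append((name, "public subnet is NATed by " + ", ".join(hit)))
        elif is_rfc1918(net) and not hit:
            findings.append((name, "private subnet has no masquerade rule"))
    return findings

# Constructed sample: two networks on one physical segment.
LAN = ["172.16.0.0/24", "203.0.113.0/30"]

if __name__ == "__main__":
    print(split_block("203.0.113.0/29", 30))
    print(audit_masquerade(["0.0.0.0/0"], LAN))      # unrestricted rule
    print(audit_masquerade(["172.16.0.0/24"], LAN))  # restricted to private
```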