I was able to configure things with double NAT but not without:
192.168.89.1/30
as network for routeros and firewall where the routeros device works as gateway for the firewall.
Routeros doing masquerading for all outoging packages to the PPPoE interface.
This is working only if the firewall is doing masquerading too which leads to double NAT.
If there is no masq on the firewall side ICMP is working for instance but not HTTPS. Any ideas?
Please provide a network picture so we can understand what you are trying to achieve.
Where is the PPPOE client? Configure that node to do the NAT. Now add some routes from that node to the rest of the network (most likely some RFC1918 networks like
"route 192.168.0.0/16 to the next nodes RFC1918 address"
and use only RFC1918 in the internal network.
I have such a setup at the moment.
I have the PPPOE client on my router (the modem is actually a VDSL modem in an SFP). The router does the VLAN de-capsulation and then does the actual NAT.
Now I route all internal (RFC1918) traffic to my internal network through my firewall (PFSENSE HA setup) with RFC1918 addresses. That firewall does the rest of the filtering as required, but it sees only RFC1918 addresses for the internal nodes and uses RFC1918 itself.
To make things easy use a transit RFC1918 network to connect the PPPOE client and the firewall