How to monitor WAN with PPPoE & masquerading?


I recently switched my WAN interface to connect to my VDSL modem via PPPoE. Naturally, I have to NAT my outgoing traffic to the public IP, which is why I have enabled masquerading for my WAN interface.

Now, it kind of bothers me that I can no longer get proper insights into the WAN traffic on the pppoe-wan interface. Using iftop or tcpdump is kind of useless due to masquerading. All source IPs on the network are the ones of the router.

So I wonder what are your suggestions to alleviate this situation?

I was thinking about maybe introducing a transparent "gateway network".

router --- gateway (eth0.66, ethernet) --- wan (eth0.7, pppoe) --- inet

All traffic matching the default route would be targeted at the gateway network interface and then forwarded to the WAN interface. I could then monitor the gateway interface.
Any suggestions on how to implement this?
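
The masquerading described above is tracked in the kernel's connection-tracking table, where each entry keeps the original LAN source next to the translated reply tuple. As an added example (not part of the original post), this shell function sums bytes per LAN host from `conntrack -L` style output. It assumes byte accounting is enabled (`net.netfilter.nf_conntrack_acct=1`); the sample entries are constructed, with 203.0.113.5 standing in for the public address on pppoe-wan.

```shell
#!/bin/sh
# Added example: attribute masqueraded WAN flows to the LAN host that opened them.
# Input is `conntrack -L` style text; byte counters are only present when
# net.netfilter.nf_conntrack_acct=1.

# Constructed sample entries (documentation addresses; 203.0.113.5 is an
# assumed placeholder for the public address on pppoe-wan).
sample_conntrack() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=51514 dport=443 packets=12 bytes=1840 src=198.51.100.20 dst=203.0.113.5 sport=443 dport=51514 packets=10 bytes=9200 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.11 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=60 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.10 dst=198.51.100.21 sport=51600 dport=80 packets=5 bytes=700 src=198.51.100.21 dst=203.0.113.5 sport=80 dport=51600 packets=4 bytes=3000 [ASSURED] mark=0 use=1
tcp      6 100 ESTABLISHED src=192.168.1.12 dst=192.168.1.1 sport=50000 dport=22 packets=3 bytes=300 src=192.168.1.1 dst=192.168.1.12 sport=22 dport=50000 packets=3 bytes=400 [ASSURED] mark=0 use=1
EOF
}

# per_host_wan_usage: read conntrack lines on stdin and print
# "<lan_ip> <bytes_up> <bytes_down>" for source-NATed flows only.
per_host_wan_usage() {
    awk '
    {
        n_src = n_dst = n_bytes = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)   src[++n_src] = substr($i, 5)
            if ($i ~ /^dst=/)   dst[++n_dst] = substr($i, 5)
            if ($i ~ /^bytes=/) bytes[++n_bytes] = substr($i, 7)
        }
        # Need both tuples and both counters; skip entries without accounting.
        if (n_src < 2 || n_dst < 2 || n_bytes < 2) next
        # Reply goes straight back to the original source: no source NAT,
        # so this flow was not masqueraded (e.g. LAN-to-router traffic).
        if (dst[2] == src[1]) next
        up[src[1]] += bytes[1]
        down[src[1]] += bytes[2]
    }
    END { for (h in up) printf "%s %d %d\n", h, up[h], down[h] }
    ' | sort
}

# On a router this would be: conntrack -L 2>/dev/null | per_host_wan_usage
sample_conntrack | per_host_wan_usage
```

The counters are cumulative per tracked connection and disappear when the entry expires, so this gives a snapshot of live flows rather than a traffic history.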