If I understand the question correctly, then I have a scheme where I accept a pool of 40 ip on Mikrotik and distribute them to virtual machines for many many vpn from the current point.
Actually the logic is this: you raise your own direct network between routers (in any convenient way).
Through netmap, you cross-record two rules (on the router on which they are configured in ipaddreses): external ip to internal ip (incoming traffic), internal ip to external ip (outgoing traffic). On the second router, you do not need to configure anything separately.
You can give all ip to one internal node, in principle, for the input, but you will have to choose one for the output, otherwise the traffic may not go.
I didn’t try double forwarding, I didn’t try to control all this. I must say right away that the rules for restricting traffic do not work. technically the whole stream is behind netmap. dnat works. Unfortunately, I can't describe codes.

Look it up =)

Hmm ... since you were going to "collective farm" the switch, then I will assume that Mikrotik and frya are in the same broadcast domain, i.e. do they see each other on L2? If this is the case, then make the bridge m / y the uplink port from the provider and the port where the frya is connected.

> There will be your own router.
You can configure one more port for the tick as a switch with a wan port, forward it further and receive L2 provider traffic on the router. But as for me, I would use Vlan.
Here you can see how to make two ports in switch, not bridge
https://habrahabr.ru/post/313702/