@greygit1 I don't see why it wouldn't work, switches operate at Level 2 so should happily pass the PPPoE discovery and connection. You will need a 'managed' switch to be able to do the port mirroring. The problem you will have though, is that the switch UI will not be accessible from your LAN network. In order to access the switch configuration you will need to connect a device directly to it with a static IP (in the default subnet for the switch).

Running a separate cable from the switch back to a LAN port on the router MAY allow the switch to get a LAN IP via DHCP and resolve the access problem, but whether that would cause other problems I'm not sure ?

I actually have a Netgear GS105E so one of these days I may just try...

@MisterW 

Could this configuration also be used in situations where the ONT and router have to be further apart than the usual theoretical ethernet limit of 100 metres allows? eg could a 150 metre cable run be split in to two 75 metre sections with the switch acting as a repeater?

I also have a Netgear GS105E, (though no FTTP to test on), so would be interested in your results.

@Mr_Paul in theory , yes. The 100m limit is per segment, adding a switch would break it into two segments.

Obviously (?) the switch would have to be a managed type (to setup the outlined). But managed switches have tumbled in price. It would require some considered setup (along with an associated device capturing the mirrored traffic from the mirrored port). There has to be a separate devive to record the traffic on the mirrored port.

Why do I ask? Seen it done before (in a corporate network, with very much more expensive hardware). And that required functionality now appears to have filtered down to the SOHO/consumer level.

Of course. Otherwise how do large-ish buildings have wired ethernet all over their place which actually works? L2 (and L1) devices breaking up the cable runs.

Thick Ethernet ?  😐

Isn't that also subject to the maximum distance (~100m) between nodes?

500m but can go further using Extenders or Bridge.

I think my (proposed) idea isolates the monitoring/listening device doing the packet capture/monitoring from the general WAN (before NAT, no assigned WAN address, in its own isolated LAN, only accessible on a LAN, with other possibilities). The device capturing the traffic has no WAN access; the WAN has no access to that device. It is just sniffing stuff coming in and out of a location with an ethernet connection. That is its only purpose.

A (lucky) malformed IP packet could crash that system via the ethernet port, but it'd be a reboot and start monitoring again?

Eggs in one basket?

I've got a new TP-link gigabit switch arriving.

FYI - the model numbers between TP-link and Netgear appear to be a switch of the first two characters (the TP-link version is SG1050E). I'm suspecting the internal gubbins is identical, and it is only the external casing and badging that is different.