Passthrough of all traffic? - pfsense

So, it may not be an easy thing to do. But, we have a customer that has a simple Meraki at a few sites. They don’t want to manage multiple internet providers. So, we have a Netgate at each site and behind the Netgate is their Meraki. Our Netgate handles the failover. But! This also gives us insight and control to see if the internet providers go offline. Failover works well. They use Meraki’s AutoVPN thingy and it works well, too. But, now they want to IPSEC to a cloud provider for one of their vendors to have a connection to each of their sites behind the Meraki.

Now, I’m not sure why. But that’s what they want. We don’t care to see what is behind the Meraki. We just want to be able to remote into the Netgate and access it remotely. Which we can now. But how can we just push full passthrough of internet without NAT to the Meraki? If I disable NAT outbound, I’d assume we’d lose our remote access.

I don’t know if this can even be done. But, felt like it was worth asking.
Before it’s asked, we would’ve managed their network and not needed the Meraki. But the customer’s “IT/Consultant” said they needed it. Now, I thought, maybe we can set up the IPSEC on our Netgate for each site to the Vendor and pass through the IPSEC to the Meraki. Maybe that would work? Never tried it this way.

Could you draw up a quick diagram of what you have and then what you want to do? It would help me understand better.

Have you considered using static routes on the Cisco? Still would be double NAT but your tunnel will be through pfSense.

Another option is if you have a block of IPs you can create a VLAN and bridge the WAN. Then you can give the Cisco its own public IP address. This will get rid of your double NAT. But would need a tunnel from the Cisco to the other sites.

Would 1:1 NAT not work here?
Set up a 1:1 NAT rule for each WAN interface to point to the internal IP of the Meraki. Order the rules in the order your gateways fail over.
Then you’d still access pfSense via one of the WAN interfaces OR if you have a VPN client on the pfSense box itself that connects to your server for access, it’ll just talk out via one of the WANs.