Happy you got things sorted out. This might come a bit late but I saw things in this thread that gave me serious shivers.
I have a bit of a service provider background, and while I've moved on to a less stressful job I've still been helping a rural FTTH network. Hard to keep away from the fun.
Anyway, the security in Internet Protocol is not built into subnets, but between them. All kinds of nasty can happen inside subnets, like ARP-spoofing, rogue DHCP and other similar things. There are ways of keeping customers that share a broadcast domain separated but I'm strongly of the opinion that it's a bad and expensive idea. Business customers are usually given their own public subnet and they receive the added security, why should consumers be treated as second class citizens? Also, maintaining "large" layer 2 networks is painful.
This particular FTTH provider was given some, but not enough, IPv4 addresses, which led to a Carrier Grade NAT setup with 1:1 NAT at the core for customers who wish to have their own public IP. Needless to say, the whole network is numbered with RFC1918 addresses. What really is special about this network is that everything is fully routed all the way, albeit statically. Every customer is placed on its own L2 segment and L3 subnet, and this subnet is routed at distribution or, in some cases, even at the access level if the equipment is capable. The customer subnets have a DHCP service that enables automatic configuration of the customer-owned (not enforced by law, but the communications ministry in this country makes it quite clear) CPE. True plug and play, IP over Ethernet.
The beautiful part is that whatever kind of storm the customer creates, it will in the worst case make its way through an access device to a distribution device, and in the best case it will only affect the access port and CPU of the access device. But customers will never be able to spoof any traffic, because each customer is isolated from the others by one or more L3 routers. Some L2 filtering is required to protect the Provider Edge from overload, but at the minimum possible level. Also, the customers are allowed to communicate with each other over the shortest route (also according to a recommendation from the communications ministry). As the customer subnets are very static and will only be present on one access port, it's very easy to pinpoint the source of possible attacks. The provider network works just like the Internet, but at a much smaller scale.
IPv6, on the other hand, is right around the corner. I've recommended that the FTTH network sweet-talk their upstream providers into sponsoring a Provider Independent block of addresses and then a suitable number of CCR1016s at the distribution layer. Once again, statically assigned Prefix Delegation and separate L2 and L3 segments for each customer.
I understand that WISPs have the burden of shared broadcast domains on the last mile, but I still cannot see a need for PPPoE. This, I believe, is where CAPsMAN comes in and saves the day. To my understanding it should be possible to tunnel each WiFi client to a controller and treat the traffic as needed at the controller. This should enable separating customers sufficiently.
Time to end my ramblings: Remember kids, shared broadcast domains are bad, mmmkay?
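As an added example (not part of the post above, and not the poster's actual configuration), here is what one customer port looks like on a MikroTik RouterOS device when built the way the post describes: one access port per customer, one RFC1918 /30 per customer, DHCP served on that subnet, a static route for it at the core, and a 1:1 NAT pair at the core for a customer who has asked for a public address. The interface names (ether5, the core-to-distribution link), the customer number 42, the 10.42.0.0/30 and 10.255.0.0/16 ranges, the TEST-NET public address 203.0.113.42 and the 2001:db8::/32 IPv6 prefixes are all assumptions chosen for illustration; the anti-spoofing filter rule is a practitioner's addition, not something the post says this network runs.

```routeros
# --- Access or distribution router: customer 42 lives on ether5 only ---
# Own L3 subnet per customer; the router is .1, the CPE gets .2 (assumed addressing)
/ip address
add address=10.42.0.1/30 interface=ether5 comment="cust-42"

# DHCP on the customer subnet so the customer-owned CPE configures itself
/ip pool
add name=cust-42 ranges=10.42.0.2
/ip dhcp-server
add name=cust-42 interface=ether5 address-pool=cust-42 lease-time=1d disabled=no
/ip dhcp-server network
add address=10.42.0.0/30 gateway=10.42.0.1 dns-server=10.255.0.53 comment="cust-42"

# Added check: the port-to-subnet mapping is static, so anything entering ether5 with a
# source outside 10.42.0.0/30 is a spoof attempt. Drop it and log it with the customer ID,
# which is exactly the "pinpoint the source" property the post describes.
/ip firewall filter
add chain=forward in-interface=ether5 src-address=!10.42.0.0/30 action=drop \
    log=yes log-prefix="spoof-cust-42"

# --- Core router: static route to the customer subnet and 1:1 NAT for the public IP ---
# 10.255.1.2 is the distribution router's address on the core link (assumption)
/ip route
add dst-address=10.42.0.0/30 gateway=10.255.1.2 comment="cust-42 via dist-1"

# 1:1 NAT: the customer's private .2 is reachable as 203.0.113.42 in both directions
/ip firewall nat
add chain=srcnat src-address=10.42.0.2 action=src-nat to-addresses=203.0.113.42 \
    comment="cust-42 1:1 out"
add chain=dstnat dst-address=203.0.113.42 action=dst-nat to-addresses=10.42.0.2 \
    comment="cust-42 1:1 in"

# --- IPv6 on the same port: a fixed /56 delegated to customer 42 over DHCPv6-PD ---
# A pool holding exactly one /56 plus one customer per interface gives a static delegation;
# the link itself gets a /64 that is advertised to the CPE (all prefixes are assumptions)
/ipv6 address
add address=2001:db8:0:42::1/64 interface=ether5 advertise=yes comment="cust-42 link"
/ipv6 pool
add name=cust-42 prefix=2001:db8:2a00::/56 prefix-length=56
/ipv6 dhcp-server
add name=cust-42 interface=ether5 address-pool=cust-42 lease-time=1d disabled=no
# Core side: the delegated prefix is routed statically towards the distribution router
/ipv6 route
add dst-address=2001:db8:2a00::/56 gateway=2001:db8:ff:1::2 comment="cust-42 via dist-1"
```

The per-port filter rule scales linearly with customers and is easy to audit because every rule names the port and the subnet; on RouterOS 6.x the same effect for IPv4 can be had globally with `/ip settings set rp-filter=strict`, which rejects a packet whose source would not be routed back out the interface it arrived on. Keep the customer subnets out of any bridge: the moment two customer ports share a bridge, the ARP and rogue-DHCP problems the post warns about are back.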