jryanhill
newbie
Topic Author
Posts: 36
Joined: Wed Aug 03, 2011 7:20 pm

Forwarding traffic inside the same subnet without replacing the source MAC

Thu Jan 03, 2019 10:07 pm

The main question is whether it is possible to have a Mikrotik with only a single IP and a single interface act as a router without replacing the source MAC addresses with its own MAC address when forwarding traffic on. See below for an explanation of why.

So I have a firewall router as my WAN device that has the option of tracking clients by IP address or by MAC address. It is a Cisco Meraki for anyone that may feel it necessary to know. We have a Mikrotik acting as our internal router on the same subnet as the LAN interface of the Meraki. The Mikrotik not only acts as a VPN endpoint for various reasons, but it also handles some NAT rules that the Meraki cannot do. As such, the Mikrotik is the default gateway for the overall subnet, with the Meraki being the Mikrotik's default gateway. Because the Mikrotik replaces the source MAC address of outbound traffic with its own, the Meraki must track clients via IP address. This was all well and good until we were asked to add Meraki Access Points to the network. In order for them to be inside the same Meraki network as the firewall, the firewall must track clients by MAC address. I could put the APs in a separate Meraki network, but that's not quite the point of asking this question. I prefer to track by MAC address anyway. So is there a way to not replace the MAC address? This would of course cause asymmetric routing, in that the connection outbound would go through the Mikrotik AND the Meraki, but inbound would skip the Mikrotik. What issues might that cause from the Mikrotik side, if any?

Thanks for the assistance in advance. I've been working with Mikrotiks for years, and I only ever seem to post with very convoluted problems.

CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Forwarding traffic inside the same subnet without replacing the source MAC

Thu Jan 03, 2019 10:13 pm

"...Because the Mikrotik replaces the source MAC address of outbound traffic with its own..."

This is not Mikrotik, but how IP and routing work.

sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Forwarding traffic inside the same subnet without replacing the source MAC

Thu Jan 03, 2019 10:18 pm

Indeed, since the MT is the router, it forwards packets on behalf of others, which translates into replacing MACs.

mkx
Forum Guru
Posts: 13186
Joined: Thu Mar 03, 2016 10:23 pm

Re: Forwarding traffic inside the same subnet without replacing the source MAC

Thu Jan 03, 2019 10:59 pm

"...This would of course cause asymmetric routing, in that the connection outbound would go through the Mikrotik AND the Meraki, but inbound would skip the Mikrotik. What issues might that cause from the Mikrotik side, if any?"

Even if we dismiss what @CZFan and @sebastia brought forward (and we should not), NAT implies connection tracking, and asymmetric routing trashes connection tracking.

There is a mechanism which would help you, but I don't have the slightest idea if ROS implements it (it might not; many think of the mechanism negatively): ICMP route redirect.
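The mechanics the three replies above describe, as an added example that is not part of the thread (all names, IP addresses and MAC addresses are constructed): a minimal Python model of one shared subnet in which the MikroTik forwards the client's outbound packet to the Meraki, rewriting the Ethernet header but leaving the IP source alone, and the Meraki then delivers the reply straight to the client because the client's IP is on its own LAN, so the MikroTik's connection-tracking entry never sees the return half of the flow.

```python
"""Minimal model of IP forwarding on one shared subnet (added example, constructed data).

Two things the thread states, made concrete:
  1. A router that forwards a packet rewrites the Ethernet header: its own MAC
     becomes the source MAC on the next hop, while the IP addresses are preserved.
  2. If the reply is delivered to the client directly, bypassing the router, the
     router's connection-tracking entry for that flow never matures.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LAN_PREFIX = "192.168.88."  # constructed LAN subnet


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64


@dataclass
class Node:
    name: str
    mac: str
    ip: str
    gateway: Optional[str] = None  # next-hop IP for destinations off the LAN


# Constructed topology: one segment, one subnet, MikroTik is the LAN default gateway
# and the Meraki is the MikroTik's gateway, exactly as the OP lays it out.
CLIENT = Node("client", "aa:aa:aa:aa:aa:01", LAN_PREFIX + "50", gateway=LAN_PREFIX + "2")
MIKROTIK = Node("mikrotik", "aa:aa:aa:aa:aa:02", LAN_PREFIX + "2", gateway=LAN_PREFIX + "1")
MERAKI = Node("meraki", "aa:aa:aa:aa:aa:03", LAN_PREFIX + "1")  # WAN device
INTERNET_HOST = "203.0.113.10"  # off-subnet destination (documentation range)

ARP: Dict[str, str] = {n.ip: n.mac for n in (CLIENT, MIKROTIK, MERAKI)}  # resolved ARP cache
FlowKey = Tuple[str, str]


def next_hop(node: Node, dst_ip: str) -> str:
    """Same-subnet destinations are delivered directly; anything else goes to the gateway."""
    if dst_ip.startswith(LAN_PREFIX):
        return dst_ip
    if node.gateway is None:
        raise ValueError(f"{node.name} has no route to {dst_ip}")
    return node.gateway


def originate(src: Node, dst_ip: str) -> Frame:
    """A host builds the first frame of a flow, addressed at layer 2 to its next hop."""
    return Frame(src.mac, ARP[next_hop(src, dst_ip)], src.ip, dst_ip)


def route(router: Node, frame: Frame, conntrack: Dict[FlowKey, str]) -> Frame:
    """What any IP router does on forward: new Ethernet header, IP addresses untouched."""
    if frame.dst_mac != router.mac:
        raise ValueError("frame was not addressed to this router at layer 2")
    reverse = (frame.dst_ip, frame.src_ip)
    if reverse in conntrack:
        conntrack[reverse] = "ESTABLISHED"  # reply to a flow we already track
    else:
        conntrack.setdefault((frame.src_ip, frame.dst_ip), "SYN_SENT")  # new flow, awaiting reply
    return Frame(
        src_mac=router.mac,  # the router's MAC replaces the client's on this hop
        dst_mac=ARP[next_hop(router, frame.dst_ip)],
        src_ip=frame.src_ip,  # IP source survives end to end
        dst_ip=frame.dst_ip,
        ttl=frame.ttl - 1,
    )


def run_asymmetric() -> dict:
    """Outbound: client -> MikroTik -> Meraki. Return: Meraki -> client directly."""
    conntrack: Dict[FlowKey, str] = {}
    f1 = originate(CLIENT, INTERNET_HOST)  # client -> default gateway (MikroTik)
    f2 = route(MIKROTIK, f1, conntrack)  # MikroTik -> its gateway (Meraki)

    # Reply arrives on the Meraki's WAN side; the client's IP is on the Meraki's own
    # LAN subnet, so the Meraki resolves the client's MAC itself and sends it straight
    # there instead of handing the packet back to the MikroTik.
    wan_reply = Frame("ww:ww:ww:ww:ww:01", MERAKI.mac, INTERNET_HOST, CLIENT.ip)
    reply = route(MERAKI, wan_reply, {})  # the Meraki's own tracking is out of scope here
    if reply.dst_mac == MIKROTIK.mac:  # never true in this topology
        route(MIKROTIK, reply, conntrack)

    return {
        "client_src_mac": f1.src_mac,
        "meraki_sees_src_mac": f2.src_mac,  # MikroTik's MAC, not the client's
        "meraki_sees_src_ip": f2.src_ip,  # still the client's IP
        "ttl_after_mikrotik": f2.ttl,
        "reply_via_mikrotik": reply.dst_mac == MIKROTIK.mac,
        "mikrotik_conntrack": dict(conntrack),  # entry stuck in SYN_SENT
    }


def run_symmetric() -> str:
    """Contrast case: the reply is handed back to the MikroTik, so tracking completes."""
    conntrack: Dict[FlowKey, str] = {}
    route(MIKROTIK, originate(CLIENT, INTERNET_HOST), conntrack)
    back = Frame(MERAKI.mac, MIKROTIK.mac, INTERNET_HOST, CLIENT.ip)  # Meraki -> MikroTik
    route(MIKROTIK, back, conntrack)
    return conntrack[(CLIENT.ip, INTERNET_HOST)]


if __name__ == "__main__":
    for key, value in run_asymmetric().items():
        print(f"{key}: {value}")
    print("symmetric return state:", run_symmetric())
```

Running it shows the Meraki receiving frames whose source MAC is the MikroTik's while the source IP is still the client's, and a tracking entry on the MikroTik that never leaves SYN_SENT in the asymmetric case but reaches ESTABLISHED when the reply comes back through the router. The real-world check on a RouterOS box is `/ip firewall connection print`: flows whose replies bypass the router show up as entries that never gain the seen-reply flag and simply time out.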

CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Forwarding traffic inside the same subnet without replacing the source MAC

Fri Jan 04, 2019 12:35 am

The description in the OP is also a bit confusing to me. But why not place the Cisco Meraki inside the LAN of the Mikrotik router? Users' gateway points to the Meraki, they go through the Meraki to the MT router where things get routed and NATed. Just open the necessary ports on the MT in order for the Meraki to communicate with the cloud management system.
That way all devices on the subnet/LAN must speak to the outside via the security device, as well as traffic coming in before hitting the internal network, and it will be able to report on internal clients' MAC addresses.