Solved
We have a third-party security appliance(Kharon), with its own network, and an MX attached to its second LAN port. The MX has its own stack and, at present, has a Z3C attached to a port on the MX.
The WAN port on Kharon connects to a modem in PPPoE/MPoA mode. In order to access the WEB GUI on the modem, we need additional ports on the connection to the modem (additional alt-addresses on the eth0 port do not cut it). So by configuring a Pseudo-Ethernet port, we have an additional WAN port, peth0. Multiple Pseudo-Ethernet ports are possible, in some respects it is like have a virtual switch on the WAN uplink. The glue that ties this all together is a Masquerade NAT rule. It is easier to set up than to describe.
Now, the clever bit, if I connect my phone to the Z3C's WiFi, I can get through both the intervening MX and Kharon and access the web GUI on the modem, which has previously been impossible.
I wouldn't have written all this if Kharon was expensive. But it isn't; it comes in various flavours and a top of the line product has 8 x 10G SFP+ ports and dual power supplies. It might be simpler to install a device like Kharon that would be up and working almost immediately, then spend time trying to get what you need working on the MX. In actual fact, I have taken the opportunity to offload all the risky IoT stuff, Guest WiFi, AV, and Multicast TV streaming which Meraki does not handle, and IPv6 is being implemented.
Pseudo Ethernet means different things to to different brands and OS, so take care. The OS on Kharon is derived from a branch of VyattaOS.
By taking this approach we did not have to dump Meraki based solutions, we use the synergy.
@uberseehandel
