Hacker News
by tinco 2386 days ago
Why would 1 MAC per port be proper security? Seems needlessly restrictive and ineffective to me.
2 comments

A lot of people think trusted L3 is a valid security solution.
NAT for IPs may be everywhere, but NAT for MAC addresses is inconceivable.
If you use a cheap router instead of a switch, the far end will only see one MAC address, which is the one of the router. Doing NAT then is as easy as it could be. You could literally use just about any router out of the box without even configuring anything. You can also add an Ethernet switch behind this device easily. Only limiting a port to a single MAC is therefore somewhat pointless. You would prohibit valid use cases (adding a switch) without hindering any nefarious user (guy with a cheap router). Also, NAT for MAC addresses is a thing, although not necessarily the most useful approach in this case...