Classic
Although using the LAN interface as the captive portal interface isn't the best choice, it has something very important : a general pass rule.
On a dedicated interface, you need to pass traffic that you would allow for your users. One of them should take care of "UDP traffic to any port 53". Simply copying the default rule from LAN will do the trick.
Of course, you can narrow down your rules for captive portal users (actually, you should !) but again : do not forget to have DNS coming in.
The default ipfw rule set adds the IP of the interface of the Captive portal as a accepted "all traffic" destination : this means that when you use the resolver unbound or forwarder dnsmasq on pfSense, you'll be fine without thinking about DNS issues or rules.
When you want to communicate all DNS requests to some outsider then you have to deal with it.
Consider this : no one ever asks about : what is needed for DHCP ?
On any interface, LAN and others, the ip firewall does accept incoming broadcasts, and replies, all for port 69. Without these, even DHCP wouldn't work .... Hidden 'DHCP' rules are setup for evey LAN type interface.
Remember : if no pass rules are triggered, the firewall blocks.