This : Is the 'simple' setup. The ipfw firewall works best when it 'sees' the MAC addresses of the connected devices. If it doesn't, well ... check our AP again : make it work as an AP, not a router. Routers hide MAC addresses for upstream routers (= pfSense). That not good if you want the captive portal to work flawlessly.