This :

Is the 'simple' setup.

The ipfw firewall works best when it 'sees' the MAC addresses of the connected devices.
If it doesn't, well ... check our AP again : make it work as an AP, not a router. Routers hide MAC addresses from upstream routers (= pfSense). That's not good if you want the captive portal to work flawlessly.