Check out this page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
Execute the commands listed - and see the firewall rules numbers that ipfw is using.
The "64500" is a limit, you can't go (much) above.

Also note that " /var/db/captiveportaldn.rule" can not grow indefinitely. I guess it about 700 K when it starts, and depending on the length of the name(s) of your captive portal zone(s) is might double, maybe triple.

You can 'read' this file to understand its structure. Its a serialized PHP array.

The nasty thing :
Every time a user connected and passes through (== authorized) "pass" rules are injected in the firewall ipfw AND the rule set (two: "the numbers" and the "portal zone name") are injected into this array (which becomes a file called /var/db/captiveportaldn.rule on disk).
When the connections times out, the firewall rule is removed, and the corresponding entry  in to array is set to false (something like "").

All this reading and writing (updating) of this 1 (2 , 3 ?) MB file happens when users login AND are being thrown off the portal.

function captiveportal_free_dnrules($rulenos_start = 2000, $rulenos_range_max = 64500) {

Just one question : your system can keep up with it ?