CP/pfSense behind another firewall with proxy

BGS

Hello,

we're facing a problem with our pfSense setup for our students at school. We're trying to secure the students wifi with a captive portal. Therefore we use a router with a proxy for content filtering.

This is our setup:

Internet <–--> Router with firewall and proxy <---> pfSense WAN -- <pfsense>--pfSense student interface <---> (mobile) clients (iOS, Android, Windows/Mac OS)
                              10.10.11.1/24                              10.10.11.2        DHCP                    172.20.0.0/22                        DHCP via pfSense
                                proxy port: 800                                              DNS-Resolver
                                                                                                          CP

NAT Portforwarding enabled on WAN interface for students "NET" --- TCP/UDP "any" IP and "any" port to 10.10.11.1:800

The proxy is manually set on every device (iOS, Android, ...) We use an non-transparent proxy without authentification

iOS: If i connect to the network i get an IP, DNS ... everything looks fine. CP opens, I enter the voucher code and press "Continue" for access. But nothing happens. If I check the status on the cp interface, the client is listed as authenticated. There is no redirection to the url specified in cp settings, neither a "success" from the captive.apple.com
I've found a workaround: Connect to wifi without proxy settings. CP appears, enter login credentials, press "continue", press "Cancel" on captive portal browser (device is listed as athenticated in pfsense)-- "Forget network" -- connect to wifi -- enter proxy settings -- happy internet browsing via proxy ... -.-
If i do the workaround the device is shown in the firewall and the proxy of the router.

Android: I connect to the wifi, get an IP, DNS settings, everything looks good. On some devices i get an cp, on some devices I don't get a cp ...-.-

I hope you can help us!

Thank you
BGS</pfsense>