I want to setup pfsense community edition to NGO school behind the router/access points.
so we want every student to have username and password to access the internet
it will be open wifi network with front page asking for username and password, and only students who can access this.
and if possible to make some usernames with different permissions to the network.
On a standard pfsense community version install you can turn on "captive portal" and do what you described. But it won't do two factor authentication. If you absolutely want two factor, then you can do the same with two factor on opnsense which is a pfsense forked independent project but quite similar in functionality and performance.
If you want two factor auth, you can install the FreeRADIUS package and use it there (Google Authenticator or mOTP)
it will be open wifi network […] if possible to make some usernames with different permissions to the network.
That isn't possible with captive portal, but if your access points can do multiple SSIDs on different VLANs, you could setup a different SSID that has WPA2 Enterprise authentication, then it could put those special users on a different VLAN with different firewall rules/setup.
You'd setup the second VLAN/Network on pfSense but getting users into that network is entirely up to your access points and switches, though, not pfSense