OPNsense Forum

English Forums => General Discussion => Topic started by: GeoffW on January 07, 2023, 11:31:54 AM

Title: Multiple Captive Portal zones and network interfaces
Post by: GeoffW on January 07, 2023, 11:31:54 AM
Having just solved a problem that's been bugging me half the day, I thought I would share. Maybe the behaviour should have been expected and obvious, but it wasn't to me.

OPNsense 22.7 with WAN, LAN and DMZ interfaces. Also two separate Captive Portal zone definitions, one for LAN and one for DMZ, and each defined a few addresses (that being the only option) that could access the network without seeing the login screen.

I could have used just one captive portal zone, but since I find the interface for managing allowed devices to be a bit cramped and awkward, I thought it would be easier to use separate zones ... and therein lies the problem.

I later introduced a firewall rule to let LAN devices access an HTTP server on the DMZ, and it didn't seem to be working. What I found was that a connection would be made to the server, but the responses never got back. It appears Captive Portal was blocking it.

The device in question did have its address in the LAN Captive Portal zone, but did not have it in the DMZ Captive Portal zone.  As soon as I added it there too, the connection started working.

All good, I have merged the two Captive Portal zones into one, so I have just one list of device exceptions, and now I can move on. In my situation this arrangement is not going to matter very much, but I can imagine it could be inconvenient in some more complex networks.