Captive Portal + LAN Deny All + Access Points

From:	John <naverxp at yahoo dot com dot sg>
To:	m0n0wall at lists dot m0n0 dot ch
Subject:	Captive Portal + LAN Deny All + Access Points
Date:	Sat, 22 Jan 2005 02:51:39 +0800

Hi
First come first, I've got m0n0wall running for about a week, its been 
stable. Hurray!

--------------
| internet |
--------------
|
|m0n0wall|----------- DMZ
|
|--------------
| | |
AP PC1 PC2

This time i've added a Access Point to my internal network and 
incorporated Captive Portal & PPTP. Logically speaking, this makes only 
users with PPTP accounts granted access to all network + WAN.

So i drafted out these set of rules:
- LAN Deny All
- PPTP Allow 80, 443, 110, 25
- WAN Allow Identd
- Captive Portal Enabled without Radius

But whenever i perform, LAN Deny All, my captive portal won't work. 
(however i can still dial vpn)
it is only when i do a, LAN Allow All, my captive portal resumes its 
function. But this isn't what i want.

How do i fix this issue according to my scenario?
Thanks.