linux
korsamc, 2018-09-24 18:28:34

Iptables rules for captive portal?

There is a Wi-Fi router on the VLAN. I can't figure out how to redirect all traffic so that it goes to the authorization page, which will be on the server (it also acts as the DHCP server). The VLAN runs on the enp4s0 interface; on the other interface, which faces the provider, I was able to open up access with these commands:

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE

Which iptables rules can redirect traffic so that unauthorized users land on the stub page in order to get Wi-Fi access?

Alexey Golobokov, 2018-09-25
@korsamc

iptables (iptables-restore format; the ipset must exist before these rules are loaded):

*nat
# requests already addressed to the portal must not be redirected again
-A PREROUTING -d 10.100.0.220/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -m set ! --match-set mac-allowed src -j DNAT --to-destination 10.100.0.220
COMMIT

*filter
:macallowed - [0:0]
-A FORWARD -i vlan1+ -j macallowed
# replace DNS-server with the address of your resolver
-A macallowed -d DNS-server -p udp -m udp --dport 53 -j ACCEPT
-A macallowed -m set --match-set mac-allowed src -j ACCEPT
-A macallowed -j DROP
COMMIT

ipset:
create mac-allowed hash:mac hashsize 1024 maxelem 65536
add mac-allowed A0:4E:A7:55:44:33

More or less like this.
In nat PREROUTING, traffic whose source MAC is not in the ipset of allowed MAC addresses is redirected to the host with the portal.
And on the portal you need to send status code 511 in the header so that captive portal detection understands that this is a sandbox and
opens the window for the additional steps needed to connect (though I'm not certain about this):
header('HTTP/1.1 511 Network Authentication Required', TRUE, 511);
header("Location: http://10.100.0.220/portal/index.php?step=1");

PS. You can do without ipset, but it's faster when there are a lot of records.

mikes, 2018-09-25
@mikes

Create a chain and send everyone there.
If they are in the same L2 segment, then DST NAT the user's MAC to the captive portal address; after successful authorization, remove the user's MAC from the chain.
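Putting both answers together as an added, runnable example (not code from either answer): a shell script that builds the ipset, installs the redirect and forwarding rules, and gives the portal an authorize/deauthorize call that adds or removes a client MAC. Interface names and the portal address are the ones from the question and the first answer; `DRY_RUN` is an assumed switch that prints the commands instead of executing them, and `DNS_IP` is an assumed variable for the resolver unauthorized clients may reach.

```shell
#!/bin/sh
# Added example, not the thread's own code: ipset + iptables captive-portal
# redirect with the authorize/deauthorize step the portal would call.
# Without DRY_RUN=1 the commands run for real and need root.
LAN_IF=${LAN_IF:-enp4s0}          # Wi-Fi / VLAN side (from the question)
WAN_IF=${WAN_IF:-enp2s0}          # uplink to the provider (from the question)
PORTAL_IP=${PORTAL_IP:-10.100.0.220}
DNS_IP=${DNS_IP:-$PORTAL_IP}      # resolver unauthorized clients may reach (assumed)
SET=${SET:-mac-allowed}

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Six colon-separated hex pairs; reject anything else before it reaches ipset.
valid_mac() { printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

setup_portal() {
  run ipset create "$SET" hash:mac hashsize 1024 maxelem 65536 -exist
  # 1. Requests already aimed at the portal must not be DNATed again.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$PORTAL_IP" -p tcp --dport 80 -j ACCEPT
  # 2. Port 80 from any MAC not in the set goes to the portal. Only plain HTTP
  #    can be redirected this way; HTTPS would fail certificate validation, so
  #    it is simply dropped below until the client is authorized.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
    -m set ! --match-set "$SET" src -j DNAT --to-destination "$PORTAL_IP"
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  # 3. Forwarding policy for the LAN: portal and DNS for everyone (captive
  #    portal detection has to resolve names), everything else only for MACs
  #    in the set. If portal/DNS live on the router itself these two ACCEPTs
  #    are never hit (that traffic goes to INPUT), but they are harmless.
  run iptables -N macallowed
  run iptables -A FORWARD -i "$LAN_IF" -j macallowed
  run iptables -A macallowed -d "$PORTAL_IP" -p tcp --dport 80 -j ACCEPT
  run iptables -A macallowed -d "$DNS_IP" -p udp --dport 53 -j ACCEPT
  run iptables -A macallowed -m set --match-set "$SET" src -j ACCEPT
  run iptables -A macallowed -j DROP
}

# Called by the portal after a successful login, and again on logout/expiry.
# Returns 1 (and touches nothing) if the MAC is malformed.
authorize_mac()   { valid_mac "$1" || return 1; run ipset add "$SET" "$1" -exist; }
deauthorize_mac() { valid_mac "$1" || return 1; run ipset del "$SET" "$1" -exist; }

# Preview the rule set without touching the firewall:
#   DRY_RUN=1 sh -c '. ./portal.sh; setup_portal'
```

MAC-based authorization only identifies the client adapter, so pair it with a session timeout (periodic `deauthorize_mac`) rather than leaving entries in the set indefinitely.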
