pfSense

When a captive portal user is manually disconnected their entry is removed from the portal database, but the entry remains in the ipfw table (Check ipfw table <name>_auth_up list)

Some more debugging from the forum:
https://forum.pfsense.org/index.php?topic=146046.msg795216#msg795216

(pfsense 2.4.3-RELEASE (amd64))
When a user press the disconnect button, in /usr/local/captiveportal/index.php (line 151) calls the captiveportal_disconnect_client function. This function first removes the information about the session from the captive portal database (file /etc/inc/captiveportal.inc line 1098), then the function captiveportal_disconnect (line 1104) is called. In captiveportal_disconnect, before removing an ip from the ipfw tables (lines 1038-1041), it is checked (lines 1035, 1036) whether this ip is logged. Because the information about the session is removed from the database, it bypass lines 1037-1041. As a result of this disconnection from the Internet does not occur.
I commented the lines 1035, 1036, 1042. The Captiva portal began to disconnect users.

I was able to reproduce the problem by logging into the portal and then disconnecting the user from Status > Captive Portal