Thanks , ppalias for your reply
the interface is correct, two rules were wrong…
the default policy for the forward chain is drop, but I added , at line 6
FORWARD/006 ACCEPT all — ETH00.6 * 0.0.0.0/0 0.0.0.0/0
which allows some applications not using tcp port 80/443 to bypass login page
removing that rule, and the last rule added by GUI
FORWARD/015 DROP all — * * 0.0.0.0/0 0.0.0.0/0
the captive portal works fine .