All depends on how you access the Internal Resources and your Captive Portal rules.

If traffic goes to the External Interface on Untangle and back again, you will need to configure rules to allow it.
If you are session-heavy to your internal servers, I would solve it by creating an alternative path for users to the internal resource.

E.g., use public DNS to have external DNS for service.example.com = public IP, and then local DNS for service.example.com = internal IP.
And then have ACLs to control what ports/IPs clients can access directly without going through Untangle.