NAT WiFi Clients before they reach captive portal

My use case for this is a number of IoT devices and user devices need to connect to the Wireless network on wlan0. The network needs a captive portal but the catch is that any device that authenticates to the portal should then 'unlock' the network for the other connected devices. For instance a mobile device could authenticate which then enables the IoT devices to be useable.

I can do this with two physical routers where all wireless clients connect to the second router and the first router only sees effectively one device being exposed from the second router which is performing NAT.

This diagram describes how I think this could work in one device but I am unsure if it is possible to configure OpenWRT this way?

The IP Address are just there to illustrate.

I expect this will work if I can configure the router so that the captive portal is only seeing the NAT gateway MAC/IP address.

On the router I have CoovaChilli running (configured as part of the Teltonika OpenWrt firmware)

Any pointers on how to achieve this setup if it is possible?