Bit late to the party, but I had a bit of a look at this a couple of months ago. Not 100% got my head around it, so some of the below may be incorrect but hopefully some of it may make sense
So first a bit of a history lesson, in older firmwares the CWP address used to be 1.1.x.x. This used to be fine until Cloudflare came along and started using 184.108.40.206 I believe :) But as this became unavailable it got switched to 198.18.x.x in later firmwares- important to note this is not a typo and is meant to be 198., not 192.! Still a private IP though, that when combined with a DNS entry allows the client/AP to resolve to the Captive portal (as we can’t directly hook the client due to it being HTTPS rather than http).
Why the IPs and where do they come from? Well, easiest if you go into one of your APs CLI and run the below:
First of all “show interface”. In the list you’ll see all of your SSIDs twice, one for WiFi0 and another for WiFi1 on a specific interface. Find the SSID that has the captive web portal. Lets say for example it was on WiFi0.6 and WiFi1.6.
Next command is to run “show ip route” and you’ll get something like the below
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 mgt0
127.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 lo
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 mgt0
198.18.12.0 0.0.0.0 255.255.254.0 U 0 0 0 wifi0.6
198.18.44.0 0.0.0.0 255.255.254.0 U 0 0 0 wifi1.6
Our two CWP interfaces have got assigned an IP, which is what the DNS record will need to be (if you have more than one SSID with a CWP you’ll see more of course).
As far as I’m aware the DNS record should only be needed if you’re using HTTPS on captive portals.