In VB your VM needs three interfaces. It needs a bridged or NAT’d interface from Red to external (so to the VM host's network). Internally you need two more LANs, one to connect to Green and one to Blue.
Green is your normal LAN from which you plan to administer your captive portal. In reality, as yours is all a testing setup internal to your bigger LAN, you could just open port 444 and whatever else you need to manage the captive portal to red and you can then manage the captive portal from red. Otherwise you need some sort of VM on green to manage the captive portal.
Blue is your captive portal. To test it working, I assume you need a VM on the Blue LAN. As this Blue LAN is inside VB and not a physical LAN, it will have to be a VM to test if it is working. If your VB host has a second NIC, you could use that NIC bridged to Blue instead and then use a physical machine connected to that NIC to test the captive portal functionality.
Red could be set up either Bridged (easier) or NAT’d. If NAT and you want to manage IPF from the external LAN you will then have to do port forwarding in VB which makes it more complicated. If you are going to manage IPF from Green then it does not matter if Red is bridged or NAT’d.
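
The three-interface layout described in the post above, sketched as VBoxManage commands. This is an added example, not part of the original post; the VM name, host adapter names, the internal network names "green" and "blue", and host port 8444 for the NAT forward are assumptions.

```shell
#!/bin/sh
# Prints (does not run) the VBoxManage commands for the Red/Green/Blue layout.
# Assumed, not from the post: VM name, host adapter names, internal network
# names "green"/"blue", and host port 8444 for the NAT forward to port 444.
VM="${VM:-ipfire-test}"
HOST_NIC="${HOST_NIC:-eth0}"              # host adapter Red bridges to
BLUE_HOST_NIC="${BLUE_HOST_NIC:-}"        # optional second host NIC for Blue
MGMT_HOST_PORT="${MGMT_HOST_PORT:-8444}"  # only used when Red is NAT'd

ipfire_nic_plan() {
    # $1 = how Red attaches: bridged | nat
    case "$1" in
        bridged)
            printf 'VBoxManage modifyvm "%s" --nic1 bridged --bridgeadapter1 "%s"\n' \
                "$VM" "$HOST_NIC" ;;
        nat)
            # Managing from the external LAN through NAT needs a port forward
            # to the management port (444) on Red.
            printf 'VBoxManage modifyvm "%s" --nic1 nat --natpf1 "ipfire-mgmt,tcp,,%s,,444"\n' \
                "$VM" "$MGMT_HOST_PORT" ;;
        *)
            echo "red mode must be bridged or nat" >&2
            return 1 ;;
    esac
    # Green: internal-only LAN for an admin VM.
    printf 'VBoxManage modifyvm "%s" --nic2 intnet --intnet2 "green"\n' "$VM"
    # Blue: internal LAN for a test-client VM, or bridged to a second host NIC
    # so a physical machine can test the captive portal.
    if [ -n "$BLUE_HOST_NIC" ]; then
        printf 'VBoxManage modifyvm "%s" --nic3 bridged --bridgeadapter3 "%s"\n' \
            "$VM" "$BLUE_HOST_NIC"
    else
        printf 'VBoxManage modifyvm "%s" --nic3 intnet --intnet3 "blue"\n' "$VM"
    fi
}

ipfire_nic_plan "${RED_MODE:-bridged}"
```

Review the printed commands before running them; `modifyvm` only applies to a VM that is powered off.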