@Pakal 

For that much traffic hitting a portal, definitely go with a hardware controller (which also doesnt need device licenses) - in your case i would suggest OC300.  It isnt too expensive

Controller handles all aspects of the portal, nothing is done on the gateway or EAPs

You can adopt whatever devices you need, you dont have to adopt a gateway to manage access points

  @GRL 

Thanks for your reply. If I go with a hardware controller (OC300) I guess both the controller and all the APs have to be on the same subnet mask managed by any brand router/switch. What would be the convenience of adding an Omada gateway and/or Omada switches, if I already have other switches (although unmanaged) in place? 

  @Pakal 

ACLs to control inter-vlan communiocation, URL filtering, IDS / IPS, VPNs, switch ports that dont automatically put someone plugging something into a port on the management vlan......lots of things

For a big deployment with users in the hundreds ER605 wouldnt cut it, its not designed for that.

ER7206 v2 / ER7406 / ER707-M2 would all be fine for this, ER8411 if you want higher bandwidth WAN/LAN in the future

Switch wise SG2008 or higher support all omada features like ACLs, the ES series is a basic omada switch can has far less features

  @GRL 

Thanks,I have a couple more questions. How is the ip assignment managed by the sdn? Citing my initial post I have the "problem" of  several hundreds devices connecting to the captive portal. 90% of them will not authenticate with a voucher. Is this amount of unauthenticated devices going to be a problem? 

Also, can I define different SSID at an AP level, or can I have some AP with SSID1 and others with SSID2? 

Can they all share the same vouchers?