Well if you want the foolproof solution...
a. put the IP on its own VLAN or bridge or separate ethernet subnet (disables any connectivity at layer 2).
b. allow VLAN/bridge/ethernet subnet to and fro home subnet (use firewall to allow connectivity at Layer 3 but only internally)
c. DONE.
c. assumes drop all else at end of forward chain.
Firewall Filter Forward Rules
standard fasttrack
standard accept established related
standard drop invalid
standard ipsec
+++++++++ All the flow you WANT TO ALLOW ++++++++++
drop all else
++++++++++++ examples of flow you wish to allow++++++++++
home LAN to WAN
home LAN to special subnet for problem devices/people
special subnet to home LAN
allow port forwarding if required (WAN to home LAN)
+++++++++++++++++++++++++++++++++++++++++++++++++
The other method keeps layer 2 connectivity between all LAN IPs (keep existing LAN structure no changes required)
Create a firewall address list - 'bannedWAN' (a source address list) of the IP or multiple IPs that you wish to block from the internet.
The key here as noted is that you are relying upon that IP not changing, so it has to be statically assigned.
In this case above the LAN to WAN rule could be modified or you could make two rules.
One rule option
add action=accept chain=forward in-interface-list=LAN src-address-list=!bannedWAN out-interface-list=WAN
Two rule option (ORDER IS IMPORTANT)
add action=drop chain=forward in-interface-list=LAN src-address-list=bannedWAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
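
Added example, not part of the original post: the address-list method written out as a complete forward chain in the order the post outlines, using the two-rule option. The address 192.168.88.50, the MAC address and the comments are constructed placeholders; the LAN and WAN interface lists are assumed to exist already.

```routeros
# Constructed values: 192.168.88.50 and the MAC are placeholders for the
# device to block; LAN and WAN are interface lists as used in the post.

# The block keys on the source IP, so pin it with a static DHCP lease.
/ip dhcp-server lease
add address=192.168.88.50 mac-address=AA:BB:CC:DD:EE:FF comment="pinned for bannedWAN"

/ip firewall address-list
add list=bannedWAN address=192.168.88.50 comment="no internet access"

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established, related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept ipsec-policy=in,ipsec comment="ipsec in"
add chain=forward action=accept ipsec-policy=out,ipsec comment="ipsec out"
# Flows to allow. The drop must sit above the general LAN-to-WAN accept,
# because the first matching rule wins.
add chain=forward action=drop in-interface-list=LAN out-interface-list=WAN src-address-list=bannedWAN comment="banned hosts: no WAN"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to WAN"
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="port forwards, if any"
add chain=forward action=drop comment="drop all else"
```

A host added to bannedWAN while it already has connections open keeps them until they expire or are cleared from the connection table, because the established/related rules sit above the drop.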