Wouldn’t it just be easier to not give those to be blacklisted devices the Wi-Fi password?
I think you’re looking for GL GUI → Clients → $device → Block WAN but that’s per device. Otherwise one can put all those devices to be blocked on a Guest SSID/Wi-Fi network & block the Guest network from WAN access but that’d take a bit of customization to the firewall & isn’t provided as a stock feature of the GL GUI.
It would also be completely isolated from your LAN proper so they could only communicate amongst themselves.
Another option makes no distinction between wireless or wired connections but requires a VPN provider/service:
This feature will be available in firmware version 4.4 and above, please wait for the new firmware for AXT1800.
As an alternative, in version 4.2 you can turn on Parental Controls and enable Block WAN for Unmanaged Devices. This blocks these devices from accessing the Internet, but does not blocks them from accessing LAN.
Also, if you think your Wi-Fi password has been compromised, it’s a good idea to change it.