Wouldn’t it just be easier to not give those to be blacklisted devices the Wi-Fi password?
I think you’re looking for GL GUI → Clients → $device → Block WAN but that’s per device. Otherwise one can put all those devices to be blocked on a Guest SSID/Wi-Fi network & block the Guest network from WAN access but that’d take a bit of customization to the firewall & isn’t provided as a stock feature of the GL GUI.
It would also be completely isolated from your LAN proper so they could only communicate amongst themselves.
Another option makes no distinction between wireless or wired connections but requires a VPN provider/service:
GL GUI → VPN → VPN Dashboard → VPN Client → Global Options:
GL GUI → VPN → VPN Dashboard → VPN Client → Global Proxy:
(Firmware 4.2.1-release4)