Is there any way to block specific device from WAN?

There is a similar post here.  Hopefully, that will work for your use case as well.

---

@AdrianM wrote:

On my previous router, I had some rules linked to its MAC address that prevented it reaching the WAN but I can't see any way of doing this with Orbi. Any suggestions?

---

I believe what you want is on the  Advanced tab of the web interface, under Security, Block Services.  It was not obvious to me, but the way it works is you Add a block, select "Any" for the services and enter the IP address of the Z-wave controller.  (or, maybe you have to have one block for TCP and another block for UDP?)  (Disclaimer: I haven't set one up myself.)

From the user guide:

Block Services From the Internet

You can block Internet services on your network based on the type of service. You can block the services all the time or based on a schedule.

Ok, do "internet services" refer to WAN only (not my LAN) because I need local http access on port 80 to send commands to the gateway's REST api.

To block services:
1. Launch a web browser from a computer or mobile device that is connected to your
Orbi network.
2. Enter orbilogin.com.
A login window opens.
3. Enter the admin user name and password.
The user name is admin. The password is the one that you specified the first time
that you logged in. The user name and password are case-sensitive.
The BASIC Home page displays.
4. Select ADVANCED > Security > Block Services.
The Block Services page displays.
5. Specify when to block the services:
• To block the services all the time, select the Always radio button.
• To block the services based on a schedule, select the Per Schedule radio button.
For information about how to specify the schedule, see Schedule When to Block Internet Sites and Services on page 50.

6. Click the Add button.
The Block Services Setup page displays.
7. To add a service that is in the Service Type list, select the application or service.
The settings for this service automatically display in the fields.
8. To add a service or application that is not the list, select User Defined.
a. If you know that the application uses either TCP or UDP, select the appropriate
protocol.
Otherwise, select TCP/UDP (both).
b. Enter the starting port and ending port numbers.
• If the service uses a single port number, enter that number in both fields.
• To find out which port numbers the service or application uses, you can contact
the publisher of the application, ask user groups or newsgroups, or search
on the Internet.

I don't know which ports might be in use and I can't get such info because nobody cares about these abandoned devices. Would start 0, end 65536 be acceptable?

9. To specify how to filter the services, select one of the following radio buttons:
• Only This IP Address. Block services for a single computer.

Not by MAC then. I guess it means reserving an IP for the gateway and entering that? I will try it at the weekend. Thanks.

@AdrianM wrote:

Not by MAC then. I guess it means reserving an IP for the gateway and entering that? I will try it at the weekend. Thanks.

Yes.  You figured it out!  

Pick a range of consecutive IP addresses for reservation in case you want to block more than one devices.

Good.

Oh, BTW, what's with the rich text editing on these forums - I coloured all the text I pasted from the User Guide in blue and inserted my comments in black and it looked fine in the preview but only the first blue line appeared when posted (and when editing using the rich text view) HTML looks OK I think but gives me a headache tracing the tags so it may be borked!

BWT, only need to worry about TCP/UDP ports if you want to block a specific application like email/torrent/etc.  In your case, you want to block all, so select the big hammer from the drop down menu.

One more suggestion.

• First, create a schedule rule, by default it's every day, 7 days a week.
• After you add one or range of IP to block, select bock by schedule and select the schedule you've just created.