if you just have one device of the same generation you could identify your device by hostname. e.g. android devices have the same for each "generation": Galaxy-S8, Galaxy-S9, etc. the hostname could be changed on the device itself also.
so you could (i don't know if possible; don't have device to test now) assign a static ip for a certain hostname via dnsmasq (according to this: https://openwrt.org/docs/guide-user/base-system/dhcp mac is not a required attribute). the device should get the same ip always. now you could block the device over ip within iptables. (in my ofc limited theory ).