You need this rule to disable internet access for a person based on their mac-address.
option proto 'tcp udp'
option name 'Block Internet for MAC'
option dest 'wan'
option target 'REJECT'
option src 'lan'
option src_mac '00:11:22:33:44:55'
# you can add more mac-addresses with a space 'xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx'
I think your rule caused the firewall to not work entirely because there is no source interface so it may have identified it as input rule. I am not an expert in firewall related stuff so please someone else can better advise you.