Need block of single IP to WAN yet open to LAN

I've read here:

But this method doesn't seem to do what I want. I want the static address I've defined to not communicate in/out of the WAN but only be active on the LAN. In the firewall config, this did not seem to do it:

config rule
        option name 'Drop_outgoing_single_IP'
        option family 'ipv4'
        option proto 'all'
        option src '*'
        option dest '*'
        option dest_ip '192.168.16.6'
        option target 'REJECT'

The local IP that you wish to block from the WAN needs to be the source, not the destination.

EDIT: You should ideally include the source zone (LAN), although it is not strictly necessary. I would recommend adding in both the source zone and the destination zone (WAN).

Also, you didn't mention if you are using VLANs or multiple subnets in your network, but this won't limit your normal network activity for the device in question, the rule only prevents it from reaching the WAN.

EDIT 2: Here's what the rule should look like, assuming you're working with lan and wan as your zones in your firewall (tested and working):

config rule
	option src 'lan'
	option name 'block-single-device'
	list src_ip '192.168.16.6'
	option dest 'wan'
	option target 'REJECT'
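Added example (my own, not code from the thread or from OpenWrt): a small checker that parses UCI rule sections the way fw3/fw4 interpret them and reports whether a given LAN host is actually cut off from the WAN. It embeds the two rules from this thread as constructed samples and shows why the first one (host in dest_ip) never matches the host's outbound packets while the second (host in src_ip, lan to wan) does. Assumptions, not from the page: zone names lan and wan, only `rule` sections are considered (zone/forwarding defaults are taken as ACCEPT for lan to wan), proto and ports are ignored, and 203.0.113.10 (TEST-NET-3) stands in for "some host on the WAN".

```python
"""Check which OpenWrt firewall rules really block one LAN host from the WAN.

Assumptions (see lead-in): zones named lan/wan, rule sections only, no
proto/port matching, 203.0.113.10 (TEST-NET-3) as a stand-in WAN address.
"""
import ipaddress

# Constructed sample: the OP's rule, which names the LAN host in dest_ip.
BROKEN_CONFIG = """
config rule
        option name 'Drop_outgoing_single_IP'
        option family 'ipv4'
        option proto 'all'
        option src '*'
        option dest '*'
        option dest_ip '192.168.16.6'
        option target 'REJECT'
"""

# Constructed sample: the corrected rule from the reply (host in src_ip, lan -> wan).
FIXED_CONFIG = """
config rule
        option src 'lan'
        option name 'block-single-device'
        list src_ip '192.168.16.6'
        option dest 'wan'
        option target 'REJECT'
"""

WAN_PROBE = ipaddress.ip_address("203.0.113.10")  # assumed stand-in for "any WAN host"


def parse_uci(text):
    """Minimal UCI parser: returns [(section_type, {key: [values]})] in file order.
    Handles 'config', 'option' and 'list' lines; surrounding quotes are stripped."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config" and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and len(parts) == 3 and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def _ip_match(values, addr):
    """src_ip/dest_ip semantics: unset or '*' matches anything; a list is a set of
    alternatives (single IP or CIDR); a leading '!' negates that entry."""
    if not values:
        return True
    for v in values:
        if v in ("*", ""):
            return True
        negate = v.startswith("!")
        net = ipaddress.ip_network(v.lstrip("!"), strict=False)
        if net.version != addr.version:
            continue  # an IPv4 entry says nothing about IPv6 traffic, and vice versa
        if (addr in net) != negate:
            return True
    return False


def _forward_rule_matches(opts, host, lan_zone, wan_zone):
    """Would this rule see a packet *sent by host* towards the WAN?
    src/src_ip are matched against the sender, dest/dest_ip against the receiver,
    which is why a LAN address placed in dest_ip never matches outbound traffic."""
    if opts.get("enabled", ["1"])[0] == "0":
        return False
    fam = opts.get("family", ["any"])[0]
    if (fam == "ipv4" and host.version != 4) or (fam == "ipv6" and host.version != 6):
        return False
    src_zone = opts.get("src", [""])[0]
    dest_zone = opts.get("dest", [""])[0]
    # no src -> OUTPUT rule (router's own traffic), no dest -> INPUT rule; not a forward rule
    if not src_zone or not dest_zone:
        return False
    if src_zone not in ("*", lan_zone) or dest_zone not in ("*", wan_zone):
        return False
    return (_ip_match(opts.get("src_ip", []), host)
            and _ip_match(opts.get("dest_ip", []), WAN_PROBE))


def blocks_host_to_wan(config_text, host_ip, lan_zone="lan", wan_zone="wan"):
    """Walk the rules in file order (first match wins, as in fw3/fw4) and report
    whether the first forward rule matching host_ip -> WAN is REJECT or DROP."""
    host = ipaddress.ip_address(host_ip)
    for kind, opts in parse_uci(config_text):
        if kind == "rule" and _forward_rule_matches(opts, host, lan_zone, wan_zone):
            return opts.get("target", ["ACCEPT"])[0].upper() in ("REJECT", "DROP")
    return False  # assumed: zone forwarding lan -> wan defaults to ACCEPT


if __name__ == "__main__":
    for label, cfg in (("OP's rule", BROKEN_CONFIG), ("corrected rule", FIXED_CONFIG)):
        print(f"{label}: blocks 192.168.16.6 -> WAN? {blocks_host_to_wan(cfg, '192.168.16.6')}")
```

Two things the checker makes visible that are worth remembering on the real router: rule order matters (an ACCEPT rule for the same host placed earlier in /etc/config/firewall wins), and a src_ip entry only covers the address family it is written in, so a device that also has a global IPv6 address still reaches the WAN over IPv6 unless its IPv6 address (or a family-wide match) is added too. The rule also only affects forwarded traffic; the host can still talk to the router itself (DNS through dnsmasq, for example), which is INPUT, not forwarding. To confirm the rule was installed, run `nft list ruleset | grep 192.168.16.6` on fw4 (OpenWrt 22.03 and later) or `iptables-save | grep 192.168.16.6` on fw3.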