What you need is a black-list with a bypass to allow the IP addresses that you do not want to block, and these IP addresses will be matched with the MAC address of the end device, so the DHCP will always give the same IP address to a certain MAC address.
I have experience with pfSense; for more information, contact me.
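The setup described above, as an added example that is not part of the original post: a model of the rule order (bypass rule above the block rule, first match wins) plus a check that each reserved IP is still being used by the MAC it was reserved for. All addresses, MACs and function names are constructed for illustration, and the blacklist is assumed to hold destination networks.

```python
import ipaddress

# Constructed sample data (assumptions, not from the original post).
# DHCP static mappings: MAC -> reserved IP, so a device always gets the same address.
STATIC_MAPPINGS = {
    "aa:bb:cc:00:00:01": "192.168.1.10",
    "aa:bb:cc:00:00:02": "192.168.1.11",
}
# Blacklisted destinations (documentation address ranges).
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.7/32")]


def bypass_ips(mappings):
    """Derive the bypass list from the reservations so the two cannot drift apart."""
    return {ipaddress.ip_address(ip) for ip in mappings.values()}


def decide(src, dst, mappings=STATIC_MAPPINGS, blacklist=BLACKLIST):
    """First match wins: the bypass rule sits above the block rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in bypass_ips(mappings):
        return "pass (bypass)"
    if any(dst in net for net in blacklist):
        return "block"
    return "pass"


def reservation_conflicts(arp_table, mappings=STATIC_MAPPINGS):
    """Return (ip, expected_mac, seen_mac) where a reserved IP shows another MAC.

    The bypass rule matches on source IP only, so the MAC-to-IP binding has to
    be verified separately against what is actually seen on the network.
    """
    expected = {ip: mac.lower() for mac, ip in mappings.items()}
    return [(ip, expected[ip], mac.lower())
            for ip, mac in arp_table
            if ip in expected and mac.lower() != expected[ip]]


if __name__ == "__main__":
    print(decide("192.168.1.10", "203.0.113.5"))   # device with a reservation
    print(decide("192.168.1.50", "203.0.113.5"))   # ordinary DHCP client
    arp = [("192.168.1.10", "AA:BB:CC:00:00:01"),  # constructed ARP observations
           ("192.168.1.11", "de:ad:be:ef:00:99")]
    print(reservation_conflicts(arp))
```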