You are correct in assuming that it can be done using the "Traffic Rules" page. You can add a rule by using the "New Forward Rule" section.
To block a specific client from WAN access, add a rule like this:
Then in the rule editing window set up your rule like this:
- Protocol: All.
- Source zone: lan.
- Source address: IP of the client to block.
- Destination zone: wan.
- Action: drop.
Setting it up like this will deny WAN access for the specified client while leaving LAN communication untouched.
Also, as another answer suggests, you can use the Custom Rules page to set up the same thing. In many cases it can be even more convenient, but it requires you to know iptables syntax.
Hope this information is helpful.