I suggest you block by MAC address as the IP address can change.
Cant use groups for that.
If you insist on using IP - block by a single IP first -- get that working then switch to the group.
I do this by creating WAN_OUT rules. (Some folks dont like WAN OUT rules, btw)
Assume ETH0 is the Wan.
Create a new ruleset - call it "WAN OUT" or whatever.
Assign it to ETH0 as the interface. Direction is OUT. Default Action is Accept.
Add a rule to the ruleset.
Call it "Drop kids Computer". action is drop. All protocols. Do not check any of the boxes (established/related/...) on advanced. On SOURCE - put the mac address of your kids computer. (Or IP address instead if you insist)
Save it. Test. If it works, add the other computers. You will need a rule per MAC.
Incoming Should not need rules because you have NAT in place and no exposed ports right? So no IN possible without an established OUT, which you blocked.