What is the best way to isolate an IP on wired or wireless network?
The goal is for that IP to be able to connect to the outside world/internet but nothing on the LAN

the easiest (and most consistent) way: isolate it in separate subnet only routed to internet

What is the best way to isolate an IP on wired or wireless network?
The goal is for that IP to be able to connect to the outside world/internet but nothing on the LAN

Specifically here the most basic way.

/ip firewall filter
add action=accept chain=forward src-address={YourIP Here} out-interface={Your Outbound Interface} comment="This allows your isolated IP to talk to the Internet Interface, thereby allowing web traffic.
add action-drop chain=forward src-address{your IP here} dst-address=0.0.0.0/0 comment="This will Drop any other traffic, thereby isolating your device.

As long as the accept rule is first, it will match all internet traffic. But this is a bit of a blunt instrument. It will not catch any unwanted traffic or broadcasts from the same subnet. If you can, subnet your network in such a way that devices you want to isolate can be completely separate.

Thank you for your fast replies!
I've tried the exact firewall rules mentioned above but something is still wrong, I can still reach other devices on LAN from the IP I'm trying to isolate.
I've tried moving the rules to different positions on the firewall, no affect.
I hope I'll have some more time in the weekend to try a different subnet as well. However with the new subnet how can I be sure that the specific subnet is not assigned to other devices? (I must use DHCP). Actually I can assign a specific address from that different subnet to the MAC address of the device I want to isolate.

with firewall in forward one can only limit forward traffic => between subnets.

Within one subnet, the traffic will not go though forward table.

This worked, all good.
Thank you for your help!