So I need a command I can issue that will cause a currently connected device (be it through ethernet or wireless) to disconnect. It is OK if the device reconnects after, I just need it to disconnect temporarily. Another option is a command to close all ports associated with an IP address or MAC address. Any suggestions? I've searched extensively and, surprisingly enough, was unable to find it.
Topic: Command to disconnect a device by mac address or ip address?
The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
There is a package called "cutter" which attempts to inject RST packets into all established TCP streams matched by IP or port, it should be available in the opkg repository.
The utility home page talks some more about the details and some alternative iptables techniques; http://www.lowth.com/cutter/
Thanks. That is perfect. I'm having a problem though:
root@OpenWrt:/proc# cutter 10.0.0.108
openning /proc/net/ip_conntrack: No such file or directory
root@OpenWrt:/proc# cd net
root@OpenWrt:/proc/2070/net# ls
arp ip_tables_matches nf_conntrack route udp
dev ip_tables_names nf_conntrack_expect rt_acct udplite
dev_mcast ip_tables_targets packet rt_cache unix
fib_trie layer7_numpackets pppoe snmp vlan
fib_triestat mcfilter protocols sockstat wireless
igmp netfilter psched softnet_stat xt_recent
ip_mr_cache netlink ptype stat
ip_mr_vif netstat raw tcp
As you can see it complains about there being no 'ip_conntrack' file to read. I go to the directory and that seems to be the case. What dependencies am I missing? As far as I can tell ip_conntrack should be compiled into the kernel code, not as a module, and so should always be active. I even have entries in sysctrl.conf related to the max number of entries.
So there really is no command that will cause a connected device to disconnect from the router? I can't shut a person out once they have connected?
Come on, I am sure somebody knows the command. It has to exist. I just can't find any documentation on it. I don't want the person to remain connected, I want to terminate their lease.
hi, same that you have kmod-ipt-conntrack or kmod-nf-conntrack, both don't work together. However, a kernel module is not on user workspace, don't worry about it (always main always that kernel need it). Regards.
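Added example (not from the thread and not cutter's own code): the error above comes from a lookup of /proc/net/ip_conntrack, while the `ls` output shows this kernel exposing nf_conntrack instead. The script below reads whichever table exists and lists a client's established TCP flows, which are the entries cutter matches by IP; the sample rows are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample rows: lines 1 and 4 use the nf_conntrack layout
# (two extra leading columns), lines 2 and 3 the legacy ip_conntrack layout.
sample_table() {
cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.108 dst=192.0.2.10 sport=51234 dport=443 src=192.0.2.10 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=2
tcp      6 110 TIME_WAIT src=10.0.0.108 dst=192.0.2.11 sport=51300 dport=80 src=192.0.2.11 dst=198.51.100.7 sport=80 dport=51300 [ASSURED] use=1
tcp      6 431000 ESTABLISHED src=10.0.0.109 dst=192.0.2.10 sport=40000 dport=22 src=192.0.2.10 dst=198.51.100.7 sport=22 dport=40000 [ASSURED] use=1
ipv4     2 udp      17 25 src=10.0.0.108 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=198.51.100.7 sport=53 dport=5353 mark=0 use=2
EOF
}

# Print the conntrack table this kernel exposes; fail if neither file exists.
conntrack_file() {
    for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# flows_for_ip IP [FILE]: one "src:sport -> dst:dport" line per ESTABLISHED
# TCP entry whose original-direction source or destination is IP.
# Reads stdin when FILE is omitted. Fields are found by name, not position,
# so both layouts parse the same way.
flows_for_ip() {
    awk -v ip="$1" '{
        tcp = est = 0; src = dst = sport = dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "tcp") tcp = 1
            else if ($i == "ESTABLISHED") est = 1
            else if ($i ~ /^src=/ && src == "") src = substr($i, 5)
            else if ($i ~ /^dst=/ && dst == "") dst = substr($i, 5)
            else if ($i ~ /^sport=/ && sport == "") sport = substr($i, 7)
            else if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        }
        if (tcp && est && (src == ip || dst == ip))
            print src ":" sport " -> " dst ":" dport
    }' "${2:--}"
}

# With an IP argument, query the live table; with none, do nothing.
if [ -n "${1:-}" ]; then
    f=$(conntrack_file) || { echo "no conntrack table under /proc/net" >&2; exit 1; }
    flows_for_ip "$1" "$f"
fi
```

Only the first src/dst/sport/dport on each line is used, because the second set describes the reply direction after NAT.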
So there really is no command that will cause a connected device to disconnect from the router? I can't shut a person out once they have connected?
Iptables MAC Address Filtering
I believe this is the command you're looking for:
iptables -A INPUT -m mac --mac-source ${MAC_Address} -j DROP
Come on, I am sure somebody knows the command. It has to exist. I just can't find any documentation on it. I don't want the person to remain connected, I want to terminate their lease.
The problem is, a DHCP server hands out leases, and even says how long they last, but it's up to the client to stop using them at or before the expiration time. There's no way for the server to tell a client that their lease has expired or terminated. The server can give the terminated address to a new client, but if the old client is still using it, that will merely cause network clashes, but it doesn't guarantee that the old client will go away.
This has been a known problem ever since DHCP was created - see Section 7, "Security Considerations," in RFC 2131.
So I need a command I can issue that will cause a currently connected device (be it through ethernet or wireless) to disconnect. It is OK if the device reconnects after, I just need it to disconnect temporarily. Another option is a command to close all ports associated with an IP address or mac address. Any suggestions?
Define "disconnect"? For how long?
If you read "cutter", you'll find that both server and client are aware of being disconnected normally, not just DROP or REJECT. I think you can drop or reject the connection from a specific ip or mac address within firewall if that's what you want.