
So is there some catch-all setting I can enable in my router to prevent my devices talking to each other on the local network?




Heads up that even if you block local forwarding in the router, it won't always be enough to prevent devices talking to each other over, say, an unmanaged switch or a wifi link.

Some (even cheap) unmanaged switches have a "vlan" or "isolation" switch that does exactly that, where only one or two "uplink" or "wan" ports can talk to the rest. If you have a managed switch, vlans is what most people would use for isolation.

On the software side you could also assign /32 IPv4 addresses only and add explicit ip route for the router only.
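The /32 trick from the reply above, spelled out as an added systemd-networkd example (not from the original post). It assumes the client interface is eth0, the client address is 192.168.1.50 and the router is 192.168.1.1; adjust to taste.

```ini
# /etc/systemd/network/20-lan.network -- on the client, not on the router
[Match]
Name=eth0

[Network]
# A /32 tells the kernel nothing else is on-link, so the host never ARPs
# for 192.168.1.x neighbours; every packet to them is handed to the router.
Address=192.168.1.50/32
DNS=192.168.1.1

[Route]
# The only host allowed to be reached directly is the router itself.
Destination=192.168.1.1/32
Scope=link

[Route]
# Default route via a gateway that lies outside the configured /32,
# so it has to be marked as on-link.
Gateway=192.168.1.1
GatewayOnLink=yes
```

Caveat worth knowing before relying on this: it only stops this host from initiating direct traffic to its neighbours. A neighbour can still ARP for 192.168.1.50 and send frames straight to it, and the kernel will accept them (strict rp_filter does not help, because the reverse route is also out eth0); the replies then go via the router, which forwards them back onto the same segment. So treat it as a "be quiet" setting for a trusted client, and add a host firewall rule dropping LAN-sourced input other than from the router if the inbound side matters.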


I'm in the middle of setting up DD-WRT on an old router (I'd use OpenWRT if I could) just to play around with VLANs and AP isolation.

Instead of that I highly recommend either setting up a VM or picking up a $35 thin client and running OPNSense. After years of OpenWRT/DD-WRT I switched about 5 years ago and oh my god what a difference. You will spend basically 0 time on system maintenance and just focus on the actual networking stuff. It has more knobs than a basic router but the UI is excellent and there are very few bugs, if any.

In most shitty routers: no. They don't even have raw ability to do that.

You can look around for something like device isolation, but I doubt you'll find it unless you go a couple of steps up from whatever router ISPs ~give away these days.


My ISP's router has isolation. Has had for 5+ years. Main SSID has it off so we can do LAN stuff. Guest SSID is used for IoT things and isolation turned off. Handy.

What exactly does it isolate? An SSID? IP addresses? Individual MAC addresses? How does this stop a pre-infected device you purchased from shitting traffic out of your network, acting as a residential proxy or trying to own your other IoT devices?

The one I've seen on ~basic consumer routers just disallows wifi devices from talking to each other at all, it won't route between them. I usually need something more nuanced personally, but it's not a bad start at all.

Sometimes; I've seen it called client isolation or something like that. Or, yeah, if you can get under the hood it's probably as easy as one or two iptables rules (or nftables or whatever).

Is this true? For devices on the same subnet, I'm pretty sure they don't even have to talk to the router. Maybe a managed switch can stop it, but I doubt most home routers have anything more than a dumb switch in them.

It depends™:) Yeah, if you have a dumb switch with devices plugged in, then the upstream router probably isn't relevant. But if you've got all devices on wifi running through a single box that's a router+switch+WAP+modem (very common in consumer home networking) then that single network box is in an excellent position to control devices talking to each other. YMMV.

Client isolation is a Wi-Fi feature, not an Ethernet feature. So a wireless client can't talk directly to another wireless client when client isolation is on.

Wired clients are unaffected.


usually lan devices do not talk to the router unless they need a resource outside your lan network

you can however isolate with vlans and a vlan capable switch, then it would be on the router to isolate traffic between lans (I do exactly this for my less trusted virtual machines)
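The "one or two nftables rules" for wireless client isolation mentioned earlier, and the router-side VLAN isolation described in the comment above, as one added nftables ruleset. This is example code, not anything posted in the thread; it assumes a Linux router (OpenWrt, OPNsense-style box or a plain Debian one) with WAN on eth0, the trusted LAN bridged as br-lan (wired ports plus radios wlan0 and wlan1), and an IoT VLAN tagged 20 arriving as br-lan.20. NAT, input filtering and IPv6 are left out to keep the isolation logic visible.

```nft
#!/usr/sbin/nft -f
flush ruleset

# Part 1: wifi client isolation. Frames between two wireless clients on the
# same bridge never reach the IP layer, so an inet forward chain cannot see
# them; they have to be caught in the bridge forward path instead.
table bridge isolation {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Drop anything bridged from any radio to any radio (including itself).
        # Wired <-> wireless and wired <-> wired on the same bridge still pass;
        # add those pairs here if the wired ports should be isolated too.
        iifname { "wlan0", "wlan1" } oifname { "wlan0", "wlan1" } drop
    }
}

# Part 2: inter-VLAN isolation at layer 3. Traffic between br-lan and
# br-lan.20 must be routed, so the inet forward hook sees every packet.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were allowed below.
        ct state established,related accept
        # Both the trusted LAN and the IoT VLAN may reach the internet.
        iifname { "br-lan", "br-lan.20" } oifname "eth0" accept
        # The trusted LAN may open connections to IoT devices, e.g. to control them.
        iifname "br-lan" oifname "br-lan.20" accept
        # Everything else, in particular IoT -> trusted LAN, hits the drop policy.
    }
}
```

Two checks before calling it done. First, the bridge rule only sees frames the Linux bridge forwards: two stations on the same BSS are relayed inside the wifi driver and never reach it, so set `ap_isolate=1` in hostapd.conf as well (or the vendor's "AP isolation" toggle, which is the same thing). Second, as the earlier comment about unmanaged switches says, none of this applies to devices plugged into the same external dumb switch; only the switch, or VLAN tagging on a managed one, can separate those.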



