Heads up that even if you block local forwarding in the router, it won't always be enough to prevent devices talking to each other over, say, an unmanaged switch or a wifi link.
Some (even cheap) unmanaged switches have a "vlan" or "isolation" switch that does exactly that, where only one or two "uplink" or "wan" ports can talk to the rest. If you have a managed switch, vlans is what most people would use for isolation.
On the software side you could also assign /32 IPv4 addresses only and add explicit ip route for the router only.
Some (even cheap) unmanaged switches have a "vlan" or "isolation" switch that does exactly that, where only one or two "uplink" or "wan" ports can talk to the rest. If you have a managed switch, vlans is what most people would use for isolation.
On the software side you could also assign /32 IPv4 addresses only and add explicit ip route for the router only.