Client isolation works on layer 2.

In secure datacenters, it is common to assign /32 netmasks to servers and configure the switch to only allow communications between the servers and the router, not between servers directly. This way, all communications are transformed into layer-3 ones (i.e., routed through the router, not switched at the Ethernet level), and traditional firewall rules configured on the router then apply.

For home networks, this setup is extremely rare due to the associated performance overhead, as it completely disables the fast path made possible with bridging and breaks multicast-based network neighborhood discovery. You can still try it.

Add the string below to the "Additional options" advanced field in the DHCP server config for the LAN:

1,255.255.255.255

Or, equivalently, put this line into /etc/config/dhcp and restart dnsmasq:

list dhcp_option '1,255.255.255.255'

This works with Arch Linux and Windows 11. Other operating systems might not support the /32 netmask, as it has been a relatively recent-ish addition to the standards.