By default the NAT in your router prevents it. When traffic comes into your router from an unknown location and wants to send data to a machine in your LAN, the router does not know which machine to send it to, so it just discards it. This is why you have to have port forwarding rules to tell the router where to send certain traffic.
The firewall in a router does very little since the NAT has already blocked almost all traffic. You generally only want the firewall features that protect the router itself; any form of traffic filters will greatly degrade the speed if you have a fast internet connection.
In general the best way to prevent a machine from talking to the internet is to leave the gateway and DNS fields blank or set to an invalid value. This way even if something on the outside were to get to the machine, it has no ability to respond since it does not know where the gateway (i.e. router) is to send traffic. This of course is only used on a device that needs no access ever to the internet.
Thank you for your reply. The device I want to block from internet access is a Seagate Central drive. It has the following settings in its admin panel:
Network mode: DHCP Client OR Static
IP address: 192.168.1.x
Netmask: 255.255.255.0
Default Gateway: 192.168.1.x
DNS servers: [x] Obtain DNS server address automatically (If I uncheck this I can add two DNS server addresses)
It does not let me leave default gateway and DNS server addresses as blank.
How should I configure these options to block internet access from/to this device but keep it accessible over LAN?
If I set those addresses as a non-existing local IP, such as 192.168.1.0, would it be a good solution?
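The next-hop decision discussed in this thread, as an added example that is not part of either post: a small Python model of how a host picks where to send a packet, run against a working gateway, a blank gateway, and the 192.168.1.0 value from the question. The device address 192.168.1.20, the LAN client 192.168.1.50 and the internet address 203.0.113.7 are constructed sample values, and the model assumes nothing answers at the subnet's network or broadcast address.

```python
import ipaddress

def next_hop(host_ip, netmask, gateway, dest):
    """Model where a host sends one outgoing packet (request or reply).

    Returns ("on-link", dest), ("gateway", gw) or ("unreachable", None).
    """
    net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    dst = ipaddress.ip_address(dest)
    if dst in net:
        # Same subnet: delivered directly, the gateway setting is never consulted.
        return ("on-link", str(dst))
    if not gateway:
        # Blank gateway: no route exists for anything outside the subnet.
        return ("unreachable", None)
    gw = ipaddress.ip_address(gateway)
    # Assumption of this model: nothing answers at an address outside the
    # subnet, or at the subnet's network/broadcast address, so the packet dies.
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        return ("unreachable", None)
    return ("gateway", str(gw))

if __name__ == "__main__":
    DEVICE, MASK = "192.168.1.20", "255.255.255.0"   # constructed sample address
    LAN_PC, INTERNET = "192.168.1.50", "203.0.113.7"  # constructed; TEST-NET-3
    for gw in ("192.168.1.1", "", "192.168.1.0"):
        for dest in (LAN_PC, INTERNET):
            print(f"gateway={gw or '(blank)':<12} dest={dest:<13} ->",
                  next_hop(DEVICE, MASK, gw, dest))
```

The model covers only the device's own routing decision. A gateway set to an ordinary host address is reported as "gateway" because the model cannot know whether a device owns that address and forwards traffic.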