I was in a discord recently and someone sent a grabify link. I clicked on it and it led me to a soundcloud page. I think my firewall on my router is alright, is that enough to prevent them from doing anything with my ip?
Furthermore, could they have somehow installed a virus with only the grabify link even though it led to soundcloud, a safe website?
Links don't install viruses. The website you land on does. However, the site you end up landing on might be just the last site in a chain. It is possible that you passed through multiple sites to get to the last one and each one might have tried to do, well, anything.
Whether or not a virus was installed depends on your browser and any weaknesses it might have.
I think my firewall on my router is alright, is that enough to prevent them from doing anything with my IP?
No.
Let us look at the whole operation in slow motion. You clicked on a link, which tells your browser "Go there and activate whatever you find". The there is website, which can both run code to e.g. determine what browser you're using and where you're coming from (and react accordingly) and send your browser instructions.
So, the fact that an antivirus, or someone else, or a different browser, or even you half an hour later, found nothing suspicious on the target website, means little.
Moreover, some of those "instructions" could be a simple redirect, that sends the browser on to another website (and again, this might happen only the first time, or just at a given hour, or with certain browsers, etc.), and so on.
In all this, the firewall never enters the equation because the connection was originated by you (clicking on the link). Some, more advanced firewalls may perform more or less deep packet inspection to prevent you from e.g. downloading a known virus - a virus that the firewall has been updated to recognize.
That is why you also need an updated antivirus on whatever machine your browser runs on.
Then your antivirus should also have system inspection capabilities (so-called behavioral guard) so that an unknown malicious code can be recognized and blocked by the fact that it is doing something recognizedly malicious, something suspicious, something unusual, or just something forbidden on general grounds (e.g. writing a file or trying to execute a file downloaded to the browser object cache, or checking whether an antivirus is running, and so on).
So far, everything has behaved as expected: the browser browsed, the firewall firewalled.
Unfortunately there may be bugs (vulnerabilities) in both the browser and the firewall. Only the second kind require knowledge of your IP; the first require reliably recognizing your browser (which is why some "security packages" rewrite the User-Agent and other information to make your browser look different from what it is). A malicious website that recognized you as using Google Chrome 78 might send an exploit that would likely be harmless against Firefox 56, and vice versa.
The firewall might have the same kind of vulnerability to a targeted attack. This usually happens when the firewall's configuration is accessible from the outside (some firewalls are configured that way to allow technicians or ISPs to more easily help you). Or the administration functions might be insufficiently protected against authentication forgeries; or someone from the outside might be able to trick your browser into sending the firewall specific commands that, coming from the inside, might be obeyed blindly (this is called a XSS, or cross-site-scripting, attack). You prevent these by keeping routers and firewalls updated, with robust passwords, and locked against outside access. Setting them to unusual internal addresses might help, very little.
So, the first line of defense would have been to check the grabify URL using the grabify expander, or try just googling it. Then, there are extensions that allow to block redirects until you manually confirm them (you can whitelist some sites, of course). So if you see a redirect to some funnily-named site that looks like a fire-and-forget malware haven, you have a chance to verify the URL.
There are also online services that allow scanning a URL to verify it is clean, but keep in mind that the target website might choose to send a clean response if it detects that the asker is a known security scanner, or does not look like a trusting browser.
Then, you have firewall, antivirus, and full and adequate backups.
And, of course, any "serious" navigation ought to take place from a separate user account, OS partition, system, sandbox, virtual machine or better yet, physical device (I've lost count of people lending their laptops to their kids to attend Covid19-safe "video school", and discovering their home banking credentials have leaked).
