The default settings make FreshTomato's administration ports (SSH and HTTP/S) reachable from all configured VLANs/WLANs.
If you don't want communication to be available on a certain VLAN or WLAN, you can filter out access to those ports by using the following script in the Administration/Scripts/Firewall page:
iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,23,80,443 -j REJECT
Your bridge number will reflect the interface on which you which to disable the above protocols. To avoid locking yourself out of access to the router, avoid filtering on bridge br0.
If you're using non-standard port numbers, you can change the ports used above (22,80,443). You can also add additional lines changing br1 if you have multiple bridges or guest VLANs. This command will take effect as soon as the firewall script is next called. You can force the command(s) to take effect manually by either logging on to FreshTomato and issuing the command: service firewall restart or by rebooting the device from the web interface.