The default settings make FreshTomato's administration ports (SSH and HTTP/S) reachable from all configured VLANs/WLANs.
If you don't want communication to be available on a certain VLAN or WLAN, you can filter out access to those ports by using the following script in the Firewall field of the Administration/Scripts menu:
iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,23,80,443 -j REJECT
The bridge number (br1 in the example above) refers to the target interface on which you want to disable access. Cross check the Network/Basic page if in doubt. Also to avoid locking yourself out of access to the router, refrain from filtering on bridge br0.
If you're using non-standard port numbers, you can change the ports used above (22,80,443). You can also add additional lines changing br1 if you have multiple bridges or guest VLANs. This command will take effect as soon as the firewall script is next run. You can force the command(s) to take effect manually by either logging on to FreshTomato and issuing the command: service firewall restart or by rebooting the device from the web interface.