The default settings make Tomato's administration ports (SSH and HTTP/S) reachable from all VLANs/WLANs configured on the router.
If you don't want communication to be available on a certain VLAN or WLAN, you can filter out access to those ports by using the following script in the Administration/Scripts/Firewall page:
iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,23,80,443 -j REJECT
Your bridge number will reflect the interface on which you which to disable the above protocols. To avoid locking yourself out of access to the router, avoid filtering on bridge br0.
If you're using non-standard port numbers, You can change the ports used above (22,80,443). You can also add additional lines changing br1 if you have multiple bridges/guest VLANs. This command will take effect as soon as the firewall script is called next. You can force the command(s) to take effect manually by either logging on to Tomato with SSH or Telnet and issuing the command: service firewall restart or by rebooting the device from the web interface..