Disable Administrative Access (SSH/GUI) for Guest VLAN/WLAN

The default settings allow access to FreshTomato's administration ports (SSH and HTTP/S) from all configured VLANs/WLANs.

If you don't want the administration ports to be reachable from a certain VLAN or WLAN, you can filter access to them by adding the following command to the Firewall field of the Scripts menu:

iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,23,80,443 -j REJECT


The bridge name (“br1” in the above example) is the interface on which you want access disabled. Double-check the Network menu to be certain which bridge serves the guest VLAN/WLAN. Avoid filtering on bridge “br0”, so that you do not lock yourself out of the router.

If you use non-standard port numbers for administration, change the port list in the command above (22,23,80,443) to match.

If you have multiple bridges or guest VLANs, you can add additional lines, and change the relevant bridge interface name. The command will take effect as soon as the firewall script next runs.

To make the command(s) take effect immediately, log on to the router and run “service firewall restart”, or reboot the device.
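With several guest bridges, the per-bridge lines can be generated instead of typed by hand. The script below is an added example, not part of the original wiki page or FreshTomato's own code; the names LAN_BRIDGE, GUEST_BRIDGES, ADMIN_PORTS and admin_block_rules, and the sample bridge list, are assumptions. It prints the rules by default and executes them only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not FreshTomato's own code. LAN_BRIDGE, GUEST_BRIDGES,
# ADMIN_PORTS and admin_block_rules are illustrative names.

LAN_BRIDGE="br0"             # management LAN, never filtered
GUEST_BRIDGES="br1 br2"      # constructed sample; confirm in the Network menu
ADMIN_PORTS="22,23,80,443"   # adjust if you use non-standard ports

# Print one REJECT rule per guest bridge, in the form used on this page.
# Returns 1 without printing rules if the port list or a bridge name is malformed.
admin_block_rules() {
    bridges=$1
    ports=$2
    # Accept only comma-separated decimal port numbers.
    case "$ports" in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "bad port list: $ports" >&2; return 1 ;;
    esac
    rules=""
    for br in $bridges; do
        # Interface names end up in a command line, so allow only [a-z0-9].
        case "$br" in
            ''|*[!a-z0-9]*) echo "bad bridge name: $br" >&2; return 1 ;;
        esac
        if [ "$br" = "$LAN_BRIDGE" ]; then
            echo "skipping $br: filtering it would lock you out" >&2
            continue
        fi
        rules="${rules}iptables -t filter -I INPUT 1 -p tcp -m multiport -i $br --dport $ports -j REJECT
"
    done
    printf '%s' "$rules"
}

# Dry run by default; set APPLY=1 on the router to execute the rules.
if [ "${APPLY:-0}" = 1 ]; then
    admin_block_rules "$GUEST_BRIDGES" "$ADMIN_PORTS" | sh
else
    admin_block_rules "$GUEST_BRIDGES" "$ADMIN_PORTS"
fi
```

After the firewall restarts, `iptables -L INPUT -n --line-numbers` on the router shows whether the REJECT rules sit at the top of the INPUT chain.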

disable_access_to_admin_access_ssh/gui_for_guest_v/wlan.1684035863.txt.gz · Last modified: 2023/05/14 04:44 by hogwild