aha, sorry, -I inserts at the head of the chain, you want -A append if you give it in the order I gave you (thats what I get for doing it on the fly from my phone).
AHA thanks for giving me the ifconfig, I guess on tomato the vlan1,vlan2,vlan3 interfaces are what I was assuming was called eth0.3 etc.
ebtables -A FORWARD -i ! vlan3 -o vlan3 -j ACCEPT
ebtables -A FORWARD -i vlan3 -o ! vlan3 -j ACCEPT
ebtables -A FORWARD --logical-in br1 -j DROP
We have to remember to clear out ebtables before inserting/appending things. you probably should look at your ebtables rules, it shouldn't have any older leftover ones...
I think this should work.