How to configure router to limit a computer to local network and block its incoming or outgoing WAN access?

1

1

How can I configure a router to limit a computer to the local network and block its incoming or outgoing WAN access? What kind of settings should I look into?

I am using Tomato firmware.

smallbee

Posted 2012-12-22T22:59:58.910

Reputation: 41

This is normally done with VLANs - you can include the VLAN in the access list and prevent it from using NAT translation. This would be the best solution but I don't know if this is possible on Tomato. I'm pretty sure though that there is an iptables [http://tomatousb.org/forum/t-369359] which could be treated as a lightweight firewall - you can set up a rule to drop packets based on source and destination. – mnmnc – 2012-12-23T01:31:34.953

Answers

0

I don't know Tomato, but every reasonable router should offer at least the following:

  • Firewall rules based on IP addresses
  • Firewall rules based on Ethernet (MAC) addresses
  • Firewall rules based on VLANs

So you could easily block the machine in question by blocking its IP address and its Ethernet address in the router. Please note that this is not completely safe: The administrator of the machine in question could change the machine's IP address. The Ethernet address of modern NICs can be changed as well. So that method could be circumvented.

On the other hand, VLANs are considered to be safe (unless the firmware has bugs), but are impractical for most home or small office users because every network component between the PC in question and the router must support them.

For example, if the PC in question is connected to a switch, and the switch is connected to the router, and the router should identify the PC based on VLANs, the switch must support VLANs as well. Of course, switches supporting VLANs are much more expensive than standard switches.

Furthermore, VLAN safety is based on the assertion that no user has physical access to the router or switches. Otherwise, the owner of the PC in question can just pull out his network cable from the router, plug it into another network port of the router, configure the PC accordingly, and have full access afterwards.

So if you are in an environment with skilled and evil persons, you should place every network component (i.e. switches, routers etc.) in locations to which nobody but you has physical access, you should use VLANs (meaning that every network component has to support them and must be configured accordingly), and you should configure your router to deny or grant access based on the VLAN ID.

But if you just want to prevent your 6-year-old kid from surfing the net, IP-based rules or MAC-based rules are sufficient (probably).

As an additional idea:

In many cases, people overcomplicate things. So if you just would like to prevent some software on the PC in question from breaking out, you could simply remove the gateway from that PC's network configuration.

This is quite easy and safe provided that you have administrative access to that PC, and that you run that software without administrative privileges. Of course, removing the gateway is possible only if the network is configured manually (and not automatically via DHCP).

A final warning:

If you deny internet access, the O/S won't be able to get updates. This is a very high risk, even if the PC is not connected to the internet (think of viruses on USB sticks and the like), so I really wouldn't do that.

If you had detailed the reasons for denying internet access, we might eventually have been able to propose a better solution ...

Binarus

Posted 2012-12-22T22:59:58.910

Reputation: 475
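The IP-based and MAC-based firewall rules this answer describes, and the iptables approach mentioned in the comment on the question, can be written as a small script for Tomato's firewall-script box. The following is an added example, not code from any of the posts; the interface names (br0, vlan2), the host's IP and MAC address are constructed placeholders that you would replace with your own values. It emits the rules as text first (a dry run you can review) and only applies them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example: confine one LAN host to the local network on a Tomato router.
# Intended for Administration > Scripts > Firewall, which Tomato re-runs on
# every WAN (re)connect. All values below are assumed placeholders.
LAN_IF="${LAN_IF:-br0}"                      # LAN bridge (assumption)
WAN_IF="${WAN_IF:-vlan2}"                    # WAN interface (assumption)
HOST_IP="${HOST_IP:-192.168.1.50}"           # constructed sample address
HOST_MAC="${HOST_MAC:-00:11:22:33:44:55}"    # constructed sample MAC

# Emit the iptables commands as text so they can be reviewed before use.
# Matching on both IP and MAC means the host is still dropped if only one
# of the two identifiers is changed; as the answer notes, a user who can
# change both can still get around this.
build_block_rules() {
    ip="$1"; mac="$2"; lan="$3"; wan="$4"
    # Outbound: traffic from the host heading to the WAN is dropped.
    # LAN-to-LAN traffic never leaves via $wan, so it is unaffected.
    echo "iptables -I FORWARD -i $lan -o $wan -m mac --mac-source $mac -j DROP"
    echo "iptables -I FORWARD -i $lan -o $wan -s $ip -j DROP"
    # Inbound: packets from the WAN destined for the host (e.g. through a
    # port forward, which is DNATed before FORWARD) are dropped as well.
    echo "iptables -I FORWARD -i $wan -o $lan -d $ip -j DROP"
    # Inserted last so it sits above the DROP rules: rate-limited logging
    # makes blocked attempts visible in the router's syslog.
    echo "iptables -I FORWARD -i $lan -o $wan -s $ip -m limit --limit 6/min -j LOG --log-prefix 'WANBLOCK: '"
}

# Run each emitted command on the router.
apply_block_rules() {
    build_block_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_block_rules "$HOST_IP" "$HOST_MAC" "$LAN_IF" "$WAN_IF"
else
    build_block_rules "$HOST_IP" "$HOST_MAC" "$LAN_IF" "$WAN_IF"
fi
```

Running the script without APPLY prints the four rules for inspection; on the router, `APPLY=1 sh block.sh` installs them. The rules only touch the FORWARD chain, so the host keeps access to other LAN machines and to the router itself (including its DNS forwarder), which is the "local network only" behaviour the question asks for.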

0

Check the Parental Controls.

I'm not familiar with Tomato settings but many firmwares will let you control and/or meter the internet access using parental controls.

You should be able to use the machine's IP or MAC address to restrict its access.

I can block access completely or allow it on a schedule with my Asus router.

Zooks64

Posted 2012-12-22T22:59:58.910

Reputation: 1 938

0

A simpler way is to use the Access Restriction menu and make a rule for a specific Ethernet interface with internet access disabled.

Here's a video tutorial http://www.polarcloud.com/v/screst.htm

PoulGrym

Posted 2012-12-22T22:59:58.910

Reputation: 45