Firstly, my thanks to the Tomato and TomatoUSB developers, as well as Shibby for his particular build for I am currently using tomato-K26USB-1.28.RT5x-MIPSR2-083V-AIO.trx on my ASUS RT-N16. All is well so far.
On the WAN side of my router I have a Draytek Vigor 120 ADSL modem. You can't really do much with it other than set the ADSL type and PPPoE, etc. But, it's still useful to be able to access it from behind the router to view ADSL line stats. Similarly, if you have a less powerful, ISP-supplied router setup in bridge mode in front of your Tomato-equipped device, it can be useful to connect to it to diagnose line issues and so on.
So what to do when the device in question gives itself a private IP but transparently bridges? Simple - add an IP alias to your Tomato router's WAN so that traffic destined specifically for your modem/bridge can be routed appropriately.
This is easy to do in linux:
ifconfig ifaceX:aliasN a.b.c.d netmask e.f.g.h up
I don't know about TomatoUSB in general but Shibby's build attaches the WAN port to a VLAN interface, vlan2. So to set it up via the web GUI I went to administration -> scripts, then clicked the "WAN up" tab and entered something along the lines of:
ifconfig vlan2:0 192.168.2.1 netmask 255.255.255.0 up
This is sufficient to bring up the alias when WAN comes up. I don't know how it'll behave if the WAN disappears and reappears, but it certainly works on boot. The routing table automatically gets an entry for 192.168.2.0/24 on the correct interface.
If you want to try it first you can execute the command over SSH or in Tools -> System via the GUI. Obviously make sure your LAN subnet does not conflict with the subnet your modem/bridge is using, or things will go pear-shaped.
Maybe this will be useful for somebody else. Let me know if it is! And let me know if anything can be improved or amended.