A couple of thoughts. I can go into more detail on any of these if you need me to.
-When it comes to wireless, there are two ways to plan. One is for coverage, the other is for capacity. Based on the number of devices (capacity) and space (coverage) that you describe, I believe that capacity is going to be the bigger deciding factor. Remember that wireless is like using an old-school hub. Everyone hears everything. That also means that only one client can talk to one AP at a time. This isn't a limitation of a device (Cisco vs. Netgear); this is a limitation of the physical medium (airspace). Since you are programming for mobile devices, which will only support a single stream, you should plan on 1 dual-band AP per 50 devices. If you choose to only support 2.4 or 5 GHz (airspace issues with neighbor offices, for instance), then plan on 1 AP per 30 devices.
-The Cisco 887 only has a 100Mb connection. If you keep with your current plan, and do all of your L3 routing on the 887, it will become a bottleneck for anything that routes between your internal networks. Examples include: local replication for Dropbox, wireless syncing between i-devices and iTunes, copying files from machine A to B, Time Machine backups, etc. This bottleneck occurs because any time data must flow from one network to another (WLAN to LAN) it will need to be routed, and must go out, and then back in, from the same 100Mb interface. This might not be a big deal, but I wanted to mention it, just in case.
-The wireless controllers are a good idea. The initial setup takes a little while longer, but from that point on, it becomes super easy to deploy more APs or WLANs. I don't know anything about them from personal experience, but I have heard good things about the Meraki APs. It is a cloud-based controller solution, which Cisco recently bought. EDIT for clarity: I don't know anything about the Meraki solution. I know A LOT about the Cisco Wireless Controllers :-).
-How are you powering your APs? Do you plan on using VoIP in the future? Consider both of these when deciding whether or not to order a switch with PoE.
-Also, just noticed, you are planning on putting a firewall in-line after the router. That further complicates your plan to route between subnets there. I would plan on purchasing an L3 switch. That would simplify the deployment considerably.
Hope this helps. Good luck.
You need to provide a route; otherwise you have two networks with no reason to talk across the link, as they are different subnets with different default gateways, and the NanoStation at network 2 is on network 1. If you plug a single computer into the LAN port on that NanoStation, does it connect to network 1? It should, if the link is working. But without a route, no traffic will flow.
So you need a router at each end that is capable of managing a connection to WAN and a connection to the other network. Not difficult, but not consumer-grade stuff.
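The route problem described in this answer, as an added illustration that is not the answer author's code: a longest-prefix-match lookup over a constructed routing table for the router at network 1, showing that without a static route, traffic for network 2 follows the default route to the ISP, and with one it is sent across the bridge link. All addresses and names are constructed for the example.

```python
from ipaddress import ip_address, ip_network

def next_hop(routes, destination):
    """Longest-prefix-match lookup.

    routes: list of (prefix, next_hop) pairs; next_hop is an address string or
    "connected" for a directly attached segment. Returns None when nothing matches.
    """
    dst = ip_address(destination)
    best = None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]

# Constructed addressing: network 1 is 192.168.1.0/24 with its Internet router at
# 192.168.1.1; network 2 is 192.168.2.0/24. The NanoStation at site 2 sits on
# network 1, so the site-2 router's interface facing the link is 192.168.1.254.
NET1_ROUTER_BEFORE = [
    ("192.168.1.0/24", "connected"),
    ("0.0.0.0/0", "203.0.113.1"),          # ISP default gateway
]
NET1_ROUTER_AFTER = NET1_ROUTER_BEFORE + [
    ("192.168.2.0/24", "192.168.1.254"),   # static route through the bridge link
]

def path_to_network2(routes, host="192.168.2.10"):
    """Where the network-1 router would send a packet for a host on network 2."""
    return next_hop(routes, host)

if __name__ == "__main__":
    # Without the route the packet goes to the ISP and never reaches site 2.
    print(path_to_network2(NET1_ROUTER_BEFORE))  # 203.0.113.1
    # With the route it crosses the link to the site-2 router.
    print(path_to_network2(NET1_ROUTER_AFTER))   # 192.168.1.254
```

The same lookup applied to the site-2 router's table shows why a route is needed at each end: its return traffic for network 1 also needs a next hop on the link rather than its own WAN default.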
Best Answer
Since you've clarified (comments above) that IP net/mask/gw are the same for wired/wireless clients, your AP is bridging (as opposed to routing or NAT'ing the wireless clients).
Verify the wireless systems are getting DNS servers via DHCP. If "cannot access Internet" means "web sites do not load", this may be all that is wrong.
Verify your Internet edge router (and/or firewall) isn't blocking the traffic. You might have everything configured correctly from the network and IP point of view, and then not realize that the edge router has special rules to only permit certain of your internal LAN IP addresses out. (For example, your DHCP server could be configured to give specific IPs to certain DHCP clients (the boss's desktop), while servicing the rest of the clients (e.g., printers) from a pool of numbers which aren't generally permitted out to the Internet.)