I have the ap as access so I guess that would be part of my issue as well. I configured it via the cmd line and it's a standalone ap

I've attached the configs of the switch and router

The trunk port option will work. But i see tricky configuration .

Would like to understand , What is the reason behind applying the restriction for WLAN, if you want to apply the restriction for wifi user it's better to apply on vlan 2 not on vlan 1 ,

I would suggest to apply the below configuration and try every thing will work

interface FastEthernet0/1.1
 description LAN
 encapsulation dot1Q 1 native
 ip address 10.10.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly

interface FastEthernet0/1.2
 description WIRELESS
 encapsulation dot1Q 2
 ip address 192.168.2.254 255.255.255.0
 ip access-group Wifi_block in
  ip nat inside
 ip virtual-reassembly
!

access-list wifi_block permit 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list NAT deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list NAT deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list NAT permitip any any

on the access-list wifi_block permit 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255 would it be deny then a permit any below? I guess Im confused on that.

Thank you for the help

Huhhh yaaa missed it.. :D

here we go with correct one 

access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list wifi_block permit ip any any 

Let me know whether above proposed solution wored or not.. ;)

so on the router it would be

old configuration 

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.1.14 3389 interface FastEthernet0/0 3389
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 10 deny   192.168.2.0 0.0.0.255
access-list 10 permit any

Then the new one would be

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.1.14 3389 interface FastEthernet0/0 3389

access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list wifi_block permit ip any any 

Would this be correct and also turn the port on the AP's to trunk mode and allow vlan 1,2

Thank you again

New one would be as below :

Then the new one would be

ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.1.14 3389 interface FastEthernet0/0 3389

access-list NAT deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list NAT deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list NAT permitip any any

access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list wifi_block permit ip any any 

One more question before I try it. On the AP's since they are currently set on a access port, when I change it to a trunk port how would I tell that SSID to be dumped off into the vlan 2 and not the native vlan? I want to make the port on it trunk on vlan 1 and 2.

Thank you again

You can configure particular vlan for the SSID. No issues for that

I got the router and switch configured just fine. However on the AP I am still having issues getting an IP on VLAN 2. I thought I changed the vlan correctly but I guess not. Here is my config before I started messing with it. 

What do I need to change to get the ssid J&B2 ssid to get an ip on vlan 2 but still allow the gigabit port to see both vlans so i can use ssh to talk to it from vlan 1?

Does the ssid need a sub interface or something?

Thank you for all your help. You've helped me greatly on this.