docs(wiki): SMB files+printer over Tailscale (Windows) + Wolkin scope

Robert Wolkin's use case is RSW-Laptop accessing file shares + a shared
printer on front. Add a reusable Windows files/printer section to the
pattern (SMB over the tailnet, the 445 firewall-on-Tailscale-interface
gotcha scoped to 100.64.0.0/10, local-account auth on Home, MagicDNS
FQDN, Point-and-Print via RMM, Taildrive alternative). Record the
concrete per-host post-connect config and the printer-type open item in
the client doc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 15:41:14 -07:00
parent 32e71a1300
commit f75405506e
2 changed files with 65 additions and 5 deletions


@@ -34,8 +34,17 @@ backlinks:
### Tailscale (active rollout)
Per [[patterns/tailscale-client-management]] — **dedicated client-owned tailnet, ACG holds
Admin**. **Goal: RSW-Laptop reaches `front` (the front-desk PC).** Only those two nodes are
enrolled; Bob's personal `DESKTOP-V1JT1SE` is out of scope.
Admin**. **Goal: RSW-Laptop accesses shared files AND a shared printer on `front`** (the
front-desk PC) over the tailnet. Only those two nodes are enrolled; Bob's personal
`DESKTOP-V1JT1SE` is out of scope.
Files + printer run over plain **SMB to `front`'s Tailscale address** — no subnet router
needed (both live on a node). See the Windows files/printer section in the pattern.
**[CONFIRM] Printer type:** is it **USB-attached to `front`** (→ Windows print share, SMB) or a
**separate network printer** on the office LAN that `front` prints to (→ would need a subnet
router on `front` advertising that LAN, or install it by IP on the laptop)? This changes the
design — verify before the printer step.
| Field | Value |
|---|---|
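Review bot: the "Files + printer run over plain SMB ... no subnet router needed" line presents the SMB-only design as settled, yet the [CONFIRM] item two lines later says the printer type (USB-attached vs. separate network printer) is unverified and that a network printer would change the design. Suggest qualifying the earlier line, e.g. "Files (and the printer, if USB-attached to `front`) run over plain SMB to `front`'s Tailscale address", so a reader skimming the summary does not treat the printer path as confirmed before the check is done.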
@@ -54,7 +63,21 @@ enrolled; Bob's personal `DESKTOP-V1JT1SE` is out of scope.
| Out of scope | DESKTOP-V1JT1SE | — | Bob's personal machine; NOT enrolled in Tailscale |
Enrollment: push [`patterns/tailscale-client-enroll.ps1`](../patterns/tailscale-client-enroll.ps1)
from GuruRMM with the auth key as a masked parameter.
from GuruRMM with the auth key as a masked parameter (RSW-Laptop + front only).
**Post-connect config (push via GuruRMM after both nodes are up):**
*On `front` (host):*
1. Firewall — allow SMB only over the tailnet:
`New-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 100.64.0.0/10`
2. Confirm/create the **file share** + a **local user account** for the laptop to authenticate
as (Win 11 Home, no domain, insecure guest disabled → real creds required); grant share+NTFS.
3. Confirm the **printer share** (if USB-attached to `front`).
*On `RSW-Laptop` (client):*
4. Map the share by FQDN/IP: `\\front.<tailnet>.ts.net\<Share>` (save creds via `cmdkey`).
5. Add the printer `\\front.<tailnet>.ts.net\<PrinterShare>` — install the driver via RMM
(SYSTEM) to dodge Point-and-Print admin prompts for the non-technical user.
### Servers & Services / Email & Identity / Network
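Review bot: step 4's "save creds via `cmdkey`" will not work as a plain GuruRMM push, because the section header says these steps are pushed via GuruRMM and step 5 notes the agent runs as SYSTEM: `cmdkey /add` writes to the Credential Manager vault of the account that runs it, so a SYSTEM-context push stores the credential for SYSTEM rather than for the laptop user who maps the drive. Either run step 4 in the logged-on user's context or have the user save the credential once interactively, and say which in the step. Minor: the step 1 rule matches on remote address only; adding `-InterfaceAlias Tailscale` would also pin it to the Tailscale adapter so the "only over the tailnet" intent does not rest solely on the 100.64.0.0/10 scope.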
@@ -84,8 +107,10 @@ Not yet documented. [unverified]
- **Tailscale rollout (2026-06-06):** Stand up Robert's tailnet, assign ACG as Admin, set
the `tag:wolkin` ACL + MagicDNS, generate a reusable/pre-approved tagged auth key, and
enroll **RSW-Laptop + front** via the GuruRMM script (agent IDs above). Goal: RSW-Laptop
reaches `front`. Do NOT enroll DESKTOP-V1JT1SE (Bob's personal machine). Runbook in
enroll **RSW-Laptop + front** via the GuruRMM script (agent IDs above), then push the
post-connect SMB config so RSW-Laptop can reach **files + the shared printer on `front`**.
Do NOT enroll DESKTOP-V1JT1SE (Bob's personal machine). Open item: confirm printer type
(USB-attached vs network). Runbook + Windows files/printer gotchas in
[[patterns/tailscale-client-management]].
## History Highlights
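Review bot: this task entry now bundles enrollment, the post-connect SMB/file-share config and the printer work into one item, while the printer-type open item only gates the last of them. Splitting it into "enroll + push SMB/file-share config" and "printer (blocked on USB vs. network confirmation)" would let the file-share part be closed independently and keep the open item visible on its own line rather than buried mid-paragraph.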


@@ -102,6 +102,41 @@ With **MagicDNS** on, the two boxes reach each other by name (e.g. `front-desk`,
---
## Accessing files + a printer on a host node (Windows)
When one node needs SMB file shares and/or a shared printer that live on another Windows
node (e.g. laptop -> front-desk PC):
- **It runs over plain SMB to the host's Tailscale address - no subnet router needed**
when the files/printer are *on a node*. (A subnet router is only needed if the printer is
a SEPARATE LAN device the host prints to - then advertise that LAN subnet from the host.)
- **The #1 gotcha: Windows Firewall blocks SMB (TCP 445) on the Tailscale interface.**
Windows classifies the Tailscale adapter as Public, where File & Printer Sharing is off.
Fix on the HOST with a rule scoped to the Tailscale CGNAT range, so SMB is reachable only
over the tailnet (not the local LAN / Public networks):
```powershell
New-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -Direction Inbound `
-Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 100.64.0.0/10
```
- **Auth:** Windows 11 Home machines aren't domain-joined, and Windows disables insecure
guest SMB by default - so the client must authenticate as a **real local account on the
host**. Create/confirm a local user on the host, grant it share + NTFS permissions, and
save the credential on the client (Credential Manager / `cmdkey /add`).
- **Address by MagicDNS FQDN or 100.x IP**, not the bare `\\host` short name (Windows SMB
name resolution is unreliable for the short MagicDNS name):
`\\front.<tailnet>.ts.net\Share` or `\\100.x.y.z\Share`.
- **Shared printer:** add as `\\<host-fqdn>\<printershare>`. Post-PrintNightmare
Point-and-Print restrictions often require admin to install the driver - push the
driver/printer install from **GuruRMM** (agent runs as SYSTEM) rather than walking a
non-technical user through it. USB-attached printer -> SMB print sharing is the only
option; a network printer -> install by IP on the client instead.
- **Alternative (files only): Taildrive** - Tailscale's built-in WebDAV share
(`100.100.100.100:8080`), enabled via `nodeAttrs`. Avoids opening SMB/445 entirely, but
it's a WebDAV mount (less familiar than a mapped drive) and does NOT cover printing - so
if a shared printer is in scope you're on SMB anyway.
ACL note: the `tag:<client>` "see each other" ACL already permits 445; no extra grant needed.
## Offboarding
Delete the client's tailnet, or revoke your admin seat and rotate the auth keys. Because the
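Review bot: the firewall bullet claims the rule makes SMB "reachable only over the tailnet (not the local LAN / Public networks)", but `-RemoteAddress 100.64.0.0/10` filters by source address on every interface, not by interface, so a LAN peer that happens to carry a CGNAT address would still match, and the rule opens a second 445 path on a Public-profile adapter. Suggest adding `-InterfaceAlias Tailscale` (the alias the Tailscale Windows client normally gives its adapter) to the command here and in the client doc, and stating that the built-in File and Printer Sharing rules stay disabled for Public. Two smaller points: the Auth bullet should say the local account gets share + NTFS access to the one share only (not a broad Everyone grant), since this rule exposes 445 to every node on the tailnet; and the ACL note could mention narrowing the `tag:<client>` "see each other" grant to `tcp:445` as defense in depth if it is currently a wildcard allow.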