From f75405506e804b4c230470e52cc3b3cd11c17a21 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Sat, 6 Jun 2026 15:41:14 -0700 Subject: [PATCH] docs(wiki): SMB files+printer over Tailscale (Windows) + Wolkin scope Robert Wolkin's use case is RSW-Laptop accessing file shares + a shared printer on front. Add a reusable Windows files/printer section to the pattern (SMB over the tailnet, the 445 firewall-on-Tailscale-interface gotcha scoped to 100.64.0.0/10, local-account auth on Home, MagicDNS FQDN, Point-and-Print via RMM, Taildrive alternative). Record the concrete per-host post-connect config and the printer-type open item in the client doc. Co-Authored-By: Claude Opus 4.8 (1M context) --- wiki/clients/robert-wolkin.md | 35 +++++++++++++++++--- wiki/patterns/tailscale-client-management.md | 35 ++++++++++++++++++++ 2 files changed, 65 insertions(+), 5 deletions(-) diff --git a/wiki/clients/robert-wolkin.md b/wiki/clients/robert-wolkin.md index d4e968d..98ccdd8 100644 --- a/wiki/clients/robert-wolkin.md +++ b/wiki/clients/robert-wolkin.md
@@ -34,8 +34,17 @@ backlinks: ### Tailscale (active rollout) Per [[patterns/tailscale-client-management]] — **dedicated client-owned tailnet, ACG holds -Admin**. **Goal: RSW-Laptop reaches `front` (the front-desk PC).** Only those two nodes are -enrolled; Bob's personal `DESKTOP-V1JT1SE` is out of scope. +Admin**. **Goal: RSW-Laptop accesses shared files AND a shared printer on `front`** (the +front-desk PC) over the tailnet. Only those two nodes are enrolled; Bob's personal +`DESKTOP-V1JT1SE` is out of scope. + +Files + printer run over plain **SMB to `front`'s Tailscale address** — no subnet router +needed (both live on a node). See the Windows files/printer section in the pattern. + +**[CONFIRM] Printer type:** is it **USB-attached to `front`** (→ Windows print share, SMB) or a +**separate network printer** on the office LAN that `front` prints to (→ would need a subnet +router on `front` advertising that LAN, or install it by IP on the laptop)? This changes the +design — verify before the printer step. | Field | Value | |---|---| 
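Review bot: the [CONFIRM] block offers "install it by IP on the laptop" as an alternative to a subnet router on `front`, but a network printer on the office LAN is only reachable by IP from RSW-Laptop over the tailnet if something routes to that LAN, so the two options are not independent: installing by IP works off-site only once `front` advertises a route (or when the laptop is physically on the office LAN). Suggest rewording to make that dependency explicit, and if a subnet router is the outcome, advertising only the printer's address as a /32 rather than "that LAN", with an ACL entry limited to the print ports, so the laptop does not gain reach into the rest of the office network.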
@@ -54,7 +63,21 @@ enrolled; Bob's personal `DESKTOP-V1JT1SE` is out of scope. | Out of scope | DESKTOP-V1JT1SE | — | Bob's personal machine; NOT enrolled in Tailscale | Enrollment: push [`patterns/tailscale-client-enroll.ps1`](../patterns/tailscale-client-enroll.ps1) -from GuruRMM with the auth key as a masked parameter. +from GuruRMM with the auth key as a masked parameter (RSW-Laptop + front only). + +**Post-connect config (push via GuruRMM after both nodes are up):** + +*On `front` (host):* +1. Firewall — allow SMB only over the tailnet: + `New-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 100.64.0.0/10` +2. Confirm/create the **file share** + a **local user account** for the laptop to authenticate + as (Win 11 Home, no domain, insecure guest disabled → real creds required); grant share+NTFS. +3. Confirm the **printer share** (if USB-attached to `front`). + +*On `RSW-Laptop` (client):* +4. Map the share by FQDN/IP: `\\front..ts.net\` (save creds via `cmdkey`). +5. Add the printer `\\front..ts.net\` — install the driver via RMM + (SYSTEM) to dodge Point-and-Print admin prompts for the non-technical user. ### Servers & Services / Email & Identity / Network 
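Review bot: the `New-NetFirewallRule` in step 1 is not idempotent, so pushing this post-connect script twice from GuruRMM (or once from each doc that carries it) creates duplicate rules; guard it with `Get-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -ErrorAction SilentlyContinue` or give the rule a fixed `-Name`. Consider adding `-InterfaceAlias "Tailscale"` so the allow matches only on the Tailscale adapter, not 100.64.0.0/10 sources arriving on the physical NIC, and since RSW-Laptop is the only other node enrolled, `-RemoteAddress` could be its 100.x address rather than the whole /10. Step 2 should state that the local account is a standard (non-administrator) user with a strong random password recorded in the client's secrets store and that share/NTFS permissions are granted only on the shared folder. In step 4 the `cmdkey` target must be the same name used in the UNC path (FQDN vs IP are different targets) or the saved credential is not used. The placeholders in steps 4 and 5 (`\\front..ts.net\`) render without the tailnet segment or share/printer name; spell them out as explicit placeholders so whoever runs the step knows what to fill in.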
@@ -84,8 +107,10 @@ Not yet documented. [unverified] - **Tailscale rollout (2026-06-06):** Stand up Robert's tailnet, assign ACG as Admin, set the `tag:wolkin` ACL + MagicDNS, generate a reusable/pre-approved tagged auth key, and - enroll **RSW-Laptop + front** via the GuruRMM script (agent IDs above). Goal: RSW-Laptop - reaches `front`. Do NOT enroll DESKTOP-V1JT1SE (Bob's personal machine). Runbook in + enroll **RSW-Laptop + front** via the GuruRMM script (agent IDs above), then push the + post-connect SMB config so RSW-Laptop can reach **files + the shared printer on `front`**. + Do NOT enroll DESKTOP-V1JT1SE (Bob's personal machine). Open item: confirm printer type + (USB-attached vs network). Runbook + Windows files/printer gotchas in [[patterns/tailscale-client-management]]. ## History Highlights diff --git a/wiki/patterns/tailscale-client-management.md b/wiki/patterns/tailscale-client-management.md index c158b63..8053444 100644 --- a/wiki/patterns/tailscale-client-management.md +++ b/wiki/patterns/tailscale-client-management.md 
@@ -102,6 +102,41 @@ With **MagicDNS** on, the two boxes reach each other by name (e.g. `front-desk`, --- +## Accessing files + a printer on a host node (Windows) + +When one node needs SMB file shares and/or a shared printer that live on another Windows +node (e.g. laptop -> front-desk PC): + +- **It runs over plain SMB to the host's Tailscale address - no subnet router needed** + when the files/printer are *on a node*. (A subnet router is only needed if the printer is + a SEPARATE LAN device the host prints to - then advertise that LAN subnet from the host.) +- **The #1 gotcha: Windows Firewall blocks SMB (TCP 445) on the Tailscale interface.** + Windows classifies the Tailscale adapter as Public, where File & Printer Sharing is off. + Fix on the HOST with a rule scoped to the Tailscale CGNAT range, so SMB is reachable only + over the tailnet (not the local LAN / Public networks): + ```powershell + New-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -Direction Inbound ` + -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 100.64.0.0/10 + ``` +- **Auth:** Windows 11 Home machines aren't domain-joined, and Windows disables insecure + guest SMB by default - so the client must authenticate as a **real local account on the + host**. Create/confirm a local user on the host, grant it share + NTFS permissions, and + save the credential on the client (Credential Manager / `cmdkey /add`). +- **Address by MagicDNS FQDN or 100.x IP**, not the bare `\\host` short name (Windows SMB + name resolution is unreliable for the short MagicDNS name): + `\\front..ts.net\Share` or `\\100.x.y.z\Share`. +- **Shared printer:** add as `\\\`. Post-PrintNightmare + Point-and-Print restrictions often require admin to install the driver - push the + driver/printer install from **GuruRMM** (agent runs as SYSTEM) rather than walking a + non-technical user through it. 
USB-attached printer -> SMB print sharing is the only + option; a network printer -> install by IP on the client instead. +- **Alternative (files only): Taildrive** - Tailscale's built-in WebDAV share + (`100.100.100.100:8080`), enabled via `nodeAttrs`. Avoids opening SMB/445 entirely, but + it's a WebDAV mount (less familiar than a mapped drive) and does NOT cover printing - so + if a shared printer is in scope you're on SMB anyway. + +ACL note: the `tag:` "see each other" ACL already permits 445; no extra grant needed. + ## Offboarding Delete the client's tailnet, or revoke your admin seat and rotate the auth keys. Because the
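Review bot: in the robert-wolkin.md hunk at `@@ -84,8 +107,10 @@`, the rollout bullet still relies on a "reusable/pre-approved tagged auth key" and the new text adds the post-connect SMB push but no step to revoke that key once RSW-Laptop and front are enrolled; a reusable, pre-approved key that leaks from the masked RMM parameter lets any machine join the tailnet as `tag:wolkin` with no approval. Suggest appending "revoke the auth key in the admin console after both nodes show up" to the same bullet, or using a short-expiry one-off key per node instead.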
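Review bot: in the tailscale-client-management.md hunk, the statement that the 100.64.0.0/10 rule makes SMB "reachable only over the tailnet (not the local LAN / Public networks)" overstates what the rule does: `-RemoteAddress` adds an allow for tailnet sources, it does not remove Windows' built-in File and Printer Sharing rules, which still allow 445 from the LAN on the Private profile wherever sharing is enabled, and it matches 100.64/10 sources on any adapter unless `-InterfaceAlias "Tailscale"` is added. Reword to say the rule adds tailnet reachability on top of whatever the LAN profile already allows, or include disabling the LAN-side sharing rules. The closing "ACL note" is also where to tighten rather than wave through: an ACL under which `tag:wolkin` nodes "see each other" on every port is bidirectional, so `front` can reach the laptop and the laptop can reach every port on `front`, while the stated requirement is laptop to front on 445 only; a rule whose dst is `tag:wolkin:445` (with the laptop as the only source, via a second tag or its user) matches the design better than "no extra grant needed". The `\\front..ts.net\Share` and `\\\` examples render with empty placeholders; write them out.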