Flint 2 - 4.8.1 - Samba shares unaccessible if Tailscale is ON

I am running Flint 2 Router

4.8.3 firmware

Tailscale active WAN & LAN access is ON

SMB server, USB disk is mounted - DLNA & SAMBA is on

OSX Mac Monterey with Tailscale on, and same network connected with Ethernet to the router, wifi is off on router and Mac.

I cant connect at all to the SAMBA shared USB drive on the router if tailscale is on.

I tried to toggle allow local network acces, use tailscale DNS settings in OSX settings for tailscale, no difference at all.

When i use command-K to connect i cant reach the SAMBA USB disk.

However if i turn off tailscale on the router, it works PERFECT.

So what is wrong?

Obviosly its a crash between tailscale and SAMBA share, and i cant manage to find the solution. I tried loads of things.

Would be happy to solve this as i need both tailscale and SAMBA on the same network router.

thanks!

Please provide the logs of your router and check the logs of macOS as well.
How do you connect? Via IP or DNS? Does it work when you enter the Tailscale IP of your router?

When tailscale is active, it does not work at all. (wont connect, sometimes the login dialog comes, but will just stand chewing and not log in after putting username and password)

If i put tailscale IP in the webbroswer when tailscale is active on the router, i get loginpage for the router. so tailscale works and talks from mac to router. Just it will not connect to SAMBA.

After resetting router firmware, removing all the settings in the firewalls and all, i noticed that if i start the SAMBA server first and tailscale after, the normal connect with IP will work but not with tailscale IP. So it seems it makes a difference what order the services are started.

When i disable tailscale, and use the normal IP 192.168.8.1 it works just fine.

So only difference is the toggle for tailscale, i dont make any other changes.

IP is used for connect, not DNS.

I can retrieve the log from router, but dont know how to find it on OSX:

Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: Copyright Andrew Tridgell and the Samba Team 1992-2023
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: [2026/03/19 00:47:12.598872, 0] ../../source3/nmbd/nmbd_become_dmb.c:294(become_domain_master_browser_bcast)
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: become_domain_master_browser_bcast:
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: Attempting to become domain master browser on workgroup WORKGROUP on subnet 192.168.3.3
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: [2026/03/19 00:47:12.599083, 0] ../../source3/nmbd/nmbd_become_dmb.c:307(become_domain_master_browser_bcast)
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: become_domain_master_browser_bcast: querying subnet 192.168.3.3 for domain master browser on workgroup WORKGROUP
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: [2026/03/19 00:47:12.599202, 0] ../../source3/nmbd/nmbd_become_dmb.c:294(become_domain_master_browser_bcast)
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: become_domain_master_browser_bcast:
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: Attempting to become domain master browser on workgroup WORKGROUP on subnet 192.168.8.1
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: [2026/03/19 00:47:12.599277, 0] ../../source3/nmbd/nmbd_become_dmb.c:307(become_domain_master_browser_bcast)
Thu Mar 19 00:47:12 2026 daemon.err nmbd[8934]: become_domain_master_browser_bcast: querying subnet 192.168.8.1 for domain master browser on workgroup WORKGROUP
Thu Mar 19 00:47:12 2026 daemon.err smbd[8933]: [2026/03/19 00:47:12.616207, 0] ../../source3/smbd/server.c:1746(main)
Thu Mar 19 00:47:12 2026 daemon.err smbd[8933]: smbd version 4.18.8 started.
Thu Mar 19 00:47:12 2026 daemon.err smbd[8933]: Copyright Andrew Tridgell and the Samba Team 1992-2023
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]: [2026/03/19 00:47:20.617054, 0] ../../source3/nmbd/nmbd_become_dmb.c:112(become_domain_master_stage2)
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]: *****
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]:
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]: Samba server GL-MT6000 is now a domain master browser for workgroup WORKGROUP on subnet 192.168.3.3
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]:
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]: *****
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]: [2026/03/19 00:47:20.617343, 0] ../../source3/nmbd/nmbd_become_dmb.c:112(become_domain_master_stage2)
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]: *****
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]:
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]: Samba server GL-MT6000 is now a domain master browser for workgroup WORKGROUP on subnet 192.168.8.1
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]:
Thu Mar 19 00:47:20 2026 daemon.err nmbd[8934]: *****
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]: [2026/03/19 00:47:35.639265, 0] ../../source3/nmbd/nmbd_become_lmb.c:398(become_local_master_stage2)
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]: *****
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]:
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]: Samba name server GL-MT6000 is now a local master browser for workgroup WORKGROUP on subnet 192.168.3.3
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]:
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]: *****
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]: [2026/03/19 00:47:35.639621, 0] ../../source3/nmbd/nmbd_become_lmb.c:398(become_local_master_stage2)
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]: *****
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]:
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]: Samba name server GL-MT6000 is now a local master browser for workgroup WORKGROUP on subnet 192.168.8.1
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]:
Thu Mar 19 00:47:35 2026 daemon.err nmbd[8934]: *****

So i found this out:

If i turn off Tailscale, i can mount a smb disk from the router using local IP (not tailscale IP).

If i turn on Tailscale, and dont unmount that volume, i can mount also a tailscale volume.

If i unmount both volumes, i cant mount any of them back again as long as Tailscale is active.

If i turn off Tailscale again, i can log in with local IP.

It seems that the tailscale destroys something with the ability for the OSX to establish SMB connection to the router again.

What i tried:

I went to Lucy and i edited the firewall settings to accept bridge between Lan/wan/tailscale0.

I activated the masquearade also (dont know why but read it somewhere)

I updated the tailscale software to latest, and i checked the MTU that is 1280.

All problems still presist.

Turning tailscale off gives direct function of the samba feature to the USB disc, reactivating tailscale shuts it down straight.

Spent to many hours on this problem now, very happy if someone can solve. I did reset the router back to default 3-4 times this night going through lots of settings using grok, chatgtp and other AI. Non of the advice works from the AIs.

Hi

Could you clarify where Tailscale is running?

From your description, it sounds like it’s also running on the Mac to remotely access the SMB volume on the Flint 2.

If possible, please try to draw a simple topology so we can better understand the issue.
Note to indicate the role of each device (e.g., which one is running Tailscale and which one is the SMB server), as well as their IP addresses.

Hello thanks for your reply, i really appreciate it.

I made a real picasso drawing so i hope you enjoy art se attachment.

1. So i have a PC, it is running tailscale and is connected to my flint 2 router running tailscale. Tailscale works when i acces the router from remote location on tailscale network IP.
2. On the flint 2 router there is also a SMB server running. verified it works with the PC.
3. The SMB server works fine if i turn off tailscale on the router and keep it on in the PC (OSX), however if i have tailscale “on” - both devices i stops responding to connections.

My intention is to have tailscale running on the flint 2 router, and simultanious SMB sharing, so that i can reach the SMB disk from any portable device including smart TV and so on, or stationary PC, that is connected to my tailscale network.

There is also a remot PC connected to the same tailscale network, i also want that PC to access the SMB share from the flint 2 router that is on a remote location.

The Flint 2 router sits behind another router, so the IP on the flint router is:

192.168.8.1 internal network ip

192.168.3.3 external network ip (wan port)

and also it has a tailscale IP 100.107.136.10X

The PC (OSX) connected to the tailscale router with ethernet is running on IP:

192.168.8.122 (LAN)

100.126.196.9X (tailscale)

I tried connecting to the router SMB IP 192.168.8.1 when tailscale is off, then it works, if i keep that connection on local IP and turn tailscale back on (on the router) i can also connect on the tailscale IP 100.107.136.10X. However, if i unmount the first session on local IP, it will not respond to tailscale session request.

Does this answer the questions you need?

Is the fact that my Flint2 is running behind another router making any of these things more complicated? Because there is no access to the firewalls on the other router. Its in another building and i just get DHCP from that router, same as from ISP.

I know the PC / OSX can talk the SMB talk to the router, because it works. So its not a compability issue between them.

I know the tailscale works because i can access the flint 2 router via tailscale from remote locations using tailscale IP in the webbrowser, 100.107.136.1XX. So tailscale works perfect on the router, just not accessing the SMB.

I also know that if i have local access first, with tailscale off, i can turn on tailscale and get a tailscale access to the SMB but it wont open unless there is a simultanious connection.

I think the problem is in the routing.

I have WAN and LAN subnets active on the router, and i dont use any exitnode on any of the attached devices. Is this correct? Or should WAN and LAN routing be deactivated in router so that the router is not casting any other IPs on the network around it?

When tailscale is off, the SMB connections is SUPERFAST and it replies instantly.

When tailscale is on, the SMB connection is very slow to reply. The login windows comes like 30 sec after i send the request to login to SMB.

Another important factor:
I get the login window for the SMB, so there is some kind of communication actually working sometimes. But it will not accept the connection. I dont know why. It gives timeout or similar errors. Encryption problem somewhere with the SMB protocol when tailscale is active?

I spent many hours now trying to figure this out, and i did reset firmware, upgrade tailscale, change routing tables and so on. Trying to add another interface for the tailscale and so on, but i dont know if i did it all wrong.

Does the Tailscale IP have acces to the internal SMB feature of the router? Or is there some kind of block between there, so that the SMB only will be accessible from local IP?

Had the same problems quite a few times.
Try this: Turn completely OFF Tailscale and wait a few seconds.
Then turn ON Tailscale, BUT ONLY THE FIRST TOGGLE SWITCH. Wait a few seconds.
Then turn ON Allow Remote Access LAN (or WAN if you need it) and wait again a few seconds.
Try your connection.
Basically everytime I enabled all the toggles switches too fast I had the same problem, enabling them one by one solves the problem for me for some reason.

Thank you kindly for response.

Seems your help - helped me solve it - i am very thankful because this was like hours and hours of waste of time on my side. Now i managed to get remote access to the SMB from a remote computer on the tailscale network. (located in another country).

Did you have same problem with SMB as i have, or tailscale in general?

Those two toggles at bottom says somthing that actually i dont need, because i dont want to cast the network to others, i just want local access to this particular Router and thats it:

1. If this option is enabled, the resources on the WAN side of the device will be allowed to be accessed via the Tailscale virtual network.
2. If this option is enabled, the resources on the LAN side of the device will be allowed to be accessed via the Tailscale virtual network.

Now i just did what you said, and i turn off everything and i wait. Then i toggle back ONLY the first Toggle. I leave WAN and LAN toggles OFF.

• Enable Tailscale ON

• 100.107.136.1XX

• Custom Exit Node OFF

• Allow Remote Access WAN OFF

• Allow Remote Access LAN OFF

Also i added some rule in the firewall, i dont know if this helps or not but:

Firewall - Traffic Rules - Tailscale regel

• General Settings

Name

• Tailscale

Protocol

• TCP

Source zone

• tailscale0(empty)**

Source address

• -- add IP --

Source port

• any

Destination zone

• Device (input)

Destination address

• -- add IP --

Destination port

• 443 139

Action

No, I only had problems with Samba shares when Tailscale was enabled, but if I turn ON toggle switches one by one everything is always ok.

We believe the issue is caused by a routing conflict.

When Tailscale is running on the router and Allow Remote Access LAN is enabled, it advertises a LAN route (by default, 192.168.8.0/24) to the Tailnet—provided it has been approved in the Tailscale Admin Console.

In this situation, if devices connected to the router are also running Tailscale (with route acceptance enabled), they may receive two routes:

• 192.168.8.0/24 via the local LAN
• 192.168.8.0/24 via the Tailnet

This conflict can break network connectivity.

Disabling Allow Remote Access LAN resolves this issue.

In general, we recommend that once your Tailscale setup is properly configured, you only run Tailscale on the router. There’s usually no need to run it on individual PCs as well.

That sounds a bit unusual.

After changing the relevant settings, there should normally be a waiting period to prevent issues caused by rapid configuration changes.

Under normal circumstances, once the settings are adjusted, the backend script will restart the Tailscale process and apply the new configuration.

Would you be able to reproduce the issue again and share the device with us via GoodCloud (following the guide below) so we can perform a remote inspection?

Yeah, when you change settings there is this wait time:

But then, when it goes away there is this:

unknown_2026.03.20-08.251920×1080 163 KB

It's not consistent to reproduce and unfortunately I have no time at the moment, but usually it happens more easily when you first bind your device to Tailscale.
By coincidence I helped a friend of mine who bought a Flint2 a couple of weeks ago and had the exact same problem after enabling Tailscale with Samba shares.
It also happened on my Flint3.

Thanks for clarifying the details.

We’ll try to reproduce the issue locally, and if we can, we’ll have our development team look into it and see how it can be improved.

I have successfully repeated this thing now 2 times.

It is correct what the poster carrying the solution says, it is because i am to fast when i apply the changes. Then SMB becomes unresponsive.

I am very thankful for the poster for showing this, i would never have figured it out. I spend litteraly hours trying to figure this out, digging deep with AI assitance in the routing tabels and firewall settings of the router.

I want to add the fact that i added a rule in the firewall, that keeps the ports open from tailscale interface to the device. I dont know if this helps but now as it is working i will not change anything.

My advice to developers would be just to add a timing restriction on this feature in coming update, and maybe a “?” with explanation not to edit settings before the agent is loaded and running as these settings will not apply or will block the service totally.

To make sure you understand, if these settings are applied in a patient manner it will operate fine under all 3 conditions:

Tailscale ON, WAN OFF, LAN OFF

Tailscale ON, WAN ON, LAN OFF

Tailscale ON, WAN OFF, LAN ON

Hello Will.Qiu.

Thank you kindly for adressing this issue with my question in such a swift and timely manner, i really appreciate the service provided. I have now ordere 2 more Flint 2 routers as i really appreciate the service here and the customazibility of the product, and the performance this model delivers.

I would like to make a suggestion for how you can alter the firmware, in order to make this tailscale to optimum solution for lower teir users like me. I dont know the exact way to performe this change in the firmware but i am sure it can be managed somehow.

If you, in future upgrades, could add these features as shown in the attached image, it would increase the value of the tailscale integration by a exponential magnitude, as there is lots of smaller units that cant run tailscale and needs it through the router. At the same time, some users dont want to expose all the network, or all the clients, interfaces or subnets to the tailscale network. This forces us to use multiple routers in the home with different configurations, but it can be solved from one unit if firmware allowed for easy setup.

If these 3 extra options were added, and they would automatically configure the firewall/routing tabeles according to the users needs, it would be not even one inch short of fantastic:

Activating tailscale only for selected interfaces, subnets or clients. Thus allowing the user to use tailscale for example ONLY on one of the WiFi SSIDs, or only on the LAN, or only for a few chosen connected clients or a special subnet on the router. Using popdown menues to choose whatever is best suited for the user.

image_2026-03-20_1440025482097×1400 216 KB

Activating the service “allow remote access clients” would present the user with a list of all clients connected to the router, and just use “checkbox” to mark what clients to be connected to tailscale.

Or similar with “allow remote acces subnet” would present user with a list of avalible subnets on the router, and then allow the user to make a dedicated subnet for one WiFi channel, and connect that WiFi SSID to tailscale while rest of clients are not exposed to tailscale.

Same feature would go for interface, allowing the user to activate this feature and only connect tailscale to a dedicated interface, like ethernet ports or wifi.

I dont know how much time would be needed to add these features, but i would be happy if any of the developers could qote a time estimation for developing this feature.

Thank you for your update and suggestions.

• Regarding whether firewall configuration is needed for Tailscale: by default, access from Tailscale to the device itself is already allowed, so no additional configuration is required.
  

  

  image1106×859 49.3 KB

• Regarding the issue of Tailscale malfunctioning due to rapid clicks: We have not yet been able to reproduce the issue and may need to conduct further testing.

• Regarding your suggestion, we will forward it to the product team for further evaluation. For now, please use the firewall in Luci to achieve similar functionality.