Macos tunneler bug?

Hi Team,

I'm facing a strange issue: I'm using a Mac with Macos Tahoe 26.3. I can access a Windows server through SMB protocol on the local LAN and it's working fine.

Yesterday, I have added the tunneler on this server and created a service making me able to access this server with remote desktop securely from my Mac, wherever I am, through Openziti. It's working fine as well but when the tunneler is up, SMB doesn't work anymore.

It's like the tunneler intercepts SMB traffic. It shouldn't as the configurations for this service spécifies only RDP port 3389.

Tunneler version 2.51 (548)
Ziti version 1.6.6

Any idea?

Hi @Eric,

It's not impossible to believe that someone adding the tunneler could the up causing connection problems like you're describing but to be honest, i would expect that it's some form of configuration error with OpenZiti moreso than a bug with OpenZiti in the scenario you're describing.

I assume you mean the Mac tunneler? It should be really easy to test this by just disabling the tunneler momentarily. If you meant the windows server, the same sort of test there would be an option too. That would maybe give us some steps to reproduce.

To be totally honest, i would be surprised if this was somehow an OpenZiti tunneler issue.

If you can reproduce, maybe send us some logs and we can try to look

Hi @Eric,

Are you by any chance using the SMB server’s LAN IP address in your intercept configuration? All of the OpenZiti tunnelers intercept connections by routing the IP addresses in the intercept configurations to the tunneler’s listener (in the case of the macOS tunneler, this is a “tun” network interface that the tunneler reads packets from). The tunneler then matches the packet’s protocol and destination port with the service configurations that it is aware of. If a match is found the tunneler uses the packet to initiate or continue an OpenZiti connection. If the packet does not match any service configurations then the tunneler discards it. Unfortunately there is no reliable way to regurgitate the unused packet back into the host’s network stack without the tunneler re-intercepting it.

For this reason, it’s best to avoid using LAN or public-routable IPs in your service intercept configurations. Instead I recommend using a hostname, like “windows-host.ziti” in the intercept “addresses” field. This will cause the tunneler to assign a unique IP address to your service from its DNS IP range (100.64/10 by default), and you can use the hostname to access the RDP service while still using the LAN IP for SMB connections.

Thank you for your answers.

Behavior is strange. Herds is what happens wjhen the tunnel is ON:

Capture d’écran 2026-02-27 à 14.25.331920×2030 213 KB

It's in French but this means Connexion to server "serveur01" has failed.

When tunnel is OFF:

Capture d’écran 2026-02-27 à 14.25.561920×1980 181 KB

The process is fine and I can enter my password.

Another thing to mention: after entering my password, I can access the server. If I turn the tunnel ON, SMB is still working for a while.

Here is my RDP intercept config. I don't use the server's IP.

Capture d’écran 2026-02-27 à 14.34.161140×1964 200 KB

Thanks @Eric, how is the SMB connection declared? Is it by hostname like serveur01? I am "the windows guy" so I am not familar enough with the MacOS UI to know if that's the name being used to connect or if that's just the name of the connection and you can declare the connection some other way?

When the ZDEM is running, and you try SMB, are there any logs that are captured in the tunneler's logs related to the connection?

You are accessing the SMB server with a hostname “serveur01”, which is also the hostname in your RDP service (albeit with a .zpix domain appended). If your mac’s network settings include “.zpix” as a search domain, then it’s possible that the “serveur01” hostname is being resolved by the tunneler’s DNS server, which would return one of those 100.64 IPs that the tunneler will intercept.

You can test this by “ping”ing the hostname from a terminal. You may see different results when pinging the hostname with different domains. e.g.:

ping serveur01
ping serveur01.zpix
ping serveur01.

If “.zpix” is an existing domain in your network I’d recommend changing your ziti service intercept addresses to not overlap your existing domains. I often use the “.ziti” domain in my services to make it clear that I'm intending to use the ziti overlay for connections.

The pings:

eric@Mac-M4 ~ % ping serveur01               
PING serveur01.eliptec.local (10.137.137.1): 56 data bytes
64 bytes from 10.137.137.1: icmp_seq=0 ttl=128 time=1.091 ms
^C
--- serveur01.eliptec.local ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.091/1.091/1.091/nan ms
eric@Mac-M4 ~ % ping serveur01.eliptec.local 
PING serveur01.eliptec.local (10.137.137.1): 56 data bytes
64 bytes from 10.137.137.1: icmp_seq=0 ttl=128 time=0.860 ms
^C
--- serveur01.eliptec.local ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.860/0.860/0.860/nan ms
eric@Mac-M4 ~ % ping serveur01.zpix         
PING serveur01.zpix (100.64.0.5): 56 data bytes
64 bytes from 100.64.0.5: icmp_seq=0 ttl=255 time=0.348 ms
^C
--- serveur01.zpix ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.348/0.348/0.348/0.000 ms
eric@Mac-M4 ~ %

Regarding SMB, I enter smb://serveur01.eliptec.local in a popup and the Mac establishes the connection with the server.

Regarding the logs, I don't know where they are stored and I don't know how to set them. The Mac tunneler is very different from the Windows one.

Ziti Desktop Edge for macOS logs can be accessed through the “Z” menu in your title bar under Logging → Packet Tunnel. This will pop up a Console window showing the tunneler log with live updates. You can get to the log file with the “Reveal” button (

image124×132 6.96 KB

edit: the logs will be most useful to us if you increase the log level to TRACE before attempting to access your SMB server.

I might be stupid, I don't see any Z menu.

Capture d’écran 2026-02-27 à 16.36.292108×1124 221 KB

it's a small z up here

image466×396 65.6 KB

I was cliking like an idiot on the Title bar of the main window... Thank you. I 'll send the logs.

Actually, it's confusing. I see such behavior:

1. I turn the tunneler OFF
2. I launch the SMB session with the server -> I see the folders and files in the Finder window
3. I start the tunneler
4. I still can walk in the server within the opened Finder window
5. I close this window
6. I open a new one -> access to the server fails

Here are the logs with tunnel UP and trying to establish SMB session.
appex.log (202.1 KB)

If it's reusing/keeping the connection open from before the tunneler is turned on (which would not surprise me) then it makes sense to me.

I'd definitely be interested in your logs when the tunneler is on and you cloe the finder window and reopen it to see if the tunneler is trying to intercept that traffic at that time.

Here are the logs as you requested.
appex.log.zip (43 KB)

Do you know what ports SMB is using? Oh it also makes me wonder if the SMB protocol can/does return back to the client the IP or hostname to use (i'll have to look into that)

I guess port 445, maybe 139

Yeah that's what I would expect -- just confirming. Merci!

C'est avec plaisir.

I'm leaving the office. If it can help, here is the Wireshark capture on the inet interface of my Mac (10.137.137.11) when I try to access the server (10.137.137.1). Thanks both for your help. I'll survey your messages this week-end and further.

Cheers!
capture.pcapng.zip (29.9 KB)