Sorry @erictung , I am still stucking on this.
My local network is 192.168.1.0/24, my NAS is 192.168.1.48. User need to access SMB on this NAS. They also has network drive (Z:) connect to NAS.
Follow your advice, I set like this:
Create link for access
Settings > General Settings > Team Domain **mstarcorp** .cloudflareaccess.com
Creating a team
Home > Access > Access Group > Add group
Creating a tunnel (Docker)
Install cloudflared on NAS Synology follow this tutorial
This also create a tunnel, I did not create tunnel anymore.
Removing my subnet from excluded IPs in Split Tunnel
Exclude mode: 192.168.1.0/24 not in the list
Adding my network to Private Networks
Access > Application > Private network point to 192.168.1.48
Configure device enrollment permissions to see who can enroll to WARP
Settings > Device enrollment > manage
Proxy is enabled (Settings->Network->Firewall->Proxy)
Ask users to enroll to WARP
After all the configuration:
I can access my NAS via webpage, link to DSM without open any port - as the video tutorial above.
I still cannot access my NAS via SMB - on NAS: 192.168.1.48
Now I can access my NAS at the company via Cloudflare WARP app on Windows, using Private Network. Here is the docs, from A to Z (in Vietnamese, just a few words) for those who want to use this feature to replace VPN. The only thing I am confuse is the speed of connection. I cannot test it right now.