the above solution was not good. this is what you should do...
when i could not get masquerade yes on the firewall to work (i believe this is a bug), i added a source 192.168.0.0/24 to allow the under computers to access the internet. this caused all subsequent issues. as a result packets would go by the internal interface where samba was to external maybe or whatever and not mount right. i fixed this my adding a new policy that essentially, if not actually, did the maquerading...
firewall not configurable
Code:
firewall-cmd --zone=external --remove-source=192.168.0.0/24
to fix the pass-through...
to fix masquerade...
Code:
# firewall-cmd --permanent --new-policy intToExt
# firewall-cmd --permanent --policy intToExt --set-target ACCEPT
# firewall-cmd --permanent --policy intToExt --add-ingress-zone internal
# firewall-cmd --permanent --policy intToExt --add-egress-zone external
# firewall-cmd --reload
...and now everything works. i was able to samba mount again.