Apple’s Private Relay is a feature designed to enhance user privacy by ensuring that network traffic remains private and secure when browsing the web in Safari. It works by routing traffic through two separate internet relays, which helps prevent websites from tracking user activity and IP addresses. However, many UniFi network administrators have encountered issues with Private Relay not working as expected on their networks, leading to the following common error message on iPhones and iPads:
Private Relay is turned off for network XXXXX. Private relay is either not supported by the network or Limit IP Address Tracking has been turned off in Wi-Fi settings.
This can be frustrating, especially for users who rely on Apple’s privacy features. Fortunately, there is a solution to this problem that involves adjusting your UniFi network’s firewall settings. In this article, we’ll walk you through the steps to make your UniFi network compatible with Apple Private Relay.
Why Does This Happen?
The issue arises because Apple’s Private Relay needs to communicate with specific domains to function properly. If your network firewall blocks these domains, Private Relay will be disabled, and users will receive the error message mentioned above. By default, UniFi’s firewall settings may block certain types of traffic, including the domains that Private Relay depends on.
To resolve this, you need to configure your UniFi network’s firewall to allow traffic to the required Apple Private Relay domains.
Step-by-Step Solution
Here are the steps to modify your UniFi firewall settings and enable Private Relay:
1. Access the UniFi Network Controller
First, log into your UniFi network controller. This can usually be accessed via a local web address (e.g., https://unifi.local) or through UniFi’s cloud management portal if you have cloud access enabled.
2. Navigate to Firewall Settings
- Once logged in, click on Settings in the left-hand menu.
- Under Security, select Firewall from the options available.
3. Create a New Firewall Rule
You’ll need to add a new firewall rule that allows traffic to the domains Apple uses for Private Relay. These domains are essential for the feature to work, and by whitelisting them, you ensure that Private Relay is able to operate without interruption.
- In the Firewall rules section, click Create New Rule or Add Rule, depending on your UniFi interface version. Here’s what the rule should include:
- Rule Action: Allow
- Description: Allow Private Relay domains
- Direction: Outbound (this allows devices on your network to communicate with external servers)
- Source: Any (or specify your local network if desired)
- Destination: Custom
- Custom Destination: Add the following domain names:
mask.icloud.com
mask-h2.icloud.com
4. Apply the Rule
Once you’ve configured the rule, click Apply or Save to ensure the changes take effect.
5. Restart Devices (Optional)
If users continue to experience issues after the rule has been applied, you may want to advise them to either reconnect to the Wi-Fi network or restart their devices. This ensures that the devices pick up the new firewall rule rather than reusing a previous connection state.
Verifying the Fix
After the new firewall rule is in place, users should no longer see the error message, and Apple Private Relay should function normally on your UniFi network. To verify that everything is working:
- Ask users to open Safari and check if Limit IP Address Tracking is now enabled without errors.
- Users should see no interruptions in their browsing experience, and Private Relay will continue to protect their privacy as intended.
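As an added example (not part of the original article), the following script lets an administrator run the same verification from a laptop on the UniFi network rather than only from a user's iPhone: it checks that the two hostnames named above resolve to real addresses and accept a TCP connection on port 443. The list of sinkhole addresses is an assumption about how DNS-based blocking commonly answers, not something stated in the article.

```python
#!/usr/bin/env python3
"""Check from a client on the UniFi network whether the two Apple Private
Relay hostnames resolve and accept a TCP connection on port 443."""
import socket

# Hostnames from the article.
PRIVATE_RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")
# Addresses a DNS filter typically returns for a blocked name (assumption).
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def resolve(host):
    """Return the set of IP addresses the network's resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def looks_blocked(addresses):
    """True when the resolver gave no usable answer: an empty/NXDOMAIN
    result, or only sinkhole addresses used by DNS-based blocking."""
    return not addresses or all(a in SINKHOLE_ADDRESSES for a in addresses)


def tcp_reachable(host, port=443, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_private_relay_hosts(hosts=PRIVATE_RELAY_HOSTS):
    """Return {host: (dns_ok, tcp_ok)} for each Private Relay hostname."""
    results = {}
    for host in hosts:
        addrs = resolve(host)
        dns_ok = not looks_blocked(addrs)
        # Only attempt the connection when DNS gave a usable answer.
        tcp_ok = dns_ok and tcp_reachable(host)
        results[host] = (dns_ok, tcp_ok)
    return results


if __name__ == "__main__":
    for host, (dns_ok, tcp_ok) in check_private_relay_hosts().items():
        print(f"{host}: DNS {'ok' if dns_ok else 'BLOCKED'}, "
              f"TCP/443 {'ok' if tcp_ok else 'unreachable'}")
```

A host reported as DNS BLOCKED points at name resolution rather than the firewall rule, so check any DNS filtering on the network as well.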
Conclusion
Apple’s Private Relay is a powerful tool for protecting user privacy, but it requires proper network configuration to work seamlessly. By adding the domains mask.icloud.com and mask-h2.icloud.com to your UniFi firewall’s allow list, you can ensure that Private Relay operates without interruption on your network. This simple fix helps maintain a balance between privacy and security while offering a smooth user experience for Apple device users on your UniFi network.
By following these steps, you can avoid the frustration of Private Relay being disabled and give your users the privacy protection they expect from Apple’s ecosystem.