[solved] iCloud Private Relay users have RFC1918 IP

Edit: The issue appears to be fixed. I opened a ticket with Cloudflare and never got a reply, other than a quick response asking for clarification. Then they tried to automatically close it since “the zones previously mentioned in this ticket have been either moved away from Cloudflare or deleted”. I didn’t move them away or even grey-cloud them. But as of Nov 16, 2021, Private Relay users now show an IP address from the list Apple publishes, and the country is identified correctly. You don’t have to include the XX country in your firewall rules any more.

Visitors to my site using Apple’s iCloud Private Relay service appear to be browsing from RFC1918 addresses.

I use a firewall rule to block traffic that doesn’t come from Canada / USA and is not a bot:

(not ip.geoip.country in {"CA" "US"} and not cf.client.bot)

A user emailed me to let me know he was blocked when he tried to access my site. This is the error page he got.

So the IP being reported is in the 172.16.0.0/12 range. I checked my firewall log and this is what I saw.

The rule blocked it since that IP doesn’t exist in either of those countries. I added the “Unknown states, other entities or organizations (XX)” country to my rule, so now it shows

(not ip.geoip.country in {"CA" "US" "XX"} and not cf.client.bot)

as a workaround but I hope this can be fixed. I guess Cloudflare is providing at least some of the network for Private Relay. But I think it should report the customer’s Private Relay IP (one of the ones here https://mask-api.icloud.com/egress-ip-ranges.csv) rather than an RFC1918 address, so Geo-IP can work properly.

I saw a couple of similar threads regarding WARP, so maybe this is the same or a related bug.

To me, that’s VPN traffic which I don’t mind blocking to prevent abuse.

In your case, do you mind getting non-Canadian/US visitors?

But allowing XX is pretty much the only option left if your legitimate visitors/customers insist on using Apple’s VPN.

I agree and would like to block it as VPN traffic to prevent abuse. But I think that to prevent operators from doing this, Apple will push its user base to use the service, and we will end up blocking a lot of legitimate users by doing so. I guess time will tell. So for now I want to allow it and monitor the amount of traffic I get.

I would prefer not to get non-Canadian/US visitors. I run a small shop located in one city in Canada and there’s no reason to allow visitors outside of Canada and the US. This firewall rule has reduced the load on my server significantly as well as the number of attacks.

I don’t think I should have to allow XX to allow these users. Cloudflare shouldn’t be returning a 172.16.0.0/12 IP - these are supposed to be for private networks only and not routed on the Internet. They should return the public IP the user is using from the .csv I linked above.

While returning a 172 address that narrows down their geographical location would be nice…

  1. That may be less privacy than the user wants.
  2. That sort of defeats the double hop.

A 172.16.0.0/12 address can’t narrow down their geographical location. These are RFC1918 addresses intended for use on LANs (along with 10.0.0.0/8 and 192.168.0.0/16). I think the issue here is that the 2nd hop is internal to Cloudflare, which is why it shows a LAN IP. But a webserver on the internet should never see a LAN IP in its firewall log; these IPs can’t be routed on the internet.

You mentioned the user might want more privacy, and defeating the double hop, but if you read the links I posted, Apple by default chooses a 2nd hop in the same city as the user (if they select “Maintain General Location”). If they adjust this setting to “Use Country and Time Zone” then it chooses another city in the same country and time zone as the user. It doesn’t let the user choose a location outside their country or time zone. The 1st hop could be anywhere though.
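The two points the thread turns on, the geo-country firewall rule from the first post and the observation that a public-facing server should never log an RFC1918 source address, can be exercised offline with the added example below. It is not code from the thread, from Cloudflare or from Apple: the egress list is a constructed sample in the column layout assumed here for Apple's egress-ip-ranges.csv (prefix, country, region, city, trailing empty field) using documentation prefixes, the `geoip_country` lookup is a toy stand-in for `ip.geoip.country` that only knows that sample list and reports Cloudflare's "XX" (unknown) for everything else, and the `evaluate` helper emulates the expression `(not ip.geoip.country in {...} and not cf.client.bot)` against a constructed set of requests.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed layout of Apple's egress-ip-ranges.csv:
# prefix, country, region, city, trailing empty field. The prefixes are
# RFC 5737 documentation ranges, not Apple's real published egress ranges.
SAMPLE_EGRESS_CSV = """\
203.0.113.0/24,CA,CA-ON,Toronto,
198.51.100.0/24,US,US-CA,San Francisco,
"""

# The three RFC 1918 private blocks named in the thread.
RFC1918 = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# Constructed requests: (client IP, whether Cloudflare flagged it as a known bot).
SAMPLE_REQUESTS = [
    ("172.16.5.10", False),   # Private Relay visitor logged with a LAN address
    ("203.0.113.7", False),   # inside the sample CA egress range
    ("198.51.100.9", False),  # inside the sample US egress range
    ("192.0.2.4", False),     # public address the toy lookup cannot place
    ("192.0.2.200", True),    # crawler flagged as cf.client.bot
]

ORIGINAL_RULE = frozenset({"CA", "US"})        # rule as first written
WORKAROUND_RULE = frozenset({"CA", "US", "XX"})  # rule with the XX workaround


def is_rfc1918(ip):
    """True if ip lies in one of the three RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def load_egress_ranges(csv_text):
    """Parse (network, country) pairs from egress-ip-ranges style CSV text."""
    ranges = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or not row[0].strip():
            continue  # skip blank or malformed rows
        net = ipaddress.ip_network(row[0].strip(), strict=False)
        ranges.append((net, row[1].strip().upper()))
    return ranges


def geoip_country(ip, egress):
    """Toy stand-in for ip.geoip.country: resolve via the egress list,
    otherwise report 'XX' (Cloudflare's code for an unknown country)."""
    addr = ipaddress.ip_address(ip)
    for net, country in egress:
        if addr in net:
            return country
    return "XX"


def rule_blocks(country, is_bot, allowed):
    """Emulates (not ip.geoip.country in {allowed} and not cf.client.bot)."""
    return country not in allowed and not is_bot


def evaluate(requests, egress, allowed):
    """Return {ip: (country, blocked)} for every (ip, is_bot) request."""
    result = {}
    for ip, is_bot in requests:
        # A private source address carries no location, so it resolves to XX,
        # which is what the thread observed for Private Relay visitors.
        country = "XX" if is_rfc1918(ip) else geoip_country(ip, egress)
        result[ip] = (country, rule_blocks(country, is_bot, allowed))
    return result


def private_source_ips(requests):
    """Detection check: private addresses that should never reach an internet-facing log."""
    return [ip for ip, _ in requests if is_rfc1918(ip)]


if __name__ == "__main__":
    egress = load_egress_ranges(SAMPLE_EGRESS_CSV)
    for label, allowed in (("original", ORIGINAL_RULE), ("workaround", WORKAROUND_RULE)):
        print(f"--- {label} rule: allowed countries {sorted(allowed)}")
        for ip, (country, blocked) in evaluate(SAMPLE_REQUESTS, egress, allowed).items():
            print(f"{ip:14} country={country} {'BLOCK' if blocked else 'allow'}")
    print("private source addresses seen:", private_source_ips(SAMPLE_REQUESTS))
```

Running it shows the trade-off discussed above: under the original rule the 172.16.5.10 visitor is blocked, and adding XX lets that visitor through but also admits every other address the lookup cannot place, which is why the thread wanted Cloudflare to surface the published egress address instead. The `private_source_ips` check is the alert a defender would keep even after the fix, since an RFC1918 source on an internet-facing server indicates a misconfiguration somewhere in the path.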

