iCloud+ Private Relay and pfSense Split DNS
This is not a question but sharing my knowledge. It is all for you - readers - because I already found the solution after just spending two entire days troubleshooting a Synology Drive Client connection issue on one particular MacBook Pro. And I don't want that to happen to you.
First, I don't think iCloud+ Private Relay is a bad product, quite the opposite. But please be aware of this specific use case.
Synology Drive is a Dropbox/OneDrive-style file hosting service, but hosted on a local Synology NAS. My data, my NAS, no one sniffing my files and plenty of storage.
On this particular MacBook Pro, the Synology Drive Client halted sync for no apparent reason. We have seven other MacBooks that did not have this issue. It turned out that this particular MacBook Pro had iCloud+ Private Relay turned on and that this service didn't play well with our firewall Split DNS configuration.
Split DNS on pfSense firewalls is an elegant alternative to NAT reflection (also called NAT loopback) *) for when you host your own server under a public domain name on your local network. It is a host override in the firewall's DNS resolver (Services > DNS Resolver > Host Overrides on pfSense), so it only affects clients that actually send their DNS queries to the firewall: for those clients the domain name resolves straight to the local IP address of the NAS, and they connect to it directly on the LAN. Names without an override are resolved normally, i.e. to their public (WAN) addresses, hence the name "Split DNS".
You can test Split DNS from a local client by opening a terminal session and running ping <domain name>; the first line of output should show the local IP of the NAS. dig <domain name> shows the same answer together with the resolver that provided it, which is useful when the answer is not what you expect.
However, with Private Relay enabled on the MacBook, the Mac no longer sends its DNS queries to the pfSense resolver but through Apple's relay, so the host override is never applied and the name resolves to the public (WAN) address of the firewall. The client's traffic then goes out through the firewall and straight back in, which confuses the Synology Drive Client app and interrupts the sync process. Nothing is blocked by the firewall; the override is simply bypassed on that one client.
Deactivating Private Relay instantly restores the local IP in the ping output, and Drive sync continues.
So: be careful using Private Relay if your network relies on Split DNS host overrides (or NAT reflection) for local access to your own servers; a client that no longer uses your resolver will not see the overrides.
*) local servers (local on your LAN, that is) that are accessed both locally and from outside your firewall. The server has a domain name and a certificate so the MacBooks can access the data by using the domain name (e.g. synologydrive.jasonpeterson.com). This is quite straightforward from outside your network, but when a client (MacBook) on the local network itself tries to reach the local NAS by that domain name, the name resolves to the firewall's public address, so the data gets sent out through the firewall and straight back in (a hairpin), causing delay and other issues. That is where NAT reflection or NAT loopback comes in, and Split DNS avoids the hairpin altogether.