diff --git a/pkg/rtc/clientinfo.go b/pkg/rtc/clientinfo.go
index 35492927e..1c3b367ff 100644
--- a/pkg/rtc/clientinfo.go
+++ b/pkg/rtc/clientinfo.go
@@ -11,8 +11,20 @@ type ClientInfo struct {
 	*livekit.ClientInfo
 }
 
+func (c ClientInfo) isFirefox() bool {
+	return c.ClientInfo != nil && strings.EqualFold(c.ClientInfo.Browser, "firefox")
+}
+
+func (c ClientInfo) isSafari() bool {
+	return c.ClientInfo != nil && strings.EqualFold(c.ClientInfo.Browser, "safari")
+}
+
 func (c ClientInfo) SupportsAudioRED() bool {
-	return c.ClientInfo != nil && c.ClientInfo.Browser != "firefox" && c.ClientInfo.Browser != "safari"
+	return !c.isFirefox() && !c.isSafari()
+}
+
+func (c ClientInfo) SupportPrflxOverRelay() bool {
+	return !c.isFirefox()
 }
 
 // CompareVersion compares two semver versions
diff --git a/pkg/rtc/config.go b/pkg/rtc/config.go
index 48a6be22b..93ab523b9 100644
--- a/pkg/rtc/config.go
+++ b/pkg/rtc/config.go
@@ -32,6 +32,7 @@ type WebRTCConfig struct {
 	TCPMuxListener *net.TCPListener
 	Publisher      DirectionConfig
 	Subscriber     DirectionConfig
+	ExternalIP     string
 }
 
 type ReceiverConfig struct {
@@ -83,6 +84,7 @@ func NewWebRTCConfig(conf *config.Config, externalIP string) (*WebRTCConfig, err
 		s.SetIPFilter(filter)
 	}
 
+	var confExternalIP string
 	// force it to the node IPs that the user has set
 	if externalIP != "" && (conf.RTC.UseExternalIP || (conf.RTC.NodeIP != "" && !conf.RTC.NodeIPAutoGenerated)) {
 		if conf.RTC.UseExternalIP {
@@ -92,6 +94,7 @@ func NewWebRTCConfig(conf *config.Config, externalIP string) (*WebRTCConfig, err
 			}
 			logger.Debugw("using external IPs", "ips", ips)
 			s.SetNAT1To1IPs(ips, webrtc.ICECandidateTypeHost)
+			confExternalIP = externalIP
 		} else {
 			s.SetNAT1To1IPs([]string{externalIP}, webrtc.ICECandidateTypeHost)
 		}
@@ -237,6 +240,7 @@ func NewWebRTCConfig(conf *config.Config, externalIP string) (*WebRTCConfig, err
 		TCPMuxListener: tcpListener,
 		Publisher:      publisherConfig,
 		Subscriber:     subscriberConfig,
+		ExternalIP:     confExternalIP,
 	}, nil
 }
 
diff --git a/pkg/rtc/transport.go b/pkg/rtc/transport.go
index bdcf853ff..cc2539e5d 100644
--- a/pkg/rtc/transport.go
+++ b/pkg/rtc/transport.go
@@ -231,6 +231,7 @@ func newPeerConnection(params TransportParams, onBandwidthEstimator func(estimat
 
 	se := params.Config.SettingEngine
 	se.DisableMediaEngineCopy(true)
+
 	//
 	// Disable SRTP replay protection (https://datatracker.ietf.org/doc/html/rfc3711#page-15).
 	// Needed due to lack of RTX stream support in Pion.
@@ -256,6 +257,11 @@ func newPeerConnection(params TransportParams, onBandwidthEstimator func(estimat
 	se.SetDTLSRetransmissionInterval(dtlsRetransmissionInterval)
 	se.SetICETimeouts(iceDisconnectedTimeout, iceFailedTimeout, iceKeepaliveInterval)
 
+	// if client don't support prflx over relay, we should not expose private address to it, use single external ip as host candidate
+	if !params.ClientInfo.SupportPrflxOverRelay() && params.Config.ExternalIP != "" {
+		se.SetNAT1To1IPs([]string{params.Config.ExternalIP}, webrtc.ICECandidateTypeHost)
+	}
+
 	lf := serverlogger.NewLoggerFactory(params.Logger)
 	if lf != nil {
 		se.LoggerFactory = lf