My home network routes everything through a WireGuard tunnel to a remote endpoint by way of pfSense. Most of the time this is a feature — clean exit IP, consistent geolocation, no surprises. The trouble is that "everything" includes traffic that really shouldn't go through a tunnel, and game servers are the worst offender. Steam matchmaking gets unhappy when your apparent location keeps shifting around, and a few titles flat-out refuse to connect when they see a datacenter IP on the client side.

The fix is a policy route — match game traffic by destination, push it out the WAN instead of the tunnel. The hard part has always been what to match against. Game publishers don't publish a tidy list of their server IPs, and the lists you find on forums go stale within a few months. I've been maintaining lists like that by hand for years and it's the kind of low-grade chore that just never quite gets automated.

Until I remembered I built the automation already.


The Realisation

asn.ipinfo.app — the ASN lookup tool I've been running for over a decade — exposes a plain-text endpoint that returns every CIDR a given autonomous system announces, one per line. It was built for firewall rules and blocklist generation, but a "list of every CIDR an ASN announces" is exactly what a pfSense alias wants.

Steam runs on AS32590 (Valve Corporation), which serves the matchmaking, content, and game traffic directly. So the entire problem reduces to:

https://asn.ipinfo.app/api/text/list/AS32590

One URL. That's the list.

The same trick won't work for every publisher — some game traffic actually lives on third-party CDNs or hosting providers rather than the publisher's own ASN, and you'll need to look at packet captures to find what they're really using. But when an ASN does cleanly correspond to the service, this is as low-effort as it gets.


pfSense URL Table Aliases

pfSense has an alias type built specifically for this kind of remote source: URL Table (IPs). You give it a URL, an update frequency, and pfSense will fetch the list, parse every CIDR, and treat it as a normal alias for use in firewall and NAT rules. No cron jobs, no scripts, no manual sync.

Setting one up:

  1. Firewall → Aliases → URLs → Add
  2. Type: URL Table (IPs)
  3. Name: Steam_Servers
  4. URL: https://asn.ipinfo.app/api/text/list/AS32590
  5. Update Frequency: 1 (day) — note: the dropdown to the right of the URL is labeled Subnet mask in the pfSense UI, but for URL Table aliases that field is repurposed as the refresh interval in days. Same widget, different meaning.
  6. Save and Apply Changes

Once the alias exists it's available in any rule's source/destination field. My setup uses it on a policy route under Firewall → Rules → LAN that matches destination = Steam_Servers and forces the gateway to WAN instead of the WireGuard tunnel. Steam traffic exits directly; everything else stays inside the tunnel.


Mixed v4 and v6, Handled

One thing worth calling out — the ASN lists include both IPv4 and IPv6 prefixes. pfSense's URL Table alias handles that natively. It sorts the entries into the right rule contexts automatically based on address family, so you don't need separate aliases or any pre-filtering on the URL side. One alias, both stacks, no extra work.


What Changes vs the Old Hand-Curated List

There was never a realistic way to maintain a usable static list for Steam by hand — Valve runs CDN edges and matchmaking infrastructure across a wide IP footprint, and the prefixes shift more often than a forum-sourced CIDR list can keep up with. Anything I'd built that way would have been out of date inside a month.

The ASN-backed alias replaces that wholesale. AS32590 captures Valve's announced ranges directly, and the daily refresh keeps the policy route current without any intervention from me.


Why This Felt Good to Build

This is one of those moments where a tool I built for one purpose turned out to solve a completely different problem in my own house. I wrote asn.ipinfo.app for network operators doing abuse work and firewall rule generation. I didn't think about pfSense once. But the same data shape — "give me every CIDR for ASN X, in plain text, one per line" — is exactly what a homelab needs to keep a policy route current without babysitting it.

The endpoint has been there the whole time. It just took getting frustrated enough at a Steam connection error to remember I was sitting on the answer.

If you're running pfSense (or OPNsense, or anything with a URL-fetched IP set — ipset, nftables sets, MikroTik address lists) and you've been maintaining game-server CIDR lists by hand, swap them out. The endpoint is free, the format is stable, and the maintenance burden goes to zero.

https://asn.ipinfo.app/api/text/list/AS<number>

That's the whole interface. Pick your ASN, paste the URL, walk away.
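For the nftables case mentioned above, here is an added example (not part of the original post or of asn.ipinfo.app) that validates a fetched list before it reaches the firewall, since one over-broad line such as 0.0.0.0/0 in a tunnel-bypass set would send everything out the WAN. The table and set names, the minimum prefix lengths, and the sample data are assumptions; the sets are assumed to already exist with `flags interval`.

```python
import ipaddress

# Constructed sample in the endpoint's format (one CIDR per line): documentation
# prefixes plus deliberately bad lines, not Valve's real announcements.
SAMPLE = """\
192.0.2.0/24
198.51.100.0/25
2001:db8:1234::/48

0.0.0.0/0
::/0
not-a-cidr
192.0.2.0/24
"""

MIN_PREFIX = {4: 8, 6: 19}  # assumed policy: refuse anything broader than this


def parse_cidr_list(text):
    """Split a one-CIDR-per-line body into validated v4/v6 lists plus rejects."""
    accepted, rejected, seen = {4: [], 6: []}, [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((line, "too broad"))
        elif net not in seen:  # drop exact duplicates
            seen.add(net)
            accepted[net.version].append(net)
    return accepted[4], accepted[6], rejected


def render_nft(v4, v6, table="inet filter", set4="steam_v4", set6="steam_v6"):
    """Emit nft commands that replace both sets (table/set names are hypothetical)."""
    if not v4 and not v6:
        raise ValueError("empty list: keep the previous sets instead of flushing")
    lines = []
    for name, nets in ((set4, v4), (set6, v6)):
        lines.append(f"flush set {table} {name}")
        if nets:
            elems = ", ".join(str(n) for n in ipaddress.collapse_addresses(nets))
            lines.append(f"add element {table} {name} {{ {elems} }}")
    return "\n".join(lines)
```

Write the returned text to a file and load it with `nft -f`, which applies the file as a single transaction, so a failed or empty fetch never leaves the sets half-populated.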