diff --git a/machines/vault01/k-radius/site-dhcp.nix b/machines/vault01/k-radius/site-dhcp.nix
new file mode 100644
index 0000000..bab8739
--- /dev/null
+++ b/machines/vault01/k-radius/site-dhcp.nix
@@ -0,0 +1,70 @@
+let
+ listen = vlan: ''
+ listen {
+ type = dhcp
+ ipaddr = 10.0.0.1
+ src_ipaddr = 10.0.0.1
+ port = 67
+ interface = vlan-user-${vlan}
+ broadcast = no #?
+ performance {
+ skip_duplicate_checks = no
+ }
+ # we store servIP so that latter modules can know with wich IP reply
+ update control {
+ &Client-Vlan = ${vlan}
+ }
+ }
+ '';
+ dhcpCommon = ''
+ update reply {
+ &DHCP-Domain-Name-Server = 10.0.0.1
+ &DHCP-Subnet-Mask = 255.255.128.0 # /17 ?????????
+ &DHCP-Router-Address = &control:Server-IP
+ &DHCP-Broadcast-Address = 10.0.127.255 # ???????
+ &DHCP-IP-Address-Lease-Time = 7200
+ &DHCP-DHCP-Server-Identifier = 10.0.0.1
+ }
+ '';
+ dhcpDiscover = ''
+ dhcp DHCP-Discover {
+ ${dhcpCommon}
+ update control {
+ &Pool-Name := "pool-%{&control:Client-Vlan}"
+ }
+ dhcp_sqlippool
+ if (notfound) {
+ do_not_respond #TODO not silent
+ }
+ ok
+ }
+ '';
+ dhcpRequest = ''
+ dhcp DHCP-Request {
+ if (&request:DHCP-DHCP-Server-Identifier && \
+ &request:DHCP-DHCP-Server-Identifier != &control:Server-IP) {
+ do_not_respond
+ }
+ ${dhcpCommon}
+ update control {
+ &Pool-Name := "pool-%{&control:Client-Vlan}"
+ }
+ dhcp_sqlippool_request
+ if (notfound) {
+ do_not_respond #TODO not silent
+ }
+ ok
+ }
+ '';
+in
+''
+ server dhcp {
+
+ ${builtins.concatStringsSep "\n\n" (map listen [ ])}
+
+ ${dhcpDiscover}
+
+ ${dhcpRequest}
+
+ }
+''
diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix
index 661dcb4..f506dfe 100644
--- a/machines/vault01/networking.nix
+++ b/machines/vault01/networking.nix
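Review bot: `&control:Server-IP` is read by `&DHCP-Router-Address = &control:Server-IP` in dhcpCommon and by the server-identifier comparison at the top of `dhcp DHCP-Request`, but nothing in this file ever sets it; the comment in `listen` ("we store servIP so that latter modules can know with wich IP reply") describes that intent, yet the `update control` block below it only sets `&Client-Vlan`. Unless the attribute is set in a module outside this file, the router address offered to clients is empty and the DHCP-Request check compares against a non-existent attribute, so either add `&Server-IP = 10.0.0.1` (the address every listener already binds via `ipaddr`) next to `&Client-Vlan`, or correct the comment. Separately, `map listen [ ]` applies the listener template to an empty list, so the generated `server dhcp` contains no `listen` section at all; the VLAN ids presumably need to come from the same source networking.nix uses to build the `vlan-user-*` interfaces. The `# /17 ?????????`, `# ???????` and `#?` markers on the subnet mask, broadcast address and `broadcast` option should be resolved or rewritten as explicit TODOs so a reader can tell whether those values were verified.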
@@ -38,15 +38,24 @@ let
 mkUserVlan = id:
 let
- vlan = 3245 + id;
- prefix24nb = id / 32;
- prefix29nb = (id - prefix24nb * 32) * 8;
+ # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
+ vlan = 4094 - id;
+ prefix24nb = (id + 1) / 8;
+ prefix27nb = (id + 1 - prefix24nb * 8) * 32;
 in
 {
 name = "vlan-user-${builtins.toString vlan}";
 value = {
 Id = vlan;
- address = [ "10.0.${builtins.toString prefix24nb}.${builtins.toString (prefix29nb + 1)}/29" ];
+ extraNetwork.routes = [
+ {
+ routeConfig = {
+ Destination = "10.0.${builtins.toString prefix24nb}.${builtins.toString prefix27nb}/27";
+ Source = "10.0.0.1/17";
+ };
+ }
+ ];
+ address = [ "10.0.0.1/17" ];
 };
 };
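Review bot: `id` is unbounded in mkUserVlan: the new comment allocates one /27 per user inside 10.0.0.0/17 with 10.0.0.0/27 reserved, which leaves 1023 slots (id 0..1022), but for id >= 1023 `prefix24nb` reaches 128 and the `Destination` route falls outside the /17 carried by `address`, while `vlan = 4094 - id` keeps counting down into other VLAN ids. A guard such as `in assert id >= 0 && id <= 1022;` in front of the attribute set would make evaluation fail instead of silently producing an out-of-range network or a colliding VLAN id. `Source = "10.0.0.1/17"` is a source-prefix match written on a host address; if the intent is to pick the egress address for these routes, the systemd.network option is `PreferredSource=`. Giving every `vlan-user-*` interface the identical `10.0.0.1/17` address presumably also gives each of them its own on-link /17 route, which the per-interface /27 routes only partially disambiguate — worth confirming on the router once deployed; the enclosing `let` starts before this hunk.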