diff --git a/machines/nixos/vault01/ulogd/nat-request-daddr.nix b/machines/nixos/vault01/ulogd/nat-request-daddr.nix
index 522f8c1..df28554 100644
--- a/machines/nixos/vault01/ulogd/nat-request-daddr.nix
+++ b/machines/nixos/vault01/ulogd/nat-request-daddr.nix
@@ -10,8 +10,13 @@ writeShellApplication {
 name = "nat-request-daddr";
 runtimeInputs = [ postgresql ];
 text = ''
- TARGET_TIMESTAMP=$2
- TARGET_PREFIX=$1
+ TARGET_TIMESTAMP=$3
+ TARGET_PREFIX=$2
+ SRC_PREFIX=$1
+ if [ -z "$TARGET_TIMESTAMP" ] || [ -z "$TARGET_PREFIX" ] || [ -z "$SRC_PREFIX" ]; then
+ echo "$(basename "$0") SOURCE_IP DISTANT_IP TIMESTAMP"
+ exit 1
+ fi
 psql -d ulogd -U ulogd -c "
 select
 vlan_id,
@@ -21,8 +26,12 @@ writeShellApplication {
 orig_l4_dport as dport,
 flow_start_sec, flow_end_sec
 from ulog2_ct
- join vlan_prefixes on ulog2_ct.orig_ip_saddr_str <<= vlan_prefixes.prefix
+ join kea_log on ulog2_ct.orig_ip_saddr_str <<= kea_log.ip_addr
 where
+ lease_start_sec <= $TARGET_TIMESTAMP
+ and
+ $TARGET_TIMESTAMP <= lease_end_sec
+ and
 -- if we don't have conn start, we considered it started before the target time
 ( flow_start_sec IS NULL or flow_start_sec <= $TARGET_TIMESTAMP )
 and
@@ -30,6 +39,8 @@ writeShellApplication {
 ( flow_end_sec IS NULL or flow_end_sec >= $TARGET_TIMESTAMP )
 and
 orig_ip_daddr_str <<= inet '$TARGET_PREFIX'
+ and
+ reply_ip_daddr_str <<= inet '$SRC_PREFIX'
 ;"
 '';
 }
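Review bot: The usage branch added in the first hunk is probably unreachable when an argument is missing. writeShellApplication enables `set -o nounset` by default, so `TARGET_TIMESTAMP=$3` aborts with an unbound-variable error before the `-z` tests run (assuming `bashOptions` is not overridden elsewhere). Check the argument count ahead of the three assignments with `if [ "$#" -ne 3 ]; then`, and send the usage line to stderr with `>&2`. The `text` script continues past this hunk, and a non-empty check alone does not constrain what the values contain when they reach the query below.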
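Review bot: `$TARGET_TIMESTAMP` is expanded by the shell straight into the SQL text, unquoted, at `lease_start_sec <= $TARGET_TIMESTAMP` and `$TARGET_TIMESTAMP <= lease_end_sec`. The third hunk does the same inside quotes with `inet '$SRC_PREFIX'`, as the existing `'$TARGET_PREFIX'` line already did. The only check on these values is that they are non-empty, so a pasted value containing a quote or extra SQL changes the statement that runs as the `ulogd` role. Passing the values as psql variables and referencing them as `:'name'` lets psql quote them as literals. psql does not interpolate variables in a `-c` string, so the query has to be fed on stdin, as sketched below. The query starts and ends outside this hunk.

```nix
# … unchanged: argument assignment and usage check …
psql -d ulogd -U ulogd \
  -v ts="$TARGET_TIMESTAMP" -v dst="$TARGET_PREFIX" -v src="$SRC_PREFIX" <<'SQL'
-- … unchanged: select list, from ulog2_ct, join kea_log …
where
  lease_start_sec <= :'ts'
  and
  :'ts' <= lease_end_sec
  and
  ( flow_start_sec IS NULL or flow_start_sec <= :'ts' )
  and
  ( flow_end_sec IS NULL or flow_end_sec >= :'ts' )
  and
  orig_ip_daddr_str <<= inet :'dst'
  and
  reply_ip_daddr_str <<= inet :'src'
;
SQL
```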
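Review bot: The new predicate `reply_ip_daddr_str <<= inet '$SRC_PREFIX'` has no comment saying which address the operator is expected to supply, unlike the flow-window predicates above it. The usage string calls the argument `SOURCE_IP`, but it is matched against the reply-direction destination, which presumably is the post-NAT address the remote side saw rather than the client's internal address (confirm against the ulogd schema). A line such as `-- reply daddr: the translated source address as seen by the distant host` above the predicate would prevent a lookup with the wrong address. The usage text could also name the argument accordingly. The query begins outside this hunk.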