diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix
index 54c7de9..db31c60 100644
--- a/machines/vault01/networking.nix
+++ b/machines/vault01/networking.nix
@@ -37,16 +37,13 @@ let
 };
 mkUserVlan =
- id:
- let
- # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
- vlan = 4094 - id;
- prefix24nb = (id + 1) / 8;
- prefix27nb = (id + 1 - prefix24nb * 8) * 32;
- netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
- servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
- interfaceName = "vlan-user-${toString vlan}";
- in
+ {
+ vlan,
+ netIP,
+ servIP,
+ interfaceName,
+ ...
+ }:
 {
 name = interfaceName;
 value = {
@@ -87,6 +84,15 @@ let
 };
 };
+ userVlans = builtins.genList (id: rec {
+ vlan = 4094 - id;
+ prefix24nb = (id + 1) / 8;
+ prefix27nb = (id + 1 - prefix24nb * 8) * 32;
+ netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
+ servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
+ interfaceName = "vlan-user-${toString vlan}";
+ }) 850;
+
 vlans = {
 vlan-uplink-cri = {
 Id = 223;
@@ -110,7 +116,16 @@ let
 vlan-admin-ap = {
 Id = 3001;
- address = [ "fd26:baf9:d250:8010::1/60" ];
+ address = [ "fd26:baf9:d250:8001::1/64" ];
+ extraNetwork.ipv6Prefixes = [
+ {
+ ipv6PrefixConfig = {
+ AddressAutoconfiguration = false;
+ OnLink = false;
+ Prefix = "fd26:baf9:d250:8001::/64";
+ };
+ }
+ ];
 };
 vlan-apro = {
@@ -119,7 +134,7 @@ let
 extraNetwork.networkConfig.DHCPServer = "yes";
 };
- } // builtins.listToAttrs (builtins.genList mkUserVlan 850);
+ } // builtins.listToAttrs (map mkUserVlan userVlans);
 in
 {
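Review bot: The comment that explained the address plan (users get 10.0.0.0/17 as one /27 each, 10.0.0.0/27 kept for the router) was dropped in the mkUserVlan hunk above and the new `userVlans` list, which now owns that arithmetic, carries no explanation of it. I'd restore it in English above `userVlans`, e.g. `# Users get 10.0.0.0/17 carved into 850 /27s; 10.0.0.0/27 stays with the router and infrastructure, which is why id 0 maps to prefix27nb = 32 ((id + 1) / 8 rather than id / 8).` The `rec` set also hands `prefix24nb`/`prefix27nb` to `mkUserVlan`, which discards them through `...`; a short note that they are only intermediates would keep a later reader from treating them as part of the per-VLAN contract.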
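Review bot: The new `ipv6Prefixes` entry in vlan-admin-ap announces `fd26:baf9:d250:8001::/64` with both `AddressAutoconfiguration` and `OnLink` set to false, and nothing records why a prefix is advertised that hosts may neither autoconfigure from nor treat as on-link; the address also changes from a /60 to a /64 without a stated reason. A one-line comment on the intent would stop the next reader from "fixing" the flags, e.g. `# Advertised without the A/L flags on purpose: no SLAAC and not on-link — document how vlan-admin-ap hosts obtain their addresses`. If the /60 to /64 move is tied to the prefix announcement, the same comment should say so.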
@@ -187,8 +202,52 @@ in
 };
 systemd-networkd.serviceConfig.LimitNOFILE = 4096;
+
+ net-checker = {
+ path = [
+ pkgs.iputils
+ pkgs.systemd
+ ];
+ script = ''
+ if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
+ ${
+ lib.concatMapStringsSep "\n " ({ interfaceName, ... }: "networkctl up ${interfaceName}") userVlans
+ }
+ else
+ ${
+ lib.concatMapStringsSep "\n " (
+ { interfaceName, ... }: "networkctl down ${interfaceName}"
+ ) userVlans
+ }
+ fi
+ '';
+ };
+ };
+
+ timers.net-checker = {
+ wantedBy = [ "timers.target" ];
+ timerConfig.OnCalendar = "*-*-* *:*:42";
 };
 };
- networking.firewall.allowedUDPPorts = [ 67 ];
+ networking = {
+ nftables = {
+ enable = true;
+ tables.nat = {
+ family = "ip";
+ content = ''
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ ip saddr 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.158
+ }
+ '';
+ };
+ };
+ firewall = {
+ allowedUDPPorts = [ 67 ];
+ checkReversePath = false;
+ };
+ };
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true;
 }
diff --git a/meta/network.nix b/meta/network.nix
index 91da1cb..d4ce6c2 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -98,17 +98,7 @@
 {
 # see also machines/vault01/networking.nix
 address = "129.199.195.129";
- prefixLength = 27;
- }
- ];
- gateways = [ ];
- enableDefaultDNS = true;
- };
- enp130s0f0 = {
- ipv4 = [
- {
- address = "192.168.42.7";
- prefixLength = 24;
+ prefixLength = 32;
 }
 ];
 gateways = [ ];
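Review bot: Enabling `net.ipv4.ip_forward` at the end of the hunk makes vault01 route between every VLAN it carries (the 850 user VLANs, vlan-admin-ap, vlan-apro, the uplink), but the hunk adds only a `nat` table and no forward-chain filter, so unless one exists elsewhere in the configuration any user VLAN can reach the admin VLAN and every other user VLAN through the router. The SNAT rule also has no interface match, so routed traffic from 10.0.0.0/16 toward another internal VLAN would be rewritten to the public pool as well; restricting it to the uplink, `oifname "vlan-uplink-cri" ip saddr 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.158` (check the actual netdev name), plus a `forward` chain with a drop policy that allows only user VLAN to uplink and established/related return traffic, would address both. `checkReversePath = false` is set without a reason; since it removes a source-address check on the user VLANs, a comment next to it stating why (asymmetric routing?) is needed. In `net-checker`, the NixOS `script` wrapper runs under `bash -e`, so the first failing `networkctl up`/`down` aborts the rest of the list; `networkctl up ${interfaceName} || true` (or one `networkctl up` invocation with all names) keeps a single broken interface from leaving the others in their previous state.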
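Review bot: Changing the public address to `129.199.195.129/32` drops the on-link route for 129.199.195.128/27 that the old /27 provided, while machines/vault01/networking.nix now SNATs user traffic to 129.199.195.130-158 from that same block; this only works if the upstream routes the whole /27 to this host so that replies to the pool addresses arrive here, and nothing in the diff says that. The existing `# see also` comment is the place to record it, e.g. `# /32 on purpose: 129.199.195.128/27 is routed to this host upstream (TODO confirm); .130-.158 are the SNAT pool used in machines/vault01/networking.nix`. The removal of `enp130s0f0` (192.168.42.7/24) in the same hunk is also silent; if the interface is gone, a word in the commit message would help.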