diff --git a/machines/vault01/k-radius/module.nix b/machines/vault01/k-radius/module.nix index 060f142..ac83bc0 100644 --- a/machines/vault01/k-radius/module.nix +++ b/machines/vault01/k-radius/module.nix @@ -7,9 +7,14 @@ let inherit (lib) + attrsToList + getExe' + imap0 + mapAttrsToList mkEnableOption mkIf mkOption + optionalString types ; @@ -44,6 +49,32 @@ in description = "File to the auth token for the service account."; }; + extra-mods = mkOption { + type = types.attrsOf types.path; + default = { }; + description = "Additional files to be linked in mods-enabled."; + }; + + extra-sites = mkOption { + type = types.attrsOf types.path; + default = { }; + description = "Additional files to be linked in sites-enabled."; + }; + + dictionary = mkOption { + type = types.attrsOf ( + types.enum [ + "abinary" + "date" + "ipaddr" + "integer" + "string" + ] + ); + default = { }; + description = "Declare additionnal attributes to be listed in the dictionary."; + }; + radiusClients = mkOption { type = types.attrsOf ( types.submodule { @@ -77,6 +108,12 @@ in }; privateKeyPasswordFile = mkOption { type = types.path; }; + + checkConfiguration = mkOption { + type = types.bool; + description = "Check the configuration before starting the deamon. Useful for debugging."; + default = false; + }; }; config = mkIf cfg.enable { @@ -104,8 +141,11 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; wants = [ "network.target" ]; + startLimitIntervalSec = 20; + startLimitBurst = 5; preStart = '' + rm -rf ${cfg.configDir} mkdir -p ${cfg.configDir} cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* ${cfg.configDir} 
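Review bot: The `dictionary` option description in this hunk misspells `additionnal` and says nothing about how the attribute number is chosen, although the rest of this diff assigns numbers positionally from the attribute-name order. A description such as `Additional attributes to declare in the local dictionary; numbers are assigned automatically from 3000 in attribute-name order, so adding an entry renumbers the ones after it.` would spare the next maintainer a surprise when an existing attribute's number changes.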
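Review bot: `deamon` in the `checkConfiguration` description should read `daemon`, and the text undersells the flag's effect: when it is enabled a failing `radiusd -C` aborts preStart, so a broken configuration stops the unit from starting at all rather than merely printing diagnostics. Suggested wording: `Run radiusd -C on the generated configuration before starting; a failing check aborts the start. Useful for debugging.`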
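Review bot: The new `rm -rf ${cfg.configDir}` at the top of preStart is unquoted and unguarded; if `cfg.configDir` were ever empty, `/`, or contained whitespace, the wipe would reach far beyond the RADIUS config, and nothing in the module asserts the value is sane. At minimum write it as `rm -rf -- ${lib.escapeShellArg cfg.configDir}`, and consider a module assertion such as `{ assertion = lib.hasPrefix "/" cfg.configDir && cfg.configDir != "/"; message = "k-radius: configDir must be an absolute, non-root path"; }`. A comment above the line, e.g. `# configDir is regenerated from the package on every start; local edits are discarded`, would also document the new behaviour. The preStart script continues past the end of this hunk.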
@@ -164,8 +204,31 @@ in sed -i ${cfg.configDir}/mods-available/eap \ -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/" + # Link the dictionary + ln -nsf ${ + pkgs.writeText "radius-dictionary" ( + builtins.concatStringsSep "\n" ( + imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") ( + attrsToList cfg.dictionary + ) + ) + ) + } ${cfg.configDir}/dictionary + + # Link extra-mods + ${builtins.concatStringsSep "\n" ( + mapAttrsToList (name: path: "ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}") cfg.extra-mods + )} + + # Link extra-sites + ${builtins.concatStringsSep "\n" ( + mapAttrsToList ( + name: path: "ln -nsf ${path} ${cfg.configDir}/sites-enabled/${name}" + ) cfg.extra-sites + )} + # Check the configuration - # ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout + ${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"} ''; path = [ @@ -187,6 +250,7 @@ in LogsDirectory = "radius"; StateDirectory = "radius"; RuntimeDirectory = "radius"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; Environment = [ "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml" "PYTHONPATH=${rlm_python.pythonPath}" diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix index 661dcb4..54c7de9 100644 --- a/machines/vault01/networking.nix +++ b/machines/vault01/networking.nix @@ -1,4 +1,5 @@ { + pkgs, lib, meta, name, @@ -18,7 +19,7 @@ let mkNetwork = name: { - address, + address ? [ ], extraNetwork ? { }, ... }: 
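Review bot: The generated `ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}` (and its sites-enabled twin) splices attribute names into shell code unquoted, so a key containing whitespace or a `/` either breaks the command or links outside mods-enabled; `ln -nsf ${lib.escapeShellArg path} ${lib.escapeShellArg "${cfg.configDir}/mods-enabled/${name}"}` closes that for both loops. The dictionary numbering `3000 + i` follows the `attrsToList` name order, so adding one attribute renumbers every later one; a comment such as `# attribute numbers are positional: adding an entry renumbers the ones after it` belongs next to the `imap0`, and it is worth confirming that the 3000+ range does not collide with numbers the bundled FreeRADIUS dictionaries already use. The preStart script starts before this hunk.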
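Review bot: `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` grants a capability the service does not appear to need: RADIUS authentication and accounting listen on 1812/1813 and RadSec on 2083, all above 1024, and nothing in this diff adds a listener on a privileged port. Unless a sub-1024 listener is configured elsewhere, drop the line; if it is genuinely required, name the port in a comment and pair it with `CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";` so the unit's bounding set shrinks to that single capability rather than keeping the full set. The serviceConfig block continues outside the hunk, so whether the unit runs as an unprivileged user is not visible here.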
@@ -38,15 +39,51 @@ let mkUserVlan = id: let - vlan = 3245 + id; - prefix24nb = id / 32; - prefix29nb = (id - prefix24nb * 32) * 8; + # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres) + vlan = 4094 - id; + prefix24nb = (id + 1) / 8; + prefix27nb = (id + 1 - prefix24nb * 8) * 32; + netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}"; + servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}"; + interfaceName = "vlan-user-${toString vlan}"; in { - name = "vlan-user-${builtins.toString vlan}"; + name = interfaceName; value = { Id = vlan; - address = [ "10.0.${builtins.toString prefix24nb}.${builtins.toString (prefix29nb + 1)}/29" ]; + extraNetwork = { + networkConfig = { + LinkLocalAddressing = "no"; + DHCPServer = "yes"; + }; + linkConfig.Promiscuous = true; + addresses = [ + { + addressConfig = { + Address = "${servIP}/27"; + AddPrefixRoute = false; + }; + } + ]; + routes = [ + { + routeConfig = { + Destination = "${netIP}/27"; + Table = "user"; + }; + } + ]; + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + From = "${netIP}/27"; + To = "10.0.0.0/27"; + IncomingInterface = interfaceName; + Table = "user"; + }; + } + ]; + }; }; }; 
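Review bot: `mkUserVlan` has no bound check on `id`: the comment reserves 10.0.0.0/17, but `prefix24nb = (id + 1) / 8` exceeds 127 once `id >= 1023`, so a larger `genList` count would silently allocate /27s outside the /17; guarding the body with `in assert id < 1023; {` makes the limit explicit. The isolation between user VLANs rests on `AddPrefixRoute = false` plus routes that exist only in table `user`, so nothing actively drops forwarding between two user /27s and any later route in the main table (a default route, for instance) would carry that traffic; an explicit forward-deny in the firewall and a comment stating the intent would make the design hold on purpose rather than by omission. The comment above the `let` is in French; an English equivalent such as `# User VLANs get one /27 each out of 10.0.0.0/17; 10.0.0.0/27 is kept for the router and infrastructure` would help other readers.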
@@ -82,27 +119,75 @@ let extraNetwork.networkConfig.DHCPServer = "yes"; }; - } // builtins.listToAttrs (builtins.genList mkUserVlan 300); # 850 when we can + } // builtins.listToAttrs (builtins.genList mkUserVlan 850); in { - systemd.network = { - networks = { - "10-enp67s0f0np0" = { - name = "enp67s0f0np0"; - networkConfig = { - VLAN = builtins.attrNames vlans; - - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; + systemd = { + network = { + config.routeTables."user" = 1000; + networks = { + "10-lo" = { + name = "lo"; + address = [ + "::1/128" + "127.0.0.1/8" + "10.0.0.1/27" + ]; + routes = [ + { + routeConfig = { + Destination = "10.0.0.0/27"; + Table = "user"; + }; + } + ]; + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + IncomingInterface = "lo"; + Table = "user"; + }; + } + ]; }; - }; - } // (mapAttrs' mkNetwork vlans); + "10-enp67s0f0np0" = { + name = "enp67s0f0np0"; + linkConfig.Promiscuous = true; + networkConfig = { + VLAN = builtins.attrNames vlans; - netdevs = mapAttrs' mkNetdev vlans; + LinkLocalAddressing = false; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + IPv6SendRA = false; + }; + }; + } // (mapAttrs' mkNetwork vlans); + + netdevs = mapAttrs' mkNetdev vlans; + }; + + services = { + ethtoolConfig = { + wantedBy = [ "systemd-networkd.service" ]; + after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + script = builtins.concatStringsSep "\n" ( + builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ + "rxvlan" + "txvlan" + "rx-vlan-filter" + "rx-vlan-offload" + "tx-vlan-offload" + "tx-vlan-stag-hw-insert" + ] + ); + }; + + systemd-networkd.serviceConfig.LimitNOFILE = 4096; + }; }; networking.firewall.allowedUDPPorts = [ 67 ];
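Review bot: `ethtoolConfig` is wanted by `systemd-networkd.service` but declares no `before =` on it and no `Type = "oneshot"`, so networkd can begin configuring the 850 VLAN netdevs before the offload flags are switched off (with the default `simple` type, even `before` would only wait for the fork, not for ethtool to finish). Adding `before = [ "systemd-networkd.service" ];` and `serviceConfig = { Type = "oneshot"; RemainAfterExit = true; };` makes the ordering actually hold. A one-line comment explaining why `rx-vlan-filter` and the VLAN offloads must be off for a promiscuous trunk carrying this many VLANs would also help. Whether `networking.firewall` with only UDP 67 opened also restricts forwarding between the user VLANs is not visible in this file and should be confirmed.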