diff --git a/machines/nixos/vault01/ulogd.nix b/machines/nixos/vault01/ulogd/default.nix
similarity index 81%
rename from machines/nixos/vault01/ulogd.nix
rename to machines/nixos/vault01/ulogd/default.nix
index 357da5b..026f0db 100644
--- a/machines/nixos/vault01/ulogd.nix
+++ b/machines/nixos/vault01/ulogd/default.nix
@@ -57,4 +57,13 @@
       fi
     '';
   };
+  environment.defaultPackages = [
+    (pkgs.callPackage ./fill-vlan_prefixes.nix {
+      inherit (config.networking) vlans-info;
+      postgresql = config.services.postgresql.package;
+    })
+    (pkgs.callPackage ./nat-request-daddr.nix {
+      postgresql = config.services.postgresql.package;
+    })
+  ];
 }
diff --git a/machines/nixos/vault01/ulogd/fill-vlan_prefixes.nix b/machines/nixos/vault01/ulogd/fill-vlan_prefixes.nix
new file mode 100644
index 0000000..5286c08
--- /dev/null
+++ b/machines/nixos/vault01/ulogd/fill-vlan_prefixes.nix
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  lib,
+  writeShellApplication,
+  writeText,
+  vlans-info,
+  postgresql,
+}:
+let
+  inherit (lib) concatMapStringsSep;
+  sql-script = writeText "vlan-filling.sql" ''
+    DROP TABLE IF EXISTS vlan_prefixes;
+    CREATE TABLE vlan_prefixes (
+      vlan_id smallint PRIMARY KEY UNIQUE NOT NULL,
+      prefix inet NOT NULL
+    );
+    INSERT INTO vlan_prefixes VALUES
+      ${concatMapStringsSep ",\n " (
+        {
+          vlan,
+          netIP,
+          prefixLen,
+          ...
+        }:
+        "(${toString vlan}, inet '${netIP}/${toString prefixLen}')"
+      ) vlans-info}
+    ;
+  '';
+in
+writeShellApplication {
+  name = "fill-vlan_prefixes";
+  runtimeInputs = [ postgresql ];
+  text = ''
+    psql -d ulogd -U ulogd -f ${sql-script}
+  '';
+}
diff --git a/machines/nixos/vault01/ulogd/nat-request-daddr.nix b/machines/nixos/vault01/ulogd/nat-request-daddr.nix
new file mode 100644
index 0000000..522f8c1
--- /dev/null
+++ b/machines/nixos/vault01/ulogd/nat-request-daddr.nix
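Review bot: `environment.defaultPackages` is the NixOS option whose default list (nano, perl, rsync, strace) exists so that it can be trimmed; a definition here replaces that default rather than extending the system's package set, so unless dropping those tools is intended the host silently loses them. The natural home for the two helpers is `environment.systemPackages = [`, with the rest of the list unchanged. The enclosing module attribute set starts before line 57, outside this hunk.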
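Review bot: The script in `vlan-filling.sql` runs `DROP TABLE`, `CREATE TABLE` and the `INSERT` as three separate statements under psql's default error handling, so a failing INSERT (for instance one of the generated `inet` literals not parsing) leaves `vlan_prefixes` empty while `fill-vlan_prefixes` still exits 0. Run it atomically and fail loudly: `psql -d ulogd -U ulogd -v ON_ERROR_STOP=1 --single-transaction -f ${sql-script}`. If `vlans-info` can ever be empty, the generated statement is `INSERT INTO vlan_prefixes VALUES ;`, a syntax error that the same flag would then surface instead of hiding. Minor: `PRIMARY KEY UNIQUE` is redundant, since `PRIMARY KEY` already implies uniqueness.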
@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  writeShellApplication,
+  postgresql,
+}:
+writeShellApplication {
+  name = "nat-request-daddr";
+  runtimeInputs = [ postgresql ];
+  text = ''
+    TARGET_TIMESTAMP=$2
+    TARGET_PREFIX=$1
+    psql -d ulogd -U ulogd -c "
+      select
+        vlan_id,
+        reply_ip_daddr_str as used_ip,
+        reply_l4_dport as used_port,
+        orig_ip_daddr_str as daddr,
+        orig_l4_dport as dport,
+        flow_start_sec, flow_end_sec
+      from ulog2_ct
+      join vlan_prefixes on ulog2_ct.orig_ip_saddr_str <<= vlan_prefixes.prefix
+      where
+        -- if we don't have conn start, we considered it started before the target time
+        ( flow_start_sec IS NULL or flow_start_sec <= $TARGET_TIMESTAMP )
+        and
+        -- similar for conn end
+        ( flow_end_sec IS NULL or flow_end_sec >= $TARGET_TIMESTAMP )
+        and
+        orig_ip_daddr_str <<= inet '$TARGET_PREFIX'
+      ;"
+  '';
+}
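Review bot: `TARGET_PREFIX` and `TARGET_TIMESTAMP` come straight from `$1`/`$2` and are spliced into the query text by the shell's double-quote expansion, so an argument containing a quote or a semicolon is executed as SQL by the `ulogd` role rather than treated as a value, and an operator typo is enough to run an unintended statement. Pass them as psql variables instead; because `-c` hands its string to the server as-is and does not interpolate `:var`, feed the query on stdin and reference the values as `:'target_prefix'::inet` and `:'target_ts'::bigint` (the bigint cast assumes the `flow_*_sec` columns hold integer seconds, which matches how the script compares them today but is worth confirming against the ulogd schema). A shell-side check such as `[[ $TARGET_TIMESTAMP =~ ^[0-9]+$ ]]` would be a reasonable extra guard. Minor: the two assignments read `$2` before `$1`, which reads oddly for a two-argument tool.
```nix
  text = ''
    TARGET_PREFIX=$1
    TARGET_TIMESTAMP=$2
    psql -d ulogd -U ulogd -v ON_ERROR_STOP=1 \
      -v target_prefix="$TARGET_PREFIX" -v target_ts="$TARGET_TIMESTAMP" <<'SQL'
      select
        -- … unchanged: selected columns, from and join clauses …
      where
        -- … unchanged: comments on the NULL start/end handling …
        ( flow_start_sec IS NULL or flow_start_sec <= :'target_ts'::bigint )
        and
        ( flow_end_sec IS NULL or flow_end_sec >= :'target_ts'::bigint )
        and
        orig_ip_daddr_str <<= :'target_prefix'::inet
      ;
    SQL
  '';
```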