diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix
index 8a3b6ea..b20afc7 100644
--- a/machines/vault01/networking.nix
+++ b/machines/vault01/networking.nix
@@ -1,10 +1,19 @@
 let
 vlanName = "vlan-uplink-cri";
+
+ linkIp = "10.120.33.250";
+ linkPrefix = "30";
+
+ upstreamRouterIp = "10.120.33.249";
+
+ publicIp = "129.199.195.129"; # sync with meta
+
+ linkPrefixedIp = "${linkIp}/${linkPrefix}";
 in
 {
 systemd.network = {
 networks = {
- "10-sfp-right" = {
+ "10-enp67s0f0np0" = {
 name = "enp67s0f0np0";
 networkConfig = {
 VLAN = [ vlanName ];
@@ -16,16 +25,21 @@ in
 IPv6SendRA = false;
 };
 };
- "20-vlan-uplink-cri" = {
+ "10-${vlanName}" = {
 name = vlanName;
- address = [ "10.120.33.250/30" ];
- networkConfig = {
- Gateway = "10.120.33.249";
- };
+ address = [ linkPrefixedIp ];
+ routes = [
+ {
+ routeConfig = {
+ PreferredSource = publicIp;
+ Gateway = upstreamRouterIp;
+ };
+ }
+ ];
 };
 };
 netdevs = {
- "20-vlan-uplink-cri" = {
+ "10-vlan-uplink-cri" = {
 netdevConfig = {
 Name = vlanName;
 Kind = "vlan";
diff --git a/meta/network.nix b/meta/network.nix
index 460cda7..70e0222 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -89,6 +89,17 @@
 vault01 = {
 interfaces = {
+ vlan-uplink-cri = {
+ ipv4 = [
+ {
+ # see also machines/vault01/networking.nix
+ address = "129.199.195.129";
+ prefixLength = 27;
+ }
+ ];
+ gateways = [ ];
+ enableDefaultDNS = true;
+ };
 enp130s0f0 = {
 ipv4 = [
 {
@@ -96,8 +107,7 @@
 prefixLength = 24;
 }
 ];
-
- gateways = [ "192.168.42.1" ];
+ gateways = [ ];
 enableDefaultDNS = true;
 };
 };
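Review bot: `publicIp` in the new `let` block repeats the address that the meta/network.nix hunk adds for `vlan-uplink-cri`, and the only thing tying the two together is the `# sync with meta` comment. If one is edited without the other, the route's preferred source and the address the host is configured with would silently diverge. If this module can read the meta attribute set (not visible in this diff), deriving `publicIp` from it removes the manual step. Otherwise the comment should name the exact attribute, for example `# must equal vault01.interfaces.vlan-uplink-cri.ipv4 address in meta/network.nix`.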
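Review bot: The route added to `"10-${vlanName}"` sets `PreferredSource = publicIp`, but the `address` list of that network holds only `linkPrefixedIp`. The kernel normally accepts a preferred source only when the address is already configured locally, so this relies on 129.199.195.129 being assigned by something outside this file, presumably generated from meta/network.nix, which should be confirmed together with the ordering at boot. The route has no `Destination`, so it acts as the default route, and a comment such as `# default route; outgoing traffic is sourced from the public address, not the /30 link address` would state that intent. Because this change gives vault01 a directly routed public address, the firewall rules that apply to `vlan-uplink-cri` should be reviewed with it; none appear in this diff.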
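Review bot: `prefixLength = 27` in the new `vlan-uplink-cri` entry would make all of 129.199.195.128/27 on-link on a VLAN whose actual link network is the /30 defined in machines/vault01/networking.nix. If the other hosts of that /27 are not on this VLAN, traffic to them would be resolved on the link instead of going through 10.120.33.249. Using `prefixLength = 32` avoids that, unless the meta module uses the prefix for another purpose, which is not visible here. Whichever is intended, a short comment next to `prefixLength` explaining the choice would help the next reader.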