A SecuryTik product

ISP management for MikroTik, done right.

SecuryTik Active Mikrotik Manager

SAMM (SecuryTik Active Mikrotik Manager) is a full-stack platform for PPPoE & Hotspot networks — FreeRADIUS + PostgreSQL backbone, polished admin and customer portals, double-entry accounting, and a Telegram self-service bot.

Runs everywhere — bare Linux, Docker, MikroTik containers, or the cloud.

Free up to 3 routers · unlimited on Pro · cloud or on-prem

Architecture

Database-native accounting. No round-trips on the AAA path.

Byte accumulation, limit evaluation, and CoA enqueue happen inside PostgreSQL functions called by unlang + rlm_sql on every Interim-Update. No Python round-trip on the AAA hot path.

  • 2 notification channels
  • 11 themes shipped
  • 2 access modes — PPPoE & Hotspot
  • 70k RADIUS users load-tested on one server

What you get

Six capability areas. One installer.

Every layer below ships in the same install script — no DIY integrations, no bolt-on plugins.

AAA core

FreeRADIUS 3 + PostgreSQL with PAP/CHAP, dynamic NAS clients (no restart), and hybrid CoA — CoA-Update with automatic fallback to Disconnect-Request.

Plans & limits

Speed (Mbps) + Framed-Pool. Four independent limits — expiration, quota, daily, uptime — each configurable to throttle, switch plan, or disconnect on exhaust.

Accounting

Built-in double-entry engine, invoices, expenses, resellers, assets, depreciation. Automatic overdue-invoice detection. Bill the way an ISP actually bills.

Admin portal

Customers, plans, live MikroTik inventory, firewall backups, WiFi/cAPsMAN, Hotspot voucher cards, role-based per-page permissions, ticket queue.

Customer self-service

Customer portal for usage / plan / invoices / tickets. Telegram bot — customers verify once, then everything from chat: plan, quota, change password, download invoice PDFs.

Multilingual & themeable

English, Arabic (RTL), Turkish, French, Spanish, German out of the box. Live in-portal translation editor — no restart needed. 11 visual themes per user.

Admin portal

Your whole network visible from one screen.

Every layer of your ISP operation — live sessions, CoA routing, router health, staff access, and the full audit trail — in a single panel. No SSH, no Winbox, no spreadsheets.

Live sessions

247 subscribers online. See them all.

A live RADIUS session table — user, plan, effective speed, bytes down/up, and time online — auto-refreshed every 30 s. Filter by router, search by username or IP, or filter to throttled-only to spot quota exhaustion fast.

  • User, framed IP, router, plan, effective speed, down/up bytes
  • Throttled badge — spot exhausted plans at a glance
  • CoA-Disconnect per row — kick a session without touching the router
  • Auto-refresh every 30 s — no manual reload

Online: 247 (live) · Active: 1,842 of 2,100 total · Throttled: 14 (quota exhausted)

Live sessions

| User | Plan | Speed | Online |
|---|---|---|---|
| ppp-hassan | Pro 50M | 50 Mbps | 3h 14m |
| hotspot-201 | HS 5M | 5 Mbps | 18m |
| ppp-khalil | Pro 10M | 2 Mbps (throttled) | 7h 52m |

247 active sessions · auto-refresh 30 s

CoA outbox

Plan changes reach the router. No reconnect.

When a subscriber's limit changes — quota exhausted, plan upgraded, manual disconnect — SAMM enqueues a CoA-Update or Disconnect-Request and delivers it to the router live. Subscribers experience the change instantly, mid-session.

  • CoA-Update — speed or plan attribute change without disconnect
  • Automatic fallback to Disconnect-Request if CoA-Update is NACK'd
  • Retry up to 3× with configurable CoA port per NAS
  • Full outbox visible — pending, sent, NACK, done, failed
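
A sketch of the outbox lifecycle listed above (pending, sent, NACK, done, failed) with the NACK fallback, added here as an example; it is not SAMM's code. The `send` callable, applying the three attempts per packet type, and ending in "failed" on timeouts instead of falling back are assumptions.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # page: "Retry up to 3×"; applying it per packet type is an assumption

@dataclass
class OutboxEntry:
    user: str
    action: str                      # "update" or "disconnect", as in the outbox table
    reason: str
    status: str = "pending"
    history: list = field(default_factory=list)

    def mark(self, status):
        self.status = status
        self.history.append(status)

def attempt(entry, send, packet):
    """Send one packet type up to MAX_ATTEMPTS times; return 'ACK', 'NAK' or None."""
    for _ in range(MAX_ATTEMPTS):
        entry.mark("sent")
        reply = send(packet, entry.user)   # hypothetical transport; None means timeout
        if reply in ("ACK", "NAK"):
            return reply                   # a definite answer from the NAS ends the retries
    return None

def deliver(entry, send):
    """Drive one outbox row to a terminal state: 'done' or 'failed'."""
    if entry.action == "update":
        reply = attempt(entry, send, "CoA-Update")
        if reply != "NAK":                 # ACK -> done; no answer at all -> failed
            entry.mark("done" if reply == "ACK" else "failed")
            return entry
        entry.mark("nack")                 # NAS refused the change: fall back to a disconnect
    reply = attempt(entry, send, "Disconnect-Request")
    entry.mark("done" if reply == "ACK" else "failed")
    return entry

def scripted(replies):
    """Constructed stand-in for the router: replays a fixed list of replies."""
    it = iter(replies)
    return lambda packet, user: next(it)

# Constructed scenario: the NAS rejects the throttle, then accepts the disconnect.
row = deliver(OutboxEntry("ppp-khalil", "update", "quota exhaust"), scripted(["NAK", "ACK"]))
```

Every row ends in a terminal state, so a limit that never reached the router shows up as "failed" in the outbox instead of silently remaining unenforced.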

Pending: 3 · Sent: 1 · Done: 418 · Failed: 0

CoA outbox

| User | Action | Status | Reason |
|---|---|---|---|
| ppp-khalil | update | pending | quota exhaust |
| ppp-samir | update | done | plan upgrade |
| hotspot-088 | disconnect | done | expiry |

MikroTik monitor

Every router. Health-checked every 30 s.

SAMM polls each registered MikroTik via the RouterOS API and surfaces version, CPU, memory, uptime, ping latency, and active user count per device — so your NOC sees a router going down before the support calls start.

  • RouterOS version, board identity, uptime, active users
  • CPU % and memory % — catch overloaded core routers early
  • Ping latency — reachable / unreachable indicator
  • Firewall backup + scheduled revert, WiFi & cAPsMAN management

Router inventory

  • Core-Router-01 (192.168.1.1): CPU 12% · Mem 38% · Ping 2 ms · RouterOS 7.14.3 · hAP ax³ · up 14 d · 247 users
  • Branch-02 (10.0.0.254): CPU 74% · Mem 51% · Ping 8 ms · RouterOS 7.12.1 · CCR2004 · up 6 d · 89 users
  • Fiber-Node-03: unreachable · API offline · last seen 4 min ago · 10.10.1.1

Roles & permissions

Staff access, scoped to the page.

Create admin roles with per-page View / Edit / None permissions. A billing clerk sees invoices but never touches router config. A NOC operator sees sessions but never exports financial reports.

  • View / Edit / None per section — granular per page
  • Scope option: see all customers or only own-created
  • Unlimited admin accounts — one per staff member
  • Last login tracked per admin — spot dormant accounts

Role permission matrix

| Page | Superadmin | NOC | Billing |
|---|---|---|---|
| Dashboard | edit | view | view |
| Customers | edit | edit | none |
| Financials | edit | none | edit |
| MikroTik routers | edit | view | none |
| Settings | edit | none | none |
| Audit log | edit | view | none |

Audit log

Every admin action. Timestamped.

Every change made by any admin — plan edit, password reset, manual disconnect, setting change — is recorded with actor, target, full JSON payload, and applied timestamp. Searchable, filterable, exportable.

  • Actor, action, target, created, applied — all recorded
  • Full JSON payload modal — see exactly what changed
  • Filter by actor, action type, or applied state
  • Retention managed by built-in history cleaner

Recent audit entries

| Actor | Action | Target | When |
|---|---|---|---|
| admin | plan_change | ppp-khalil | 2 min ago |
| noc-ali | disconnect | hotspot-201 | 14 min ago |
| admin | password_reset | ppp-hassan | 1 h ago |
| billing-reem | invoice_paid | INV-2025-041 | 2 h ago |
| admin | settings_update | system | 3 h ago |

Telegram bot · Customer portal

Customers self-serve from chat. You get fewer support calls.

A full web portal for usage, invoices, and tickets — and a Telegram bot that goes further. Customers verify once, then run everything from a chat message, in their own language.

  • Live plan, quota, and expiry — always current
  • Download invoice PDFs without logging in to the portal
  • Change password and open support tickets from chat
  • Responds in English, Arabic, Turkish, French, Spanish, German

SAMM Bot (online)

Bot: Welcome, Ahmad. Send /plan to check your account.
Customer: /plan
Bot: Pro 50 Mbps · Quota 42 GB / 100 GB · 12 days left
Customer: /invoice
Bot: INV-2025-0041 · $12.00 · ↓ invoice-may-2025.pdf

Accounting

Full ISP books. No separate tool needed.

Double-entry accounting built into SAMM — not bolted on. Invoices, expenses, resellers, assets, and cash accounts all live in the same database as your subscribers.

  • Cash & bank accounts, capital accounts, P&L
  • Invoices with auto-overdue detection and server-side PDF export
  • Resellers — buy card groups on invoice, track what they owe
  • Fixed assets with straight-line depreciation schedules
  • Expense categories: Bandwidth, Salaries, Rent, Equipment…

  • Cash on hand: $4,820 (balance)
  • Profit this month: $1,240 (net income)
  • Owed to you: $680 (receivable)
  • You owe: $340 (payable)

Recent invoices

| Invoice | Customer | Amount | Status |
|---|---|---|---|
| INV-2025-041 | Ahmad Hassan | $12.00 | paid |
| INV-2025-040 | Khalil Nader | $8.00 | overdue |
| INV-2025-039 | Hotspot Reseller | $45.00 | paid |

Interface Monitor

Live per-interface traffic. No Winbox needed.

SAMM polls every MikroTik interface via the RouterOS API and shows TX/RX rates, link state, and error counters refreshed every 30 seconds — across every router on your network.

  • TX/RX Mbps auto-refreshed every 30 s per interface
  • Link state: up / down / disabled with live indicator
  • Error and drop counters per physical port
  • Filter by router, interface type, or running state
  • History graphed per interface — spot saturation trends

Core-Router-01 interfaces (live)

| Interface | State | TX | RX |
|---|---|---|---|
| ether1 (WAN · 1 Gbps) | up | 450 Mbps | 128 Mbps |
| bridge (LAN bridge) | up | 312 Mbps | 389 Mbps |
| pppoe-out1 (PPPoE uplink) | up | 147 Mbps | 92 Mbps |
| ether5 (Fiber-Node-03) | down | | |

Total TX: 909 Mbps · Total RX: 609 Mbps · Interfaces: 3 / 4 up

Web & App Monitoring

See exactly what your network is carrying.

Layer-7 traffic classification breaks your bandwidth down by app — streaming, social media, messaging, gaming — so you know where your upstream goes before you buy more.

  • Top social & streaming platforms ranked by bandwidth
  • Active session counts and peak-hour heatmap per service
  • Daily and monthly totals — today, 7 d, 30 d views
  • Drill down to per-subscriber app usage
  • Export as PDF or CSV for capacity planning

App bandwidth today · 128 GB total

  • YouTube: 48.6 GB (38%)
  • TikTok: 28.2 GB (22%)
  • Facebook: 21.8 GB (17%)
  • Instagram: 15.4 GB (12%)
  • Other: 14.0 GB (11%)

Top users by app · today

| User | Top app | Used |
|---|---|---|
| ppp-hassan | YouTube | 4.2 GB |
| ppp-khalil | TikTok | 3.8 GB |
| hotspot-201 | Instagram | 2.1 GB |

Interface Scheduler

Automate your network. Set it once, let it run.

Build time-based rules that fire directly on your MikroTik interfaces — off-peak bandwidth boosts, scheduled maintenance windows, or policy enforcement during business hours. No scripting required.

  • Day-of-week + time-range rules with midnight-crossing support
  • Actions: enable / disable interface, set speed limit, queue apply
  • Rules pushed directly to MikroTik via API — no config file editing
  • Per-router scope — target one device or apply fleet-wide
  • Run log — every trigger timestamped in the audit trail

Active schedule rules

Night Bandwidth Boost (enabled)
  • Applies to: ether1 (WAN) — Core-Router-01
  • Schedule: Mon–Fri 22:00 → 08:00
  • Action: Set max-limit 1G/1G

Business Hours Policy (enabled)
  • Applies to: bridge (LAN) — All routers
  • Schedule: Mon–Fri 08:00 → 18:00
  • Action: Apply queue tree — 20 Mbps social cap

Weekly Maintenance (next: Sun)
  • Applies to: pppoe-out1 — Core-Router-01
  • Schedule: Sunday 03:00 → 04:00
  • Action: Disable interface (1 h window)

MikroTik Wizard

Push RADIUS to any MikroTik in four clicks.

The in-panel wizard connects to your router via API, pushes the RADIUS client config, creates the PPPoE service and IP pools, and runs the auth test — no terminal, no Winbox.

  • Register router with IP, API port, and credentials
  • One-click RADIUS push — auth/acct/CoA config applied via API
  • PPPoE server + IP pool created automatically in RouterOS
  • Discover neighbor routers and add your whole fleet at once
  • Auth test runs from the admin panel — no radtest command needed

MikroTik setup wizard

  1. Add router: Core-Router-01 · 192.168.1.1:8728
  2. Push RADIUS config: Auth :1812 · Acct :1813 · CoA :3799 ✓
  3. Create PPPoE profile (current): IP pool 10.10.0.0/20 · DNS 1.1.1.1, 8.8.8.8
  4. Test authentication: Auth test from admin panel — no CLI needed

Backed by SecuryTik

Built by people who deploy ISPs for a living

SAMM is the operational platform SecuryTik uses on its own ISP deployments — from MikroTik core routing to FTTH/GPON fiber rollouts and NOC operations. You get the same tool, with the team behind it for support.

Frequently asked questions

What people ask before deploying SAMM.

What is SAMM?

SAMM (SecuryTik Active Mikrotik Manager) is a full-stack ISP management platform for MikroTik networks. It bundles FreeRADIUS + PostgreSQL, an admin portal, a customer portal, double-entry accounting, and a Telegram self-service bot into a single installer.

Who is SAMM for?

ISPs and network operators running MikroTik routers — anyone authenticating PPPoE or Hotspot subscribers, managing plans and limits, and billing customers. SAMM is used worldwide and ships with a multilingual UI (English, Arabic with RTL, Turkish, French, Spanish, German) and 11 visual themes, so teams in any region can operate it in their own language.

Does SAMM work with my MikroTik router?

Yes. SAMM uses standard RADIUS, so any MikroTik device running RouterOS that supports a RADIUS client works — from a small hAP through to a CCR. No special board or RouterOS feature flag is required. SAMM additionally uses the MikroTik API for inventory, firewall backups, and Hotspot voucher cards.

What does SAMM need to run?

A Linux server with root access — Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, or Debian 12. One install script sets up FreeRADIUS, PostgreSQL, the FastAPI portals, the notification and Telegram workers, and (optionally) a Cloudflare Zero Trust tunnel.

Is SAMM free?

Yes — fully featured, free for up to 3 routers, forever. The Pro tier removes the device cap and adds priority support; contact [email protected] to upgrade.

Try SAMM free for up to three routers.

No payment integration to set up. Create an account, register your first device, and you're authenticating subscribers in minutes.