Every capability, in detail
SecuryTik Active Mikrotik Manager
AAA core, plans & limits, accounting, admin portal, customer portal, Telegram self-service, multilingual UI — all in one installer.
FreeRADIUS at the core
PAP/CHAP-based authentication with PostgreSQL on the hot path — limit evaluation and CoA queueing happen inside the database on every Interim-Update.
Authentication & accounting
- FreeRADIUS 3 + PostgreSQL backbone
- PAP and CHAP authentication
- PPPoE and Hotspot support
- Per-user static IP override
- Dynamic NAS registration — no restart on add/remove
Hybrid CoA
- Single coa_outbox queue, one drainer
- CoA-Update first; auto-fallback to Disconnect-Request on NACK
- Originated from samm-radius, not FreeRADIUS
- Retry counts & default port configurable in samm.settings
Four limit types, infinite combinations
Speed (Mbps) + Framed-Pool plus up to four independent limits — each with its own exhaustion behaviour.
Expiration
- Days since activation or assignment
- On exhaust: throttle / next plan / disconnect
Quota
- Total bytes — configurable: both, download only, or upload only
- On exhaust: throttle / next plan / disconnect
Daily
- Bytes since the last daily reset
- Reset time configurable per-environment
- On exhaust: throttle / next plan / disconnect
Uptime
- Cumulative session seconds
- Independent of bytes consumed
- On exhaust: throttle / next plan / disconnect
Speed windows
- Scheduled speed boosts by day-of-week + clock range
- Midnight-crossing fully supported
- Throttled / exhausted users excluded — speed never lifts while a limit is in force
Two usage counters
- user_limit_state — resettable per-limit counters
- user_usage_totals / user_usage_daily — non-resettable billing counters, never zeroed
- Admin resets only touch limit state — billing stays accurate
Double-entry accounting, built in
Bill the way an ISP actually bills — no spreadsheet bridges, no separate tool.
Invoices & expenses
- Renewal-driven invoicing tied to plan changes
- PDF rendering (server-side) for portal & Telegram bot
- Automatic overdue-invoice detection
- Expense tracking and categorization
Resellers, assets, depreciation
- Reseller accounts with commission tracking
- Asset inventory with depreciation schedules
- Real chart of accounts, real double-entry — every transaction balances
Run the whole network from one screen
Customers, plans, devices, vouchers, tickets, audit trail — all role-aware so each admin sees only what they need.
Customers & plans
- Create, edit, suspend, reactivate customers
- Plan management with multi-limit configuration
- Plan switch (queued via audit log; live CoA refresh)
- Per-customer credit, balance, and payment history
MikroTik inventory
- Live ping monitoring of every router
- RouterOS version & identity sync
- Interface statistics & history
- Firewall backup, scheduled revert
- WiFi / cAPsMAN management
- Monitor-only mode for non-NAS MikroTiks
Application-aware QoS
- Drag the apps and sites your subscribers use into eight download-priority slots
- Optional per-app speed caps and a total download ceiling
- Auto-distribute by category — messaging, conferencing, social, streaming, downloads and more
- Compiled into a MikroTik queue tree with packet-mark rules and pushed in one click
- Built on the same Websites & App filter that powers monitoring
Hotspot voucher cards
- Generate batches of pre-paid voucher cards
- Custom-formatted printable layout
- Per-batch plan, expiry, and pricing
Support tickets
- Customer support ticket queue with status tracking
- Assignment, comments, attachments, history
- Telegram bot integration — customers can open tickets from chat
Role-based permissions
- Three built-in roles — superadmin, manager, viewer
- Per-page block-level permissions
- Signed-cookie sessions with strict SameSite
Live sessions & reports
- Live session view — current online users by NAS
- Usage reports per customer, plan, or NAS
- Time-series traffic charts
Traffic trends and top consumers. Without a query.
Subscriber and session trend charts, daily traffic per NAS, and top-N bandwidth rankings — all pre-computed, no manual SQL.
Subscriber & session trends
- Configurable period: Today / 7d / 14d / 30d / 90d
- Active, online, and expired user curves over time
- Time-series snapshot stored hourly for history
Traffic & top consumers
- Daily up/down bytes chart per NAS
- Top-10 download / upload today and this month
- Per-plan and per-NAS usage breakdowns
Self-service that actually offloads work
Subscribers see their plan, usage, invoices, and tickets — without contacting support.
Account & usage
- Current plan, expiration, daily & total quota
- Real-time usage gauges
- Profile edit & password change (cleartext required for PAP)
Invoices & support
- View & download invoice PDFs
- Open support tickets, reply, attach files
- Ticket history with full audit trail
Self-service from chat
Customers /start the bot, verify once with their SAMM credentials, then do almost everything portal-side from inside Telegram.
Interactive self-service
- One-time verification with SAMM username + password
- Password message auto-deleted on receive
- Check plan, quota, usage, expiration
- Edit profile, change password
- View & download invoice PDFs in chat
- Manage support tickets — inline-keyboard menus
Architecture
- Sole getUpdates poller — no race conditions
- Conversation state in tg_bot_session (locked per chat)
- Reuses portal queries; never forks data access
- File sends happen after transaction commit, off the dispatcher lock
One queue, multiple channels
All outbound customer messaging flows through a single throttled notif_outbox, with per-customer channel priority.
Event types
- Renewal reminder, expiry notice
- Quota warning, plan-renewed receipt
- Payment receipt
- Manual admin broadcasts
Channels & routing
- Email and Telegram channels
- Per-customer channel priority with fallback
- Channel config with Fernet-encrypted secrets
- Throttled delivery — no surprise SMTP bills
Multilingual & themeable
Babel-based i18n with a live in-portal editor, plus eleven shipping themes — every user picks their own.
Languages
- English, Arabic (RTL), Turkish, French, Spanish, German
- Per-user language preference saved to account
- Add new languages at runtime via the admin UI
- Live /admin/translations editor — no restart
- Export / import .xlsx workbooks for translators
Themes
- 11 shipping themes — light and dark variants
- One data-theme axis, 26 CSS custom properties per palette
- CSS logical properties — RTL works automatically
- Preference saved per user account
Run SAMM anywhere — bare OS, Docker, MikroTik, or the cloud
One product, four install paths. Pick the surface that fits your network — they all run the same SAMM, talk to the same license server, and ship from the same release.
Bare OS — one command, one server
- Ubuntu 22.04 / 24.04 or Debian 12, single idempotent shell script
- Auto-generated DB password & signing keys on first run
- Re-runs apply upgrades safely — no state lost, no reconfiguration
- Built-in WireGuard server & optional Cloudflare Zero Trust tunnel
Docker — Ubuntu, Windows, anywhere
- Multi-arch image (linux/amd64 + linux/arm64) — one tag, every CPU
- One-line installer on Ubuntu/Debian, or Docker Desktop on Windows / macOS
- Compose bundle pinned to a sha256 image digest per release — immutable upgrades
- Cron auto-update built in — daily pull, zero downtime when there's nothing new
MikroTik containers — directly on the router
- Paste the compose YAML into RouterOS Container → Apps → New → YAML — done
- Works on arm64 MikroTik (RB5009, hAP ax², CCR2004/2116/2216) and amd64 SKUs
- No external Linux box, no separate hosting — SAMM runs where your network does
- Experimental in v1 — the bare-OS or Docker paths remain the recommended production routes
Cloud — Hetzner, DigitalOcean, AWS, anywhere with a public IP
- Same one-command installer; works on any Ubuntu/Debian VM in any cloud provider
- Cloudflare Tunnel publishes the admin/customer portal without opening firewall ports
- Built-in WireGuard reaches MikroTik routers behind NAT — no public IP needed on the router
- Daily backups encrypt to a single passphrase-protected archive — restore anywhere
Five systemd services
- samm-api — admin + customer portals (FastAPI)
- samm-radius — CoA dispatcher, expiration sweeps
- samm-worker — MikroTik API sync + ping
- samm-notification — channel delivery worker
- samm-telegram — interactive bot
Reach every router — even from the cloud
Host SAMM anywhere. A built-in WireGuard server and a managed Cloudflare Tunnel close the gap between a cloud server and MikroTik routers sitting behind NAT — no public IP, no port forwarding.
WireGuard server
- SAMM creates a WireGuard server in one click — keypair, interface, and listen port generated for you
- Cloud-hosted SAMM reaches MikroTik routers behind CGNAT over an encrypted tunnel
- Each router gets a ready-to-paste peer config — tunnel up without a public IP or port forwarding
- RouterOS API, RADIUS, and CoA traffic all ride the same private link
- Peer list with last-handshake status in the admin panel
Cloudflare Tunnel
- Paste your Cloudflare tunnel token — SAMM installs and runs cloudflared as a managed service
- Bring your own domain; the admin and customer portals go live over HTTPS
- The tunnel dials out — no inbound firewall rules, no exposed public IP
- Start, stop, and check tunnel health from the System tab
- Pairs with WireGuard — control SAMM from anywhere while SAMM reaches the routers
Bulk operations and data control.
History cleaning, bulk plan changes, import/export, and database backups — all from the admin panel, no command line.
Bulk operations
- Bulk plan change — reassign N subscribers in one action
- Bulk delete — remove inactive subscribers with confirmation
- History cleaner — prune old session/audit rows by age
Data portability
- Export / import subscribers and plans via structured file
- Database backup and restore from the admin panel
Pairs with the full SecuryTik stack
SAMM is the operational platform SecuryTik uses on its own ISP rollouts. Use it standalone, or have us deliver the whole environment around it.
Network & ISP services
- Full ISP buildout — wireless + FTTH/GPON fiber
- MikroTik installation, configuration, ISP core routing
- Captive Portal + RADIUS authentication design
- NOC setup and ongoing 24/7 operation
Server infrastructure
- Bare-metal or virtualized SAMM deployments
- HA & DR design with VMware / Proxmox
- Backup & retention policies
Security hardening
- SAMM running behind defended infrastructure
- SIEM (Wazuh / ELK) integration for AAA event ingestion
- Periodic security audits & pen-testing
Managed operations
- 24/7 NOC monitoring of your SAMM deployment
- Managed patching, backups, capacity planning
- SLA reporting