NAS / Routers

A NAS (Network Access Server) in RADIUS terminology is the device that terminates PPPoE / hotspot / IPoE sessions and asks the RADIUS server to authenticate them. In ProxPanel this is almost always a MikroTik RouterOS device, but the system supports any RFC-compliant BNG (Cisco / Juniper / Huawei) via the Generic-RADIUS code path.

Every subscriber session in radacct is tagged with the NAS IP that asked for it. CoA Disconnect, Live Torch, IP Pool sync, NAS dashboard, and Diagnostic Tools all act on the NAS rows configured here.

How to get here

Sidebar → NAS / Routers (router icon). Direct URL: /nas.

Visible to anyone with nas.view. Resellers only see NAS devices assigned to them via the reseller_nas table; admins see all.

Layout

Section	What it shows
NAS table	Name, IP, Type, Status (online/offline), Active sessions, Secret badge, API badge, Version, Actions
Add NAS button	Opens the create form
Action column	Edit, Sync pools, Test connection, Diagnostic Tools (wrench icon → links to Diagnostic Tools with `?nas_id=X` pre-selected), Delete

The Secret badge shows green “Set” if secret != "" and grey “No Secret” otherwise. The API badge shows green if api_password != "". Actual values are never sent to the frontend (hidden by json:"-" on the model); the computed has_secret and has_api_password booleans drive the display.

Form fields

Identification

Field	Notes
Name*	Display name.
Short Name	Optional alternate label used in tight UI spots.
IP Address*	The NAS’s interface IP from which it sends RADIUS packets (not necessarily the management IP). RADIUS rejects “unknown NAS” if this doesn’t match the source IP of an incoming Access-Request.
Type	`mikrotik` (default) or `generic`. Determines whether ProxPanel sends MikroTik-Rate-Limit or the standard Framed-Bandwidth + Filter-Id attributes.
Description	Free text.
Is Active	Master enable/disable. Disabling does NOT remove the secret from RADIUS — to fully shut a NAS out you must also delete the row.

RADIUS

Field	Default	Notes
Secret*	—	RADIUS shared secret. Must match `/radius add ... secret=...` on the MikroTik. Hidden from the API.
Auth Port	1812	UDP.
Acct Port	1813	UDP.
CoA Port	1700	MikroTik’s default (changed from 3799 in earlier versions to match `/radius incoming` config).

MikroTik API (optional, but strongly recommended)

When configured, ProxPanel uses the API for live operations — pool listing, Torch, CoA fallback (force-remove session), CDN PCQ sync, ping/traceroute via the router, WiFi readout for CPE management.

Field	Default
API Username	Required if API is used. Recommend a dedicated user with `full` group.
API Password	Hidden from API responses.
API Port	8728
API SSL Port	8729 (used when Use SSL is enabled)
Use SSL	Off by default. Turn on if you’ve enabled `/ip service set api-ssl` on the router and have a valid cert.

IP Pools

Field	Notes
Subscriber Pools	Comma-separated list of MikroTik pool names this NAS owns. Used as a hint by the CDN page when filtering pool dropdowns.
Allowed Realms	Comma-separated list of `@domain` realms accepted on this NAS. If set, RADIUS rejects users whose realm isn’t in the list. Useful when multiple resellers share one BNG.

Status (read-only, set by background services)

Field	Source
Is Online	Heartbeat: `last_seen` within last 5 minutes
Last Seen	Last successful API ping or accounting packet
Version	RouterOS version reported via `/system resource print`
Active Sessions	`SELECT COUNT(*) FROM radacct WHERE nasipaddress = ? AND acctstoptime IS NULL`
Total Users	All subscribers assigned to this NAS

Test Connection

The Test Connection button (lightning icon) does three checks and returns a per-check result:

RADIUS reachability — UDP probe to auth_port from the API container. Note: not a full Access-Request, just a port-open check.
MikroTik API auth — Tries to log in with the supplied API credentials. Returns the version, identity, uptime.
CoA reachability — UDP probe to coa_port.

All three should be green before a NAS is considered ready. The most common failure is API auth fail because the MikroTik’s /ip service access list doesn’t allow the ProxPanel server IP.

Auto-Import IP Pools

When you save a new NAS with API credentials (or update an existing NAS to add credentials), ProxPanel runs an asynchronous import:

Connects via API
Calls /ip pool print
For each pool, parses the ranges (e.g. <subscriber-ip>-<subscriber-ip>) and inserts one row per IP into ip_pool_assignments
Calls /ppp active print and marks IPs currently in use as status = 'in_use'

This happens in a background goroutine so the create/update request returns quickly. Logs to look for in proxpanel-api:

NAS Create: Auto-importing IP pools from NAS RouterName (<bng-private>)
NAS Create: Auto-imported 500 IPs from RouterName
NAS Create: Synced 50 active sessions from RouterName

You can also re-run this on demand with the Sync pools button on each row.

Sync

The Sync action triggers a full re-import of IP pools from the NAS, including:

Adding any new IPs from new pools
Marking IPs as available if no live session uses them
Marking IPs as in_use if a radacct Active or a MikroTik /ppp active session has them

Use this after manually changing pool ranges on the MikroTik.

Version + Online detection

A background service polls the API every 5 minutes (when configured):

Updates version from /system resource print
Updates last_seen timestamp
Sets is_online = true if the API responded; false if last_seen > 5 minutes

If your NAS lacks API credentials, only the RADIUS-side last_seen is updated (when accounting packets arrive). Online status falls back to “any active session in the last 5 minutes”.

Reseller assignment

The reseller_nas table maps NAS rows to resellers. Resellers without any rows in this table see an empty NAS list. Use this to keep reseller A from accidentally adding subscribers to reseller B’s router.

Admins manage assignments from the reseller’s detail page in Resellers.

Common workflows

Add a brand-new MikroTik to ProxPanel

On the MikroTik, add ProxPanel as a RADIUS server:

/radius add service=ppp address=PROXPANEL_IP secret=YOURSECRET timeout=3s
/radius incoming set accept=yes port=1700
/ppp aaa set use-radius=yes

Make sure /ip service set api address=PROXPANEL_IP/32 allows ProxPanel.
In ProxPanel: NAS → Add NAS.
Fill Name, IP (the MikroTik’s source IP), Secret, API username + password.
Click Test Connection. All three checks should be green.
Save. IP pools auto-import in the background — refresh in 30 seconds to see them.

Add a Cisco BNG (Generic-RADIUS)

Add the row with Type = generic, fill IP and Secret.
Leave API fields blank — generic devices don’t expose RouterOS API.
On the Cisco / Juniper / Huawei, pre-configure class-maps / policies named to match your services’ Filter-Id Normal / FUP1 / FUP2 / FUP3 fields. Without these the BNG ignores ProxPanel’s Filter-Id.
Test Connection — only RADIUS / CoA checks will run; API will be skipped.

NAS shows offline despite traffic flowing

Open the NAS row. Look at last_seen — when did ProxPanel last hear from it?
Run Test Connection. If RADIUS check passes but API fails, the API password or IP whitelist is wrong.
SSH the MikroTik and run /log print where topics~"radius". Look for the ProxPanel IP. If absent, ProxPanel hasn’t received any accounting traffic — check the firewall.

Permissions

Permission	Effect
`nas.view`	Page loads.
`nas.create`	Add NAS button.
`nas.edit`	Edit + Sync buttons.
`nas.delete`	Delete. Refused if active sessions exist for this NAS IP.

Sessions — filtered by the NAS column to see who’s currently up where.
Services & Plans — assigns a default NAS + pool per service.
Diagnostic Tools — Ping / Traceroute / NSLookup that run through a chosen NAS.
CDN Management — uses NAS pool data to scope PCQ queues.
Resellers — assign NAS rows to resellers via reseller_nas.