Architecture
Containers
A single ProxPanel install runs 5 Docker containers:

| Container | Image | Port | Purpose |
|---|---|---|---|
| proxpanel-db | postgres:16-alpine | 5432 (localhost) | PostgreSQL 16 — all persistent data |
| proxpanel-redis | redis:7-alpine | 6379 (localhost) | Cache, JWT blacklist, rate-limit counters |
| proxpanel-api | proisp-api (custom) | 8080 (localhost) | Go REST API + admin frontend |
| proxpanel-radius | proisp-radius (custom) | 1812 / 1813 / 3799 (UDP) | RADIUS auth, accounting, CoA |
| proxpanel-frontend | nginx:alpine | 80 / 443 (public) | TLS termination + static asset serving |
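
The table above lists the database, Redis and API ports as localhost-only. The following added example (not ProxPanel's own code) checks that property against the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`; the `audit` function and the sample output are constructed for illustration.

```python
import re

# Expected exposure per container, taken from the Containers table:
# "localhost" = loopback only, "public" = reachable from other hosts.
EXPECTED = {
    "proxpanel-db": "localhost",
    "proxpanel-redis": "localhost",
    "proxpanel-api": "localhost",
    "proxpanel-radius": "public",
    "proxpanel-frontend": "public",
}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# One published mapping as printed by `docker ps`, e.g. 0.0.0.0:80->80/tcp
MAPPING = re.compile(r"^(?P<host>.+):(?P<hport>[\d-]+)->(?P<cport>[\d-]+)/(?P<proto>\w+)$")

def audit(docker_ps_output):
    """Return (container, mapping) pairs that are published beyond loopback
    for containers the table lists as localhost-only."""
    findings = []
    for line in docker_ps_output.strip().splitlines():
        name, _, ports = line.partition("\t")
        if EXPECTED.get(name) != "localhost":
            continue
        for entry in filter(None, (p.strip() for p in ports.split(","))):
            m = MAPPING.match(entry)
            if m is None:
                continue  # e.g. "5432/tcp": not published on the host at all
            if m.group("host") not in LOOPBACK:
                findings.append((name, entry))
    return findings

# Constructed sample output: Redis is wrongly published on all interfaces.
SAMPLE = (
    "proxpanel-db\t127.0.0.1:5432->5432/tcp\n"
    "proxpanel-redis\t0.0.0.0:6379->6379/tcp, :::6379->6379/tcp\n"
    "proxpanel-api\t127.0.0.1:8080->8080/tcp\n"
    "proxpanel-radius\t0.0.0.0:1812-1813->1812-1813/udp, 0.0.0.0:3799->3799/udp\n"
    "proxpanel-frontend\t0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp\n"
)

if __name__ == "__main__":
    for container, mapping in audit(SAMPLE):
        print(f"UNEXPECTED EXPOSURE: {container} publishes {mapping}")
```
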
Network ports

| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 80 / 443 | TCP | inbound | Admin panel + customer portal (HTTP/HTTPS) |
| 1812 | UDP | inbound | RADIUS authentication |
| 1813 | UDP | inbound | RADIUS accounting |
| 3799 | UDP | outbound | CoA (Change-of-Authorization) to NAS |
| 8728 / 8729 | TCP | outbound | MikroTik API + TLS variant |
| 7547 | TCP | inbound | TR-069 ACS (optional) |
| 22 | TCP | inbound | SSH (operator access only) |
Data flow — subscriber authentication
1. Customer router opens PPPoE session to BNG (MikroTik/Cisco/etc.)
2. BNG sends RADIUS Access-Request to ProxPanel :1812 with username + password
3. ProxPanel validates credentials against `subscribers` table (MS-CHAPv2 / PAP)
4. Returns Access-Accept with:
   - Mikrotik-Rate-Limit (or Filter-Id for generic RADIUS)
   - Framed-IP-Address (static) OR Framed-Pool (dynamic)
   - Session-Timeout, etc.
5. BNG creates queue, assigns IP, brings interface up
6. BNG sends RADIUS Accounting-Start to :1813
7. Every 30s: QuotaSync polls MikroTik /ppp/active for per-session byte counters
   - Updates daily/monthly quota in DB
   - If threshold crossed: triggers FUP tier change via CoA-Request to BNG :3799
8. Customer disconnects → BNG sends Accounting-Stop → session closed in radacct

Data flow — admin / reseller / customer
```
Browser ──► nginx :443 ──► API :8080 ──► Postgres / Redis
                              │
                              ├──► MikroTik API :8728 (for live actions)
                              └──► License server (heartbeat every 30s)
```

External dependencies
- License server (license.proxrad.com) — validates license every 30 seconds. 4-hour grace period if unreachable. See License Activation.
- Cloud backup target (optional) — license server can store encrypted backups for you.
- SMTP / SMS / WhatsApp (optional) — for customer notifications.