Glossary

This glossary defines every term, acronym, and ProxPanel-specific concept that appears across the documentation. Use it when a screen or runbook mentions a phrase you don’t recognise. Entries are alphabetical; ProxPanel-specific terms (FUP tier, mt-exporter, QuotaSync, PCQ direction) sit alongside general ISP / RADIUS / MikroTik vocabulary so you don’t have to guess where to look.

A

ACS (Auto Configuration Server)

The server endpoint that TR-069-capable CPE routers contact for provisioning. ProxPanel embeds an ACS on /acs (proxied to port 7547) for Cudy / TP-Link / generic TR-069 devices. See TR-069 / ACS.

Acct-Input-Octets / Acct-Output-Octets

RADIUS accounting attributes carrying upstream / downstream byte counters from the BNG. Stored in radacct.acctinputoctets and radacct.acctoutputoctets. ProxPanel sums these for daily and monthly usage.

Activation

A license-server record binding one customer license key to one hardware fingerprint and one server IP. Each install creates an activation row on license.proxrad.com.

Address-List (MikroTik)

A named set of IPs maintained on the router (e.g. cdn-netflix). ProxPanel pushes CDN address-lists per Service so traffic to those IPs can bypass FUP or get a different speed.

Anti-Replay HMAC

Mechanism that signs each /validate response with a nonce + Ed25519 signature so a captured response can’t be replayed by an attacker.

API container

The proxpanel-api Docker container — the Go binary that serves HTTP on port 8080, hosts the TR-069 ACS on 7547, and runs background services (QuotaSync, FUP enforcement, backups).

Audit log

Append-only record of operator actions (login, subscriber edit, reseller add-balance). Stored in audit_logs. Visible at Logs.

Auto-Renew

Per-subscriber flag that automatically renews the plan on expiry_date if the reseller balance covers the price. See Subscriber Lifecycle.

B

Balance

Money held by a reseller, credited via admin / collector top-ups and debited each time a renewal / new subscription is processed. Stored as resellers.balance (decimal 15,2).

Bandwidth Rule

Time-window-based speed adjustment applied to a Service or single subscriber. Multiplier expressed as a percentage of base speed. See Bandwidth Rules.

BNG (Broadband Network Gateway)

The router that terminates subscriber PPPoE or IPoE sessions and talks RADIUS. In ProxPanel deployments this is usually a MikroTik (CCR, RB5009, CHR), Cisco ASR, or Juniper MX. Equivalent to “NAS” in RADIUS terminology.

Bonus quota

Extra GB granted manually by admin / reseller. Tracked separately from auto-renewal quota so resets don’t wipe it.

Burst

RouterOS queue feature giving subscribers a short period of higher speed before falling back to the configured rate. ProxPanel configures it via burst-limit, burst-threshold, and burst-time on the queue or in Mikrotik-Rate-Limit.

C

Cache (Redis)

Used by ProxPanel for dashboard counters (30 s TTL), subscriber cache (5 min TTL), session tokens, rate-limit counters, and CDN sync state.

CDN (Content Delivery Network)

A grouping of IP subnets / address-lists representing one service like Netflix, YouTube, or a national IX. ProxPanel applies per-CDN address-lists, FUP, and speed rules. See CDN.

CHR (Cloud Hosted Router)

MikroTik’s virtual RouterOS image. Used as a transit router in the Acme deployment (<bgp-private>:5003). Free up to 1 Mbps, paid licenses unlock higher rates.

CIDR

Classless Inter-Domain Routing notation (e.g. 10.0.0.0/24). Used for NAS allowed-pools, CDN subnets, address-lists.

Cluster

Optional HA setup: two ProxPanel nodes (main + secondary) with PostgreSQL streaming replication + RADIUS hot-standby. See Cluster.

CoA (Change of Authorization)

RFC 5176 RADIUS extension for pushing live updates to active sessions: change Mikrotik-Rate-Limit, force disconnect, etc. ProxPanel sends CoA to UDP port 1700 (MikroTik default) or 3799 (RFC default).

Collector

User type. A field agent who visits subscribers in person to collect cash payments. Limited permission set focused on payment recording and PDF invoice generation.

Communication Rule

Automated WhatsApp / SMS / email message tied to a trigger (expiry_warning, FUP applied, payment received). See Communication Rules.

CPE (Customer Premises Equipment)

The router / ONT at the subscriber’s home. Managed via TR-069 ACS if it supports CWMP. See CPE Devices.

CSV (Comma-Separated Values)

Used for Bulk Import of subscribers and the exported reports.

CWMP (CPE WAN Management Protocol)

The full name of TR-069. The protocol routers use to talk to an ACS over SOAP/XML.

D

Daily quota

FUP usage budget reset every 24 h at the configured Reset Time. Stored in subscribers.daily_quota_used.

Daily Reset Time

System-wide hour:minute (e.g. 00:05) when daily counters reset. Set in Settings → RADIUS. Honours the system timezone.

DSCP (Differentiated Services Code Point)

6-bit field in the IPv4 / IPv6 header used to mark packets for QoS. ProxPanel CDN Port Rules can stamp DSCP via MikroTik mangle for upstream-prioritisation deals with carriers.

dump-radacct

Background job that moves stop-time-set radacct rows older than N days to radacct_archive. Prevents radacct from growing unbounded.

E

Ed25519

Elliptic-curve signature algorithm. Used to sign /validate responses (anti-replay) and for SSH-key recovery on the admin SSH lockdown.

Expiry date

Subscriber-level: the date the plan runs out. License-level: the date the customer’s license bundle expires (controlled by tier duration_days).

F

Failover

Promotion of the secondary cluster node to main when the main becomes unreachable. ProxPanel’s failover monitor triggers automatically after 2 minutes of missed heartbeats.

Framed-IP-Address

RADIUS attribute carrying the IP address to be assigned to the subscriber. Stored in radreply for static-IP users; pool-allocated for the rest.

Framed-Pool

RADIUS attribute telling the BNG which named IP pool to allocate from. ProxPanel sends it per-service if services.pool_name is set.

FUP (Fair Usage Policy)

The cap-and-shape model: after a subscriber crosses a quota threshold, their speed is reduced. ProxPanel supports up to 6 daily + 6 monthly FUP tiers per Service. See FUP.

FUP tier

One step of the FUP ladder. fup_level = 0 is normal; 1..6 are progressively slower steps. monthly_fup_level is the parallel monthly counter.

G

GORM

The Go ORM ProxPanel uses for database operations.

Grace period

Window (currently 5 minutes) during which the customer binary continues running if it can’t reach the license server. After the grace period it shuts down.

H

Hardware ID

Stable fingerprint of the customer’s server: sha256(stable|MAC||). License is bound to this value; changes require an admin reset.

Heartbeat

Periodic (30 s) message from customer → license server reporting subscriber count, version and hardware ID. Failures past the grace period block validation.

Hot-Standby RADIUS

HA pattern where a passive proisp-radius-standby container runs alongside the primary, takes over on failure, and synchronises auth state via Redis. Introduced in v1.0.530 / v1.0.531 / v1.0.532.

Hotspot

RouterOS / generic captive-portal mode. Less common in ProxPanel deployments than PPPoE but supported via the same RADIUS code path.

I

Idle Timeout

RADIUS Idle-Timeout attribute; how long the BNG keeps an inactive session before dropping. ProxPanel does not set this by default — MikroTik’s PPPoE profile default applies.

Impersonation

Admin feature to log in as a reseller (or sub-reseller). Audit-logged, preserves admin’s true identity in audit_logs.actor_id while serving the reseller’s UI.

IPoE (IP over Ethernet)

Subscriber-on-Ethernet without PPP encapsulation. Some Cisco / Juniper / Huawei BNGs prefer it. Supported via the Generic-RADIUS server path (v1.0.518 – v1.0.525).

IP pool (MikroTik)

A named range of addresses on the router (/ip pool add name=2M ranges=<subscriber-ip>-<subscriber-ip>). ProxPanel mirrors these in ip_pool_assignments to prevent duplicate allocations.

iputils-ping

Linux package providing the ping binary. Required in the API container so the Ping action on subscribers works.

J

JWT (JSON Web Token)

Short-lived bearer token used for API auth. ProxPanel issues an access token (15 min) + refresh token (HttpOnly cookie, 7 days). Tokens can be blacklisted on logout via Redis.

K

Kill switch

License-server-side override that returns status: killed on validate. The customer binary detects this and calls os.Exit(1) immediately. Used for compromised installs.

L

LCP (Link Control Protocol)

The PPP sub-protocol that establishes the link before authentication. LCP echo failures are the most common cause of PPPoE session drops; logged by MikroTik and surfaced in ProxPanel’s flap events table.

License key

30-character string in the form PROXP-XXXXX-XXXXX-XXXXX-XXXXX issued by license.proxrad.com. Bound to one hardware ID once activated.

LUKS (Linux Unified Key Setup)

Disk encryption layer. ProxPanel’s optional boot-security stack stores the API data volume on a LUKS container whose key is fetched from the license server at boot.

M

mangle (MikroTik)

The /ip firewall mangle chain. ProxPanel uses it for CDN packet-marking and DSCP stamping. PCQ requires mangle marks because the queue matches by packet-mark.

MAC binding

RADIUS feature: lock a subscriber username to one Calling-Station-Id (their CPE MAC). Reset via Subscriber Edit → Reset MAC.

Acme (Middle East Sat)

One of ProxPanel’s production customers (<customer-server> / private ). Largest active subscriber base.

MikroTik API

The proprietary binary protocol on TCP 8728 (plain) / 8729 (SSL). ProxPanel uses it for queue management, PPPoE-active queries, torch, ping, pool reads.

Monthly Reset Time

First-of-month event that resets monthly_quota_used, monthly_fup_level, and clears any monthly FUP tier on the subscriber.

MRR (Monthly Recurring Revenue)

Sum of new + renewal transactions. Distinguished from “Total Income” (which adds add-ons, top-ups, etc.). Shown on the Dashboard.

mt-exporter

Prometheus exporter for MikroTik routers. Bundled in the optional LGTM observability stack; scrapes via the RouterOS REST API. Default port 5060.

N

NAS (Network Access Server)

RADIUS term for the BNG. In ProxPanel’s UI the term NAS and Router are used interchangeably; the table is nas_devices.

nginx

The reverse proxy in front of the API + frontend. Terminates TLS, rate-limits the login endpoint (5 req/min), and proxies /acs to the TR-069 ACS.

nonce

One-time random number embedded in /validate signed responses. Prevents replay of captured success messages.

node_exporter

Prometheus exporter for host metrics (CPU, memory, disk, network). Bundled in the LGTM stack on port 9100.

O

Online flag

subscribers.is_online boolean. Set by QuotaSync when an active radacct row exists; cleared when the session stops or is swept by Stale Session Cleanup.

Override price

Per-subscriber price that overrides the Service’s default. Marked with an orange star in the Subscribers list.

P

PAP (Password Authentication Protocol)

The simplest PPP authentication: plaintext password over the (already-encrypted) PPPoE link. MikroTik’s default. Used alongside MS-CHAPv2 by ProxPanel’s RADIUS.

PCQ (Per Connection Queue)

RouterOS queue type that automatically subdivides bandwidth among each unique source / destination address pair. ProxPanel uses PCQ for CDN port rules.

PCQ direction

src-address (per upstream user), dst-address (per downstream user), or both. ProxPanel exposes this on the CDN Port Rules edit form.

PEP (Policy Enforcement Point)

Generic RADIUS term for the device that applies the policy decided by the RADIUS server. Same as BNG / NAS in this context.

Permission group

Named bundle of permissions assignable to a reseller / support / collector user. Out-of-the-box examples: SALES, READONLY, COLLECTOR.

PgBouncer

Optional connection pooler in transaction mode for >25 k subscribers. ProxPanel ships an opt-in PgBouncer for the 60K capacity tier.

pool (IP)

See IP pool.

PPPoE (Point-to-Point Protocol over Ethernet)

The most common subscriber protocol in ProxPanel deployments. Username / password authenticated via RADIUS.

proxpanel-admin (SSH key)

The single SSH key authorised on all 5 production servers (dev box, Acme, Acme ISP, SaaS, license main + backup). Password authentication is disabled.

proxrad.com

The product brand and license-server domain. license.proxrad.com is the public licensing endpoint; the SaaS panel runs on saas.proxrad.com.

Q

Quota

Bytes of data allowed before FUP throttling. Daily and monthly are tracked separately.

QuotaSync

The 30-second background loop in the API container that polls MikroTik for active sessions, increments daily_quota_used, applies FUP transitions, and clears stale online flags.

R

radacct

The RADIUS accounting table. One row per session, updated by interim Accounting-Update packets and closed by Accounting-Stop. The hot table for ProxPanel; archived to radacct_archive after 90 days.

radcheck

RADIUS check items (password, expiry attributes). ProxPanel writes Cleartext-Password here for PAP auth.

radgroupreply / radgroupcheck

Group-level RADIUS attributes. Rarely used by ProxPanel — subscriber-level radreply usually suffices.

radreply

Per-username reply attributes returned on Auth-Accept (e.g. Framed-IP-Address, Mikrotik-Rate-Limit).

radusergroup

Maps a username → group. Used for FUP tier groups when the radgroupreply path is preferred over per-user radreply.

refresh token

Long-lived (7-day) token stored in an HttpOnly cookie that mints new access tokens. Introduced in v1.0.540 (Phases 1-3 in 540 / 541).

Reseller

User type that can own subscribers, hold a balance, and (optionally) have sub-resellers under them.

RouterOS

MikroTik’s operating system. ProxPanel is most heavily tested against versions 7.13+.

S

SaaS mode

Build flavour of ProxPanel that runs as a multi-tenant platform (schema-per-tenant in proxpanel_saas). Hosted at saas.proxrad.com.

SCRAM-SHA-256

The default Postgres password scheme. ProxPanel sets this in the install script’s pg_hba.conf.

Soft delete

deleted_at IS NOT NULL pattern. ProxPanel soft-deletes subscribers, invoices, services, NAS — actual rows are kept for audit / restore.

Stale Session Cleanup

Background sweeper that closes radacct rows with no acctupdatetime for 30+ minutes (caused by missed Accounting-Stop packets). Runs every 5 minutes.

Static IP

A reserved IP address assigned via radreply (Framed-IP-Address). Optionally rented monthly via Static IP Rentals.

Switch

Hierarchy device above a NAS in the topology map. Used purely for organising customer infrastructure visually.

sub-reseller

A reseller whose parent_id points at another reseller. Inherits the parent’s NAS pool and (optionally) is invisible above.

T

Tenant (SaaS)

One isolated customer in SaaS mode. Each tenant has its own Postgres schema (tenant_<id>), its own subdomain (<tenant>.saas.proxrad.com), and its own subscribers / billing.

Tier (license)

Sales bundle on the license server (Starter, Pro, Enterprise). Sets max_subscribers and duration_days.

Tier (FUP)

See FUP tier.

Top-up

Buying extra GB on an existing subscription. Recorded as a subscriber_topup transaction.

Torch (MikroTik)

RouterOS live traffic analyser. ProxPanel uses /tool/torch for per-subscriber live download/upload graphs and CDN traffic measurement.

TR-069

The standard for ACS ↔ CPE communication. ProxPanel’s ACS speaks it on port 7547 (or 80 via nginx proxy).

Transit router

A router that forwards RADIUS / API traffic across an intermediate network (the Acme-CHR transit router at <bgp-private>:5003).

Trigger (Communication Rule)

The event that fires a Communication Rule: expiry_warning, expired, fup_applied, payment_received, quota_warning, subscriber_created, etc.

U

Ultramsg

Third-party WhatsApp gateway integrated for SMS / WhatsApp notifications. Tenant-configurable.

Update package

A .tar.gz produced by the license server’s build pipeline. Contains the API binary, RADIUS binary, frontend dist, and docker-compose.yml. Distributed via the Updates page.

UPX

Executable packer. Tested and dropped for ProxPanel — measured 78× cold-start slowdown for a few MB savings.

Uptime Kuma

Self-hosted monitoring dashboard. Runs on the dev box (127.0.0.1:3001) for the ProxRad fleet.

V

VLAN

802.1Q tagged virtual LAN. ProxPanel allows the BNG side to be VLAN-segmented; tags are not stored by ProxPanel but appear in MikroTik PPP / Ethernet config.

VRF (Virtual Routing and Forwarding)

Separate routing tables on the BNG. Cisco / Juniper deployments often place subscribers in a VRF; ProxPanel passes through but doesn’t manage VRFs.

W

WAN check

Periodic background scan that pings each subscriber’s public IP and records reachability. Useful for spotting customers whose CPE has rebooted into a bad firmware.

WireGuard

The VPN protocol used by ProxPanel’s SaaS relay for tunnelling tenant RADIUS back into ProxPanel’s central cluster. UDP 51820.

X / Y / Z

XML-RPC

Not used. ProxPanel’s API is JSON only.

Zender

The Linux-based WhatsApp gateway running on <sample-host>. Used for the cheaper-than-Ultramsg WhatsApp channel; updates pulled from raw.titansystems.ph/wa/linux.zip.

Related pages

• Concepts — long-form explanations of the most important entities (Subscriber, Service, FUP, Reseller).
• RADIUS — the wire-level view of how the attributes above are sent.
• Database Schema — every table the glossary references.
• Default Ports — protocol numbers next to their service names.