Documentation

MTBS ISP Cloud

Enterprise-grade multi-tenant SaaS platform for ISP network management

This documentation covers every feature of MTBS ISP Cloud — from first login to advanced API usage. Use the sidebar to navigate between sections.

What Is MTBS ISP Cloud?

MTBS ISP Cloud is a complete network management platform built specifically for Internet Service Providers. It runs as a multi-tenant SaaS — each ISP gets its own isolated workspace, user accounts, and data.

The platform handles everything an ISP operations team needs daily:

OLT & ONU management — provision, monitor, and control fiber equipment from ZTE, Huawei, and Fiberhome
Switch management — full port/VLAN/MAC visibility and port-level control via SNMP
WireGuard VPN — manage VPN tunnels and peers for your team and devices
Alarm monitoring — real-time alerts with NOC workflow (acknowledge → assign → resolve)
Billing & finance — customer accounts, packages, invoicing, payments
Multi-tenant RBAC — each ISP is an isolated tenant; roles control what each user can do
REST API — all features accessible via /api/v1 for integrations and automation
Flutter mobile app — iOS & Android app for on-the-go network management

Platform Architecture

Layer	Technology	Purpose
Backend	`PHP 8.3` (Custom MVC)	Web & API server, no Laravel/Symfony bloat
Database	`MySQL 8.4`	All data with per-tenant row-level isolation
Web UI	`Bootstrap 5`	Responsive dark-theme admin interface
REST API	`/api/v1` (JSON)	JWT-authenticated, versioned API
Mobile	`Flutter / Dart`	Cross-platform iOS & Android app
State Mgmt	`Riverpod`	Flutter state management
Navigation	`GoRouter`	Flutter declarative routing
Network	`Dio`	HTTP client with interceptors
Auth	JWT (API) + PHP Sessions (web)	Stateless auth for API & mobile
VPN	WireGuard + OpenVPN	VPN server & peer/client management

Key Concepts

Tenant

Each ISP is a separate "tenant". Data is fully isolated — users in Tenant A never see Tenant B's data.

Role

Every user has a role (e.g., ISP Admin, NOC Engineer, Billing Manager). Roles define exactly what pages and actions they can access.

OLT

An Optical Line Terminal — the central device at your exchange or data centre that connects to many customer ONUs via fiber PON ports.

ONU

An Optical Network Unit — the device installed at the customer's premises. Each customer typically has one ONU connected to your OLT.

Alarm

An alert generated when a monitored condition is met (e.g., ONU signal below threshold, port going down, device unreachable).

Job

A background task (e.g., ONU provisioning, OLT sync). Long operations run as async jobs so the web UI stays fully responsive.

OpenVPN

A VPN tunnel technology used to give your field engineers, remote staff, and automation scripts secure encrypted access to the management network.

Security Dashboard

A one-page overview of 12 server security checks — SSL validity, firewall state, fail2ban, disk encryption, and more — with a score card so you can see your security posture at a glance.

Platform Stages — How to Use the Software

If you are new to MTBS ISP Cloud, follow these stages in order. Each stage builds on the previous one. You don't have to complete everything in one day — you can return and continue at any time.

1

Tenant Setup

A Platform City Admin creates your ISP tenant and sends you your first Admin credentials. You log in, change your password, and your account is ready.

2

Add Sites

Create a Site record for every physical location you operate from (e.g., "Karachi-North Exchange", "Lahore Data Centre"). Sites are used to group your equipment geographically.

3

Add OLTs & Switches

Register your OLTs and switches by entering their IP addresses, SNMP community strings, and SSH credentials. The system immediately pulls port and card data.

4

Discover & Provision ONUs

Scan each OLT's PON ports to find newly connected customer ONUs. For each discovered ONU, run the provisioning wizard to assign a customer name, service profile, and VLAN.

5

Configure VPN Access

Set up WireGuard and/or OpenVPN servers so your field engineers and remote staff can securely access the management network from anywhere. Create one client or peer config per person. Use WireGuard for fast always-on tunnels; use OpenVPN for staff connecting through strict firewalls.

6

Set Up Billing

Create service packages (e.g., "20 Mbps Home – PKR 2,500/month"), add customer records, and let the system auto-generate monthly invoices. Record payments as they come in.

7

Build Your Team

Add user accounts for your NOC engineers, billing staff, and managers. Assign each person the right role so they only see what they need. Everyone logs in with their own email and password.

8

Monitor & Respond to Alarms

The alarm engine runs continuously. When an ONU goes offline, a switch port flaps, or an optical signal degrades below your threshold, an alarm is raised. Your NOC team acknowledges and resolves alarms from the web UI or mobile app.

9

Review Your Security Posture

Visit the Security Dashboard to see 12 automated checks (SSL, firewall, fail2ban, disk encryption, PHP config, and more). Fix any red checks to keep your server hardened.

Quick Start Guide

Follow these steps to get your ISP up and running on MTBS ISP Cloud from zero to fully operational.

Estimated time to first ONU provisioned: under 30 minutes if you have your OLT credentials ready.

Step 1 — Tenant Account Setup

1

Contact MTBS to create your tenant

A Platform City Admin creates your ISP tenant in the system, assigns you a subdomain, and sends you your initial Admin credentials via a secure channel.

2

Log in as ISP Admin

Go to isp.mtbs.cloud/login, enter your email and password. You will land on the Dashboard.

3

Change your password

Go to Profile → Change Password immediately. Use a strong password (12+ chars, mixed case, numbers, symbols).

Step 2 — Add Your Infrastructure

4

Create Sites

Go to Sites in the sidebar and click Add Site. Create one site per physical location (e.g., "Karachi-North", "Lahore-Central").

5

Add OLTs

Go to OLTs and click Add OLT. Select your vendor (ZTE / Huawei / Fiberhome), enter the management IP, SNMP community, SSH credentials, and assign a site. Click Save & Sync to pull card/port data immediately.

6

Add Switches

Go to Switches and click Add Switch. Enter IP, SNMP credentials, and select L2 or L3 type. The system will poll port status automatically every 5 minutes.

Step 3 — Provision Your First ONU

7

Run ONU Discovery

Go to ONUs → Discover, select your OLT and PON port, click Discover Rogue ONUs. Any unprovisioned ONUs on that port appear in the list.

8

Provision the ONU

Click Provision next to the discovered ONU. Fill in: customer name, service profile, VLAN ID, WAN mode, and PPPoE credentials. A provisioning job is created and runs in the background.

9

Verify the Job

Go to Jobs to watch the provisioning job progress. When it shows COMPLETED, the ONU is live on the network.

Step 4 — Set Up Your Team

10

Invite users

Go to Users → Add User. Fill in name, email, and assign a role. NOC Engineers get OLT/ONU/switch access. Billing Managers get billing access. Viewers get read-only access.

11

Configure alarm rules

Go to Alarms → Rules and set thresholds for optical power levels, port state changes, and device uptime. The monitoring engine will generate alarms automatically.

12

Install the mobile app

Field engineers can download the MTBS ISP Cloud Flutter app for iOS or Android. They log in with their web credentials — the same account works across both platforms.

Logging In

Access MTBS ISP Cloud at isp.mtbs.cloud/login from any modern web browser.

isp.mtbs.cloud / login

MTBS

ISP Cloud Management

Sign In

Enter your credentials to access the platform

Email Address

admin@myisp.com

Password

••••••••••••

Sign In

Forgot your password? Reset it here

Login page — dark-themed, accessible from any browser. No app install required for the web interface.

Login Process

Navigate to isp.mtbs.cloud/login
Enter your Email Address and Password
Click Sign In
You will be redirected to the Dashboard

Forgot Password

Click the "Forgot your password? Reset it here" link on the login page. Enter your email address and check your inbox for a reset link.

Sessions expire after a period of inactivity. You will be automatically redirected to the login page when your session expires. Your work is always saved before expiry.

Security Notes

All connections use HTTPS — your credentials are always encrypted in transit
Passwords are hashed with bcrypt — even database admins cannot read them
The web UI uses CSRF tokens on every form to prevent cross-site request forgery
The API uses JWT tokens — access tokens expire in 15 minutes, refresh tokens in 7 days

Dashboard

The dashboard is your main operational hub. It shows real-time KPIs, active alarms, and a summary of your network health at a glance.

isp.mtbs.cloud / dashboard

Dashboard Overview

48

OLTs Online

1,240

Active ONUs

7

Active Alarms

312

Switches

Recent Alarms

OLT-03 port down

ONU signal weak

Switch SW-11 high CPU

Job Queue

Provision ONU ZTEG4421DONE

Sync OLT-07RUNNING

Billing reportQUEUED

Main dashboard — KPI cards at top, recent alarms (left) and job queue status (right). Sidebar shows navigation with unread alarm count badge.

Dashboard Sections

Widget	What It Shows	Where It Links
OLTs Online	Count of OLTs currently reachable	OLT list page
Active ONUs	ONUs with status = active/online	ONU list page
Active Alarms	Unresolved alarms across all devices	Alarms page
Switches	Total switches in inventory	Switch list page
Recent Alarms	Last 5 unacknowledged alarms with severity colour	Each alarm's detail
Job Queue	Last 5 background jobs with status	Jobs list page

NOC Dashboard

Navigate to /dashboard/noc or click NOC View in the dashboard header. This is a full-screen, auto-refreshing display designed for wall-mounted TV monitors in your NOC.

The NOC dashboard requires the dashboard.noc permission. Only NOC Engineers and above can access it.

OLT Management

OLTs (Optical Line Terminals) are the central devices in your fiber network. MTBS ISP Cloud supports ZTE, Huawei, and Fiberhome OLTs via SNMP and SSH.

isp.mtbs.cloud / olts

OLT Devices

Name	Vendor	IP Address	Site	PON Ports	Status
OLT-01-KHI	ZTE C300	10.10.1.1	Karachi-North	16	Online
OLT-02-KHI	ZTE C680	10.10.1.2	Karachi-South	32	Online
OLT-03-LHR	Huawei MA5800	10.20.1.1	Lahore-Central	24	Offline
OLT-04-LHR	Fiberhome AN6000	10.20.1.2	Lahore-East	16	Online

OLT list — shows all OLTs with vendor, IP, site assignment, port count, and live status. Click View for full detail.

Adding an OLT

Go to OLTs in the sidebar
Click Add OLT
Fill in the form:

Name: A descriptive name (e.g., "OLT-01-Karachi")
Vendor: Select ZTE, Huawei, or Fiberhome
Model: Select the specific model (e.g., C300, MA5800)
Management IP: The OLT's reachable IP address
SNMP Community: Read-only SNMP community string
SSH Username / Password: For configuration push operations
Site: Assign to a physical site

Click Save & Sync to save and immediately pull card/port data

OLT Detail Page

Click View on any OLT to see its detail page with tabs:

Tab	Contents
Overview	Status, uptime, last sync time, card inventory
PON Ports	All PON ports with ONU count and status per port
ONUs	All ONUs on this OLT (links to ONU detail)
Alarms	Active alarms associated with this OLT

Syncing an OLT

Click Sync on the OLT list or the Sync Now button on the detail page. This creates a background job that pulls the latest card, port, and ONU data from the device via SNMP. Watch the job progress on the Jobs page.

OLTs are automatically synced on a schedule. Manual sync is available for immediate updates after network changes.

Required Permissions

olts.view to view OLTs olts.manage to add, edit, sync, and delete OLTs

ONU Provisioning

ONUs (Optical Network Units) are the customer-premises devices. This section covers discovery, provisioning, and day-to-day management.

isp.mtbs.cloud / onus

ONU Devices

Serial Number	Customer	OLT / PON	RX Power	Profile	Status
ZTEG44218812	Ali Hassan	OLT-01 / PON2	-18.5 dBm	20Mbps-PPPoE	Provisioned
HWTC9A3B21F	Sara Ahmed	OLT-01 / PON3	-20.1 dBm	50Mbps-DHCP	Provisioned
ZTEG88AABB11	— Unassigned —	OLT-02 / PON1	-27.3 dBm	—	Discovered
FHTT1234ABCD	Zara Khan	OLT-04 / PON5	-19.8 dBm	10Mbps-PPPoE	Provisioned

ONU list — shows serial numbers, customer assignments, optical power (RX), service profile, and status. Unprovisioned (Discovered) ONUs show a Provision button.

ONU Discovery

When a customer plugs in a new ONU, it appears on the PON port as a "rogue" (unprovisioned) ONU.

Click Discover on the ONU list page
Select the OLT and the PON Port to scan
Click Discover Rogue ONUs
Any unprovisioned ONUs appear in the list with status Discovered

Provisioning an ONU

isp.mtbs.cloud / onus / provision

Provision ONU — ZTEG88AABB11

Customer Name

Ahmad Raza

Service Profile

20Mbps-PPPoE ▾

VLAN ID

100

WAN Mode

PPPoE ▾

PPPoE Username

ahmad@isp

PPPoE Password

••••••••

Cancel

Submit & Provision

ONU provisioning form — fill in customer details, service profile, VLAN, and WAN mode then submit. A background job handles the rest.

Provisioning Form Fields

Field	Required	Description
Customer Name	Yes	The subscriber's name for identification
Service Profile	Yes	The pre-configured bandwidth and QoS profile (e.g., 20Mbps-PPPoE)
VLAN ID	Yes	The service VLAN for this customer (1–4094)
WAN Mode	Yes	`pppoe`, `dhcp`, or `static`
PPPoE Username	If PPPoE	The username for the PPPoE session
PPPoE Password	If PPPoE	The password for the PPPoE session
ONU Index	Auto	Auto-assigned by the system from the OLT

ONU Actions

Reboot — Sends a reboot command to the ONU via the OLT. Takes effect in ~30 seconds.
Suspend — Blocks the ONU's service without removing its configuration.
Factory Reset — Resets the ONU to factory defaults and removes it from the OLT config.
Edit — Change the customer name, profile, or VLAN assignment.

Required Permissions

onus.view to view ONUs onus.manage to provision, reboot, suspend, and delete

Switch Management

The switch management module gives you complete visibility and control over your L2 and L3 switches via SNMP.

isp.mtbs.cloud / switches / 5

SW-05 — 10.10.5.1 Online

Ports

VLANs

MAC Table

ARP Table

Port	Description	Speed	Status	VLAN
Gi0/0/1	Uplink-Core	1G	Up	Trunk
Gi0/0/2	OLT-01	1G	Up	100
Gi0/0/3	AP-Rooftop	100M	Down	200
Gi0/0/4	— unused —	—	Down	1

Switch detail — Ports tab showing port list with status, speed, VLAN, and per-port shutdown/enable action. Tabs at top switch between Ports, VLANs, MAC Table, and ARP Table.

Switch Detail Tabs

Tab	Contents	Key Actions
Ports	All physical ports with status, speed, description, VLAN	Shutdown / Enable per port
VLANs	VLAN table: ID, name, status, tagged/untagged ports	View only
MAC Table	MAC address table: MAC, VLAN, port, type	View only, searchable
ARP Table	IP-to-MAC mappings (L3 switches only)	View only, searchable
Routes	Routing table (L3 switches only)	View only

Use Shutdown carefully. Shutting down an uplink port will disconnect all downstream devices. There is no confirmation prompt — the action is immediate.

Required Permissions

switches.view to view switches.manage to add, edit, and control ports

Alarms & Monitoring

The alarm system continuously monitors your network and generates alerts when conditions breach configured thresholds.

isp.mtbs.cloud / alarms

Active Alarms

CRITICAL 2

MAJOR 3

MINOR 2

Sev	Device	Message	Site	Time
CRIT	OLT-03	PON port 4 — all ONUs down	Lahore-Central	2 min ago
CRIT	OLT-03	Management reachability lost	Lahore-Central	3 min ago
MAJ	ONU ZTEG882	RX power -30.1 dBm (threshold -28)	Karachi-North	12 min ago
MAJ	SW-11	CPU utilisation 94% for 10+ min	Karachi-South	22 min ago

Alarms list — severity badges (CRIT / MAJ / MINOR / INFO), device, message, site, and time. ACK to acknowledge, Detail for full alarm view.

Alarm Severity Levels

Severity	Colour	Meaning	Typical Cause
Critical	Red	Service-affecting outage or complete failure	OLT unreachable, ONU offline for >10 min
Major	Orange	Degraded service; action required soon	High packet loss on uplink, SNMP timeout
Minor	Yellow	Performance degradation; monitor closely	Optical power near threshold
Info	Blue	Informational, no action required	ONU rebooted successfully

Alarm Workflow

!

Active (Unacknowledged)

The alarm is active and no one has looked at it yet. It appears at the top of the list and increments the sidebar alarm badge.

✓

Acknowledged

A NOC engineer clicked ACK, confirming they have seen the alarm and are investigating. The badge count decreases.

✓✓

Resolved

The engineer confirmed the issue is fixed. The alarm moves to the history view and is no longer counted as active.

Required Permissions

alarms.view to view alarms.manage to acknowledge, assign, and resolve

Billing & Finance

The billing module manages your customers, service packages, invoices, and payments all in one place.

isp.mtbs.cloud / billing

Billing Overview

PKR 842K

Revenue This Month

38

Unpaid Invoices

1,240

Active Customers

Recent Invoices

Invoice #	Customer	Package	Amount	Due Date	Status
INV-2410-001	Ali Hassan	20Mbps Home	PKR 2,500	Oct 31	Paid
INV-2410-002	Sara Ahmed	50Mbps Pro	PKR 4,500	Oct 31	Unpaid
INV-2410-003	Zara Khan	10Mbps Basic	PKR 1,200	Oct 31	Overdue

Billing dashboard — monthly revenue, unpaid invoice count, customer total. Invoice list with status badges (Paid / Unpaid / Overdue).

Billing Modules

Module	Description
Customers	All subscribers with contact info, active package, and billing history
Packages	Service tiers with name, speed, price, and billing cycle
Invoices	Monthly invoices auto-generated or manually created; downloadable PDF
Payments	Record payments received (cash, bank transfer, online); link to invoices
Reports	Revenue by month, overdue accounts, package distribution charts

Required Permissions

Only users with the Billing Manager role or ISP Admin role can access billing. The billing.view and billing.manage permissions control granular access within the module.

WireGuard VPN

The WireGuard module lets you manage VPN servers and peers directly from the web UI — useful for securing remote management access to your network equipment.

isp.mtbs.cloud / wireguard

WireGuard Servers & Peers

VPN-Server-01 · 10.8.0.1/24 · Port 51820 · Running

Peer Name	Allowed IPs	Last Handshake	Endpoint	Status
field-eng-01	10.8.0.2/32	2 min ago	203.x.x.10:54312	Connected
noc-laptop	10.8.0.3/32	15 min ago	202.x.x.44:49201	Connected
remote-backup	10.8.0.4/32	Never	—	Inactive

WireGuard page — server status bar at top, peer list with last handshake time and connection status. Config button generates the WireGuard config file or QR code for that peer.

Adding a Peer

Enter a peer name (e.g., "field-eng-john") and allowed IP (e.g., 10.8.0.10/32)
Enter a peer name (e.g., "field-eng-john") and allowed IP (e.g., 10.8.0.10/32)
The system generates a key pair and creates the peer config automatically
Click Download Config or Show QR Code to get the WireGuard config for the client device
Import the config into the WireGuard app on the client (mobile, laptop, or router)

Private keys are generated server-side and stored encrypted. The Config download gives the peer its private key — this is the only time the private key is shown. Store it securely.

Required Permissions

wireguard.view to view servers and peers wireguard.manage to add, edit, and remove peers

Sites & Devices

Sites are physical locations (data centres, exchange buildings, field cabinets). Devices are any network equipment at a site that doesn't have its own dedicated management module.

isp.mtbs.cloud / sites

Sites

Karachi-North

F.B Area Exchange

4 OLTs 8 Switches 12 Devices

Karachi-South

Korangi Industrial

2 OLTs 6 Switches 8 Devices

Lahore-Central

Gulberg Data Centre

6 OLTs 9 Switches 15 Devices

Lahore-East

DHA Hub

2 OLTs 4 Switches 6 Devices

Sites list — cards showing each site with location, OLT count, switch count, and total device inventory.

How to Use Sites

Create sites first, then assign OLTs and switches to them when adding those devices
Each site shows a summary of all equipment assigned to it
Alarms are tagged with site information for quick geographic triage

Required Permissions

sites.view to view sites devices.view to view devices devices.manage to manage

Users & Roles

Every person who uses MTBS ISP Cloud needs their own user account. Each account has exactly one Role. The role determines what pages the user can see and what actions they can perform.

ISP Admins manage users for their own ISP. Platform City Admins (MTBS staff) manage the ISP tenants themselves. The two hierarchies are completely separate.

Creating a User

Go to Users → Add User in the sidebar
Enter the person's First Name, Last Name, and Email address
Set a temporary Password — the person should change it on first login
Select the appropriate Role from the dropdown (see table below)
Click Create User
Share the email and temporary password with the person through a secure channel (not plain email)

Understanding Roles

A role is a named group of permissions. When you assign a role to a user, they automatically get all the permissions that role includes.

MTBS Platform Roles (MTBS Staff Only)

Role	Who Uses It	Key Access
Super Admin	MTBS engineering leads	Unrestricted access to everything across all tenants
Platform City Admin	MTBS city operations staff	Create & manage ISP tenants, users, billing in assigned city
Platform Finance Admin	MTBS finance team	Platform-level billing, invoices, payment records
Platform Tech Admin	MTBS network engineers	All technical modules — OLTs, ONUs, switches, WireGuard, OpenVPN, security, health
System Administrator	MTBS server/infra team	Operating system, database, services, but not billing or customer data
Database Administrator	MTBS DBA team	Database management, backups, query runner
DevOps SRE	MTBS DevOps engineers	Infrastructure, deployments, CI/CD pipelines
Complaint Centre Dev	MTBS support developers	Complaint and support ticketing system only

ISP Tenant Roles (Your Team)

Role	Who Uses It	Key Access
Tenant Admin (ISP Admin)	Your IT/ops lead	Everything within their tenant — full admin for their ISP
Manager	Department or operations manager	All modules within the tenant except system health and security
Sub-Manager	Team leads, shift supervisors	Same as Manager but cannot manage other users' accounts
Finance Assistant	Billing and accounts staff	Billing module only — view and record payments
Dealer	Reseller partners	Create customer accounts and record payments; cannot edit packages
Sub-Dealer	Sub-reseller partners	Create customers only; cannot touch payments or packages

Platform roles (Super Admin, City Admin, etc.) are for MTBS staff only and should never be assigned to ISP tenant staff. Only the ISP tenant roles (Tenant Admin through Sub-Dealer) should be used when managing your team.

Permission Reference

Behind the scenes, every role contains a set of permission slugs — short codes that unlock specific features. You don't manage slugs directly — you manage roles — but understanding them helps when reading the docs.

Permission Slug	Controls Access To
`dashboard.view`	Main dashboard page
`olts.view` / `olts.manage`	OLT list, detail, sync; add/edit/delete OLTs
`onus.view` / `onus.manage`	ONU list, discovery; provision, reboot, suspend, delete ONUs
`switches.view` / `switches.manage`	Switch list, ports, VLAN/MAC/ARP tables; port shutdown/enable
`alarms.view` / `alarms.manage`	Alarm list; acknowledge and resolve alarms
`sites.view` / `sites.manage`	Site list; add, edit, and delete sites
`devices.view` / `devices.manage`	Generic device list under sites; add, edit, delete
`wireguard.view` / `wireguard.manage`	WireGuard servers and peers; add, edit, delete peers, download configs
`openvpn.view` / `openvpn.manage`	OpenVPN servers and clients; create server, add/revoke clients
`billing.view` / `billing.manage`	Customers, invoices, payments, packages, revenue reports
`users.view` / `users.manage`	User list; add, edit, deactivate users within your tenant
`tenants.view` / `tenants.manage`	Tenant list and management (Platform City Admin only)
`inventory.view` / `inventory.manage`	Hardware inventory records; add, edit, retire equipment
`expenses.view` / `expenses.manage`	Operational expense records; add, categorise, export expenses
`audit.view`	Audit log — who did what and when (read-only by design)
`security.view` / `security.manage`	Security Dashboard; view checks; trigger SSL renewal
`system.health`	System Health page and Server Monitoring (start/stop services)
`jobs.view` / `jobs.manage`	Job queue; view job status, retry failed jobs

Tenant Management

Tenants are the top-level organisational unit — each ISP customer of MTBS is a separate tenant. Tenant management is only available to Platform-level roles.

ISP Admins and NOC Engineers do not see the tenant management section. It is only visible to Platform City Admin accounts.

Creating a New Tenant

Log in as a Platform City Admin
Go to Tenants → Add Tenant
Enter the ISP name, contact email, and plan details
Click Create Tenant
Go to Tenants → Add Tenant

Tenant Isolation Guarantee

All database queries are automatically scoped to the active tenant's ID
There is no way for a user in Tenant A to access Tenant B's data through the web UI or API
WireGuard peers are isolated per tenant
Billing data is isolated per tenant

Job Queue

Long-running operations (ONU provisioning, OLT sync, bulk operations, report generation) run as background jobs so the web interface stays responsive. You can monitor all jobs from the Job Queue page.

isp.mtbs.cloud / jobs

Background Jobs

Type	Description	Created By	Duration	Status
ONU Provision	Provision ZTEG88AABB11	noc@isp.com	8s	Completed
OLT Sync	Sync OLT-07 Karachi-South	System	running...	Running
Billing Report	October 2024 revenue report	billing@isp.com	—	Queued
ONU Reboot	Reboot HWTC9A3B21F	noc@isp.com	3s	Completed
OLT Sync	Sync OLT-03 Lahore-Central	System	12s	Failed

Job queue — all background jobs with type, description, who triggered it, duration, and status (Completed / Running / Queued / Failed).

Job Statuses

Status	Meaning
Queued	Job is waiting to be picked up by a worker
Running	Job is currently executing
Completed	Job finished successfully
Failed	Job encountered an error. Click to view the error message and stack trace. Failed jobs can be retried.

Retrying a Failed Job

Click on a Failed job to see the error detail. If the issue is transient (e.g., device temporarily unreachable), click Retry to re-queue the job. The system automatically retries jobs up to 3 times with exponential backoff before marking them as permanently failed.

Flutter Mobile App

The MTBS ISP Cloud mobile app for iOS and Android gives your field engineers and NOC staff full network management capability from anywhere. Built with Flutter for a native feel on both platforms.

MTBS

ISP Cloud

admin@isp.com

••••••••

Sign In

Login Screen

Sign in with your web credentials — same account across web and mobile.

MTBS ISP

48

OLTs

1.2K

ONUs

7

Alarms

312

Switches

ALARMS

OLT-03 port down

ONU signal weak

Dashboard Screen

Live KPI cards, alarm feed, and job status overview.

OLT Devices

OLT-01

ZTE C300

OLT-02

ZTE C680

OLT-03

Huawei MA5800

OLT-04

Fiberhome AN6000

OLT List Screen

Browse all OLTs, see status, tap for full detail and ONU list.

Active Alarms

OLT-03 port down

CRIT

ONU signal -30dBm

MAJ

SW-11 high CPU

MAJ

Peer reconnected

INFO

Acknowledge All

Alarm List Screen

View and acknowledge alarms from the field in seconds.

App Screens

Screen	What You Can Do
Login	Sign in with your web credentials (same email & password). Session persists with JWT refresh tokens.
Dashboard	Live KPI cards (OLTs, ONUs, Alarms, Switches), recent alarm feed, job queue summary
OLT List	Browse all OLTs, see online/offline status, tap to see ONU list and PON port breakdown
OLT Detail	Card inventory, PON port list with ONU counts, trigger a sync
ONU List	Filter by OLT, search by serial number or customer, see optical power levels
ONU Detail	Full ONU status, RX/TX power, reboot and suspend actions
Switch List	All switches with online/offline status, tap for detail
Switch Detail	4-tab view: Ports, VLANs, MAC Table, ARP Table. Port shutdown/enable from mobile.
Alarms	Full alarm list with severity filter, acknowledge from mobile
WireGuard	Peer list with last handshake time and connection status
Profile	Your user info, role, permissions list, change password, logout

Session & Security

JWT tokens are stored in Flutter Secure Storage (iOS Keychain / Android Keystore)
Access tokens refresh automatically in the background — no re-login required
If your session expires (e.g., device offline for 7+ days), you are redirected to the login screen
Logout clears all tokens from secure storage

API — Authentication

All API requests (except login) require a valid JWT access token in the Authorization header.

Base URL

https://isp.mtbs.cloud/api/v1

Login

POST /api/v1/auth/login Content-Type: application/json { "email": "admin@myisp.com", "password": "yourpassword" } → 200 OK { "data": { "user": { "id": 1, "name": "Admin", "email": "admin@myisp.com", "role": "isp_admin" }, "tokens": { "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." } } }

Using the Access Token

# Add to every API request Authorization: Bearer <access_token> Example: GET /api/v1/olts Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Refresh Token

POST /api/v1/auth/refresh Content-Type: application/json { "refresh_token": "eyJhbGci..." } → 200 OK { "data": { "access_token": "eyJhbGci...new...", "refresh_token": "eyJhbGci...new..." } }

Access tokens expire in 15 minutes. Refresh tokens expire in 7 days. Always implement token refresh in your integration — a 401 response means the access token has expired.

Get Current User

GET /api/v1/auth/me Authorization: Bearer <access_token> → Returns user profile, role, and permissions array

Change Password

POST /api/v1/auth/change-password Authorization: Bearer <access_token> { "current_password": "old", "new_password": "new", "confirm_password": "new" }

Error Responses

HTTP Status	Meaning
`401 Unauthorized`	Missing token, expired token, or invalid credentials
`403 Forbidden`	Valid token but insufficient permissions for this action
`422 Unprocessable`	Validation error — check the `errors` field in the response
`500 Server Error`	Unexpected server error — report to MTBS support

API — OLT Endpoints

GET/api/v1/oltsList all OLTs for your tenant. Returns id, name, vendor, model, ip, status, site_id, last_synced_at.

GET/api/v1/olts/{id}Full detail for one OLT including cards and PON port list.

POST/api/v1/oltsCreate a new OLT. Body: name, vendor, model, ip, snmp_community, ssh_username, ssh_password, site_id.

PUT/api/v1/olts/{id}Update OLT fields.

POST/api/v1/olts/{id}/syncTrigger a background sync job for this OLT. Returns job_id.

GET/api/v1/olts/{id}/onusList all ONUs on this OLT.

GET/api/v1/olts/{id}/cardsCard inventory for this OLT.

DELETE/api/v1/olts/{id}Delete OLT and all associated data. Requires olts.manage permission.

ONU Discovery & Provisioning

GET/api/v1/onusList all ONUs. Filter with ?olt_id=&status=&search= query params.

GET/api/v1/onus/{id}Full ONU detail: serial number, customer, profile, VLAN, RX/TX power, status.

POST/api/v1/onus/discoverDiscover rogue ONUs. Body: olt_id, pon_port. Returns list of unprovisioned serial numbers.

POST/api/v1/onus/provisionProvision an ONU. Body: olt_id, pon_port, onu_index, serial_number, service_profile, vlan_id, wan_mode, customer_name, pppoe_username, pppoe_password. Returns job_id.

POST/api/v1/onus/{id}/rebootReboot ONU via the OLT. Returns job_id.

POST/api/v1/onus/{id}/suspendSuspend ONU service.

DELETE/api/v1/onus/{id}Remove ONU from OLT and database.

API — Other Endpoints

Switches

GET/api/v1/switchesList all switches with status.

GET/api/v1/switches/{id}/portsPort list with status, speed, VLAN, description.

GET/api/v1/switches/{id}/vlansVLAN table for this switch.

GET/api/v1/switches/{id}/macsMAC address table (filterable by VLAN or port).

GET/api/v1/switches/{id}/arpsARP table for L3 switches.

POST/api/v1/switches/{id}/ports/{port}/shutdownShutdown a specific switch port. Immediate effect.

POST/api/v1/switches/{id}/ports/{port}/enableEnable a previously shutdown port.

Alarms

GET/api/v1/alarms/{id}Full alarm detail with history and assignment.

POST/api/v1/alarms/{id}/acknowledgeAcknowledge alarm. Body: note (optional string).

POST/api/v1/alarms/{id}/resolveMark alarm resolved. Body: resolution_note (optional string).

WireGuard

GET/api/v1/wireguard/serversList WireGuard servers and their status.

GET/api/v1/wireguard/peersList peers with last handshake and connection status.

POST/api/v1/wireguard/peersCreate peer. Body: name, server_id, allowed_ips. Returns config with private key.

DELETE/api/v1/wireguard/peers/{id}Delete peer and revoke its keys.

Sites & Devices

GET/api/v1/sitesList all sites with device counts.

GET/api/v1/devicesList all devices. Filter by site_id or type.

Notifications

GET/api/v1/notificationsList notifications for current user. Returns is_read boolean (from read_at timestamp), message, type, created_at.

POST/api/v1/notifications/{id}/readMark a notification as read.

POST/api/v1/notifications/read-allMark all notifications as read.

Jobs

GET/api/v1/jobsList jobs for tenant. Filter by status, type.

GET/api/v1/jobs/{id}Job detail including error message and stack trace for failed jobs.

POST/api/v1/jobs/{id}/retryRe-queue a failed job.

OpenVPN

OpenVPN is a VPN (Virtual Private Network) technology that creates an encrypted tunnel between your team members' devices and your ISP management network. This allows field engineers, NOC staff, and administrators to securely access internal systems from anywhere.

OpenVPN vs WireGuard: Both are VPN technologies. WireGuard is modern, very fast, and ideal for field engineers needing constant low-latency connectivity. OpenVPN is older but extremely well supported — many corporate firewalls block WireGuard (UDP) but allow OpenVPN (which can run over TCP port 443). Use OpenVPN when your team connects from restrictive networks (hotels, mobile data, corporate Wi-Fi).

OpenVPN Servers

An OpenVPN Server is the central endpoint your clients connect to. You will typically have one server per city or data centre.

isp.mtbs.cloud / openvpn

OpenVPN Servers

Server Name	IP / Port	Protocol	VPN Subnet	Clients	Status
KHI-VPN-01	203.0.113.10 : 1194	UDP	10.200.0.0/24	8 / 50	Running
LHR-VPN-01	203.0.113.20 : 443	TCP	10.201.0.0/24	4 / 50	Running
ISB-VPN-01	203.0.113.30 : 1194	UDP	10.202.0.0/24	0 / 50	Stopped

OpenVPN server list — each server shows its public IP, port, protocol (UDP or TCP), the VPN subnet it uses, how many clients are connected out of the maximum, and current status.

Adding a Server

Click Add Server on the OpenVPN page
Fill in the form:

Name — A descriptive label (e.g., "KHI-VPN-01")
Public IP — The server's public internet IP address that clients will connect to
Port — Typically 1194 (default) or 443 (to bypass firewalls)
Protocol — UDP (faster) or TCP (more reliable through strict firewalls)
VPN Subnet — The IP range for VPN clients (e.g., 10.200.0.0/24). Must not overlap with your management network.
DNS Server — Optional internal DNS to push to clients (e.g., your management network DNS)

Click Save Server
The system generates the OpenVPN server configuration and CA certificate automatically

The OpenVPN server software (openvpn package) must already be installed on the server where MTBS ISP Cloud is hosted. The web interface manages the configuration files but does not install the OpenVPN binary. Run sudo apt install openvpn on the server before adding your first VPN server.

OpenVPN Clients

A "client" in OpenVPN terms is one device (or one person) that connects to the VPN server. You create a client config for each person or device that needs VPN access.

isp.mtbs.cloud / openvpn / 1 / clients

KHI-VPN-01 — Clients

Client Name	VPN IP	Common Name (CN)	Connected	Last Seen	Status
field-eng-ali	10.200.0.2	field-eng-ali	Yes	now	Active
noc-laptop-01	10.200.0.3	noc-laptop-01	No	2h ago	Active
remote-script	10.200.0.4	remote-script	No	3 days ago	Active
ex-staff-sara	10.200.0.5	ex-staff-sara	No	14 days ago	Revoked

Client list — shows each client name, their assigned VPN IP, whether they are currently connected, when they last connected, and whether their certificate is Active or Revoked. Download gives the .ovpn file; Revoke immediately blocks that client.

Adding a Client (Creating a VPN Config for a Staff Member)

Click Clients next to the appropriate server on the server list
Click Add Client
Enter a Client Name — use a descriptive slug (e.g., "field-eng-john", "noc-laptop-01"). No spaces.
Optionally enter a Static IP from the VPN subnet if you need the person to always get the same IP (useful for firewall rules)
Click Create Client
The system generates a unique certificate and builds the .ovpn configuration file automatically
Click Download to get the .ovpn file and send it to the staff member

Installing the Client Config (Staff Member's Steps)

Windows / macOS / Linux: Install the free OpenVPN Community Client, import the .ovpn file, and connect
iOS / Android: Install OpenVPN Connect from the App Store / Play Store, tap the + button, import the .ovpn file
Linux CLI: sudo openvpn --config staff-member.ovpn

Server Health Page

Click Health next to any server to see real-time statistics: connected client count, bytes sent/received, uptime.

Revoking a Client (When Someone Leaves)

When a staff member leaves or a device is lost, click Revoke next to their client. This immediately adds their certificate to the CRL and they cannot reconnect.

Good practice: Create one client per person (never share a config between people). This way you can revoke individually without affecting others, and you get accurate per-client connection logs.

Required Permissions

Use openvpn.view to view servers and clients openvpn.manage to create servers, add/revoke clients

Security Dashboard

The Security Dashboard is a single page that gives you an instant overview of how secure your server is. It runs 12 automated checks and produces a security score.

You do not need to be a security expert to use this page. Each check has a plain-language explanation of what it is checking and what to do if it fails.

isp.mtbs.cloud / security

Security Dashboard

83

Security Score

GOOD

10

Passing

1

Warning

1

Failing

SSL Certificate

UFW Firewall

Fail2Ban

SSH Root Login

PHP display_errors

Disk Space

File Permissions

CSP Header

MySQL Remote Access

Unattended Upgrades

Rate Limiting

.env File Access

Security Dashboard — score card on the left (83/100, GOOD) with pass/warn/fail counts. Below are 12 check cards. Green = passing, amber = warning, red = failing.

Understanding the Score

Score Range	Rating	What It Means
90 – 100	Excellent	Almost everything is correctly configured. Fix any remaining issues as time permits.
70 – 89	Good	Most checks are passing. Address warning and failed checks at your earliest opportunity.
50 – 69	Fair	Several security items need attention. Schedule fixes within the next two weeks.
Below 50	Poor	The server has significant security gaps. Address critical items immediately.

The 12 Security Checks — Explained Simply

Check	What It Checks	What to Do If It Fails
SSL Certificate	Checks that your website has a valid HTTPS certificate (the padlock icon in the browser address bar).
UFW Firewall	Checks that the Ubuntu Uncomplicated Firewall (UFW) is enabled and running. Without a firewall all server ports are publicly accessible.
Fail2Ban	Checks that fail2ban is installed and active. Fail2ban monitors your SSH and web server logs and automatically blocks IPs that repeatedly fail authentication.
SSH Root Login Disabled	Checks that the root user cannot directly log into the server via SSH. Disabling root login forces attackers to know both a valid username and password.
PHP display_errors Off	Checks that PHP is not showing error messages to website visitors. Error messages can reveal server paths, database names, and code structure.
Disk Space	Available disk space on the root filesystem	Low disk space causes database write failures and log rotation issues
File Permissions	Checks that critical application files (like the `.env` config file) are not world-readable or world-writable.
Content Security Policy (CSP)	Checks that the application sends a `Content-Security-Policy` header. CSP prevents cross-site scripting (XSS) attacks.
MySQL Remote Access Disabled	Checks that your MySQL database is not listening on a public network interface. Your database should only be accessible from localhost.
Unattended Upgrades	Checks that Ubuntu's automatic security update service is enabled. Security patches are released regularly and auto-updates ensure you are always protected.
API Rate Limiting	Checks that your API has rate limiting configured to prevent abuse. Without rate limiting, automated scripts could hammer your API.
.env File Not Publicly Accessible	Checks that the `.env` configuration file (which contains database credentials and secret keys) is not publicly accessible via your web server.

Renewing Your SSL Certificate

SSL certificates expire every 90 days (when using Let's Encrypt, the most common free provider). The Security Dashboard shows the days remaining.

Click Renew SSL (only visible to users with security.manage permission)
A confirmation modal appears explaining that certbot will be run and Apache will need a manual reload
Click Proceed
The system runs sudo certbot renew on the server
After it completes, reload Apache: SSH in and run sudo systemctl reload apache2

SSL renewal requires that your domain DNS points to the server and that port 80 (HTTP) is open in the firewall. Certbot verifies domain ownership by serving a challenge file over plain HTTP.

Required Permissions

Use security.view to view the Security Dashboard and all 12 check results security.manage to trigger SSL renewal

System & Health

The System section gives platform administrators (MTBS staff) visibility into the server's health and the ability to manage running services.

System Health Page

The System Health page shows the current status of the core infrastructure components that MTBS ISP Cloud depends on. Each component is checked automatically every few minutes.

isp.mtbs.cloud / system / health

System Health

Database

MySQL 8.4 — 12ms response

Disk Space

74% used — 26% free

Job Worker

Running — 3 jobs/min

SNMP Poller

Running — 48 OLTs

PHP Version

PHP 8.3.10

Cron Jobs

5 tasks scheduled

Server Services

Service	Status	Memory
Apache 2	Active	148 MB
MySQL 8.4	Active	512 MB
OpenVPN	Stopped	—

System Health page — six component status cards at the top (database, disk, job worker, SNMP poller, PHP version, cron). Below is the server services table with start/stop/restart controls.

Health Checks Explained

Component	What It Monitors	Impact If Unhealthy
Database	MySQL connectivity and response time	If the database is down, the entire application is unavailable
Disk Space	Available disk space on the root filesystem	Low disk space causes database write failures and log rotation issues
Job Worker	Whether the background job worker process is running	If stopped, no OLT syncs, ONU provisioning, or billing jobs will run
SNMP Poller	Whether the scheduled SNMP polling service is running and how many OLTs it is monitoring	—
PHP Version	Confirms PHP 8.3+ is running (required for the application)	Older PHP versions cause application errors and security vulnerabilities
Cron Jobs	Whether the cron tasks are scheduled (billing auto-generation, certificate expiry checks)	—

Managing Server Services

The Services sub-page lists the key Linux services that power the platform. From here you can Start, Stop, and Restart individual services.

Apache needs restarting after a configuration change (e.g., SSL renewal)
The OpenVPN service needs to be started after adding a new server
The job worker process has stalled and needs restarting

Stopping MySQL or Apache from this page takes the entire application offline for all users. Only do this during a planned maintenance window. Always Restart rather than Stop unless you specifically need to take the service offline.

API Keys

API Keys allow external systems (scripts, monitoring tools, third-party integrations) to authenticate with the MTBS ISP Cloud REST API without using a username and password.

Creating an API Key

Go to System → API Keys
Click Create API Key
Enter a Name for the key (e.g., "Zabbix Integration", "Billing Export Script")
Select the User account whose permissions the key will inherit
Optionally set an Expiry Date for the key
Click Generate
Copy the key immediately — it is only shown once and cannot be retrieved again

Use API keys for scripts and automation rather than using your personal credentials. If a script is compromised, you can revoke its API key without affecting your own login. Create a dedicated low-privilege service user account (e.g., role: Viewer) for scripts that only need to read data.

Required Permissions

system.health to view System Health, manage services, and manage API keys

Audit Logs

The Audit Log is a chronological record of every significant action taken in the system — who did it, what they did, when they did it, and from where.

Audit logs are essential for:

Security investigations — If something was deleted or changed without authorisation, the audit log tells you who, what, and when
Compliance — Many regulatory frameworks (ISO 27001, PCI-DSS, local telecom regulations) require that you keep records of who accessed what
Troubleshooting — If a device was accidentally misconfigured, the audit log shows which user made the change
Staff accountability — Knowing that actions are logged encourages responsible use of admin access

isp.mtbs.cloud / audit

Audit Log

Time	User	Role	Action	Resource	Details	IP Address
12:41:03	ali.hassan	NOC Engineer	CREATE	ONU	Provisioned ZTEG88AABB11 on OLT-01/PON2	10.8.0.2
12:38:17	admin	ISP Admin	UPDATE	User	Changed role of sara.ahmed to Billing Manager	203.x.x.10
12:30:55	billing.team	Finance Asst.	UPDATE	Invoice	Marked INV-2410-002 as Paid (PKR 4,500)	10.8.0.5
12:15:22	admin	ISP Admin	DELETE	VPN Client	Revoked OpenVPN client ex-staff-sara on KHI-VPN-01	203.x.x.10
11:52:08	noc.ops	NOC Engineer	ACTION	ONU	Rebooted ONU HWTC9A3B21F (customer: Sara Ahmed)	10.8.0.3

Audit Log — every entry shows timestamp, the user who acted, their role, the action type (CREATE / UPDATE / DELETE / ACTION), what resource was affected, a human-readable description, and the user's IP address at the time.

Understanding Each Column

Column	What It Tells You
Time	Time
User	User
Role	Role
Action	Action column values: CREATE — a new record was created; UPDATE — an existing record was modified; DELETE — a record was removed; LOGIN/LOGOUT — authentication events
Resource	Resource
Details	Details
IP Address	The IP address the request came from — useful for identifying whether the action came from the office, a remote worker, or an unexpected location

Filtering the Audit Log

The audit log can be filtered by:

Date range — view logs from a specific period
User — see all actions performed by a specific person
Action type — filter to only show DELETEs (useful for investigating accidental deletions)
Resource type — e.g., show only ONU-related events

Exporting Logs

Click Export CSV to download the current filtered view as a CSV file. This is useful for submitting to compliance auditors or doing offline analysis.

Audit logs are retained for 12 months by default. Contact MTBS support if you need a longer retention period for compliance purposes.

Required Permissions

audit.view to view and export audit logs (read-only — no write permission exists by design)

By default this permission is granted to: Tenant Admin (ISP Admin), Platform City Admin, System Administrator, and DevOps SRE roles.

Manage Your Entire NetworkFrom One Platform

Built for Modern ISPs

OLT Management

ONU Provisioning

Switch Management

WireGuard VPN

Sites & Devices

Alarm Management

Billing & Finance

Background Job Queue

RBAC & Multi-Tenancy

Up and Running in Minutes

Create Your Tenant Account

Add Your OLTs & Devices

Provision Your ONUs

Set Up Billing

Manage from Web & Mobile

API-First Architecture

Take Control of YourISP Network Today

MTBS ISP Cloud

What Is MTBS ISP Cloud?

Platform Architecture

Key Concepts

Platform Stages — How to Use the Software

Quick Start Guide

Step 1 — Tenant Account Setup

Contact MTBS to create your tenant

Log in as ISP Admin

Change your password

Step 2 — Add Your Infrastructure

Create Sites

Add OLTs

Add Switches

Step 3 — Provision Your First ONU

Run ONU Discovery

Provision the ONU

Verify the Job

Step 4 — Set Up Your Team

Invite users

Configure alarm rules

Install the mobile app

Logging In

Login Process

Forgot Password

Security Notes

Dashboard

Dashboard Sections

NOC Dashboard

OLT Management

Adding an OLT

OLT Detail Page

Syncing an OLT

Required Permissions

ONU Provisioning

ONU Discovery

Provisioning an ONU

Provisioning Form Fields

ONU Actions

Required Permissions

Switch Management

Switch Detail Tabs

Required Permissions

Alarms & Monitoring

Alarm Severity Levels

Alarm Workflow

Active (Unacknowledged)

Acknowledged

Resolved

Required Permissions

Billing & Finance

Billing Modules

Required Permissions

WireGuard VPN

Adding a Peer

Required Permissions

Sites & Devices

How to Use Sites

Required Permissions

Users & Roles

Creating a User

Manage Your Entire Network
From One Platform

Take Control of Your
ISP Network Today