iDesk NetManager

Internet Access & Voucher Management

◆ iDeskHubs.com

First-Time Setup

No admin account exists yet. Create one to get started.

v3.0.0
Sites: 0 | Active Vouchers: 0 | Unused Vouchers: 0 | Data Used (Total): 0 GB

Sync Health

Online (≤10m): – | Stale (10–60m): – | Offline (>60m): –

Network Overview

Recent Voucher Activity

No recent activity

Code Site Usage Status Assigned Created Expires Last Sync Actions

Daily Data Consumption

Select a site or view all sites to load daily consumption data.

Per-Voucher Daily Breakdown

Site Management

🌐 Each site has its own internet plan. Users get data access via the voucher system. Equipment on management LAN (192.168.88.x) bypasses the voucher system.

Usage Analytics

Total Data Used: 0 GB | Starlink 1TB Used: 0% | Total Vouchers: 0 | Avg Usage per Voucher: 0%

📊 Usage by Site

🏆 Top Data Consumers

# Voucher Code Site Assigned To Used (GB) Quota (GB) Usage % Status

📋 Voucher Status Distribution

Cycle Reset History

⚠️ Cycle Reset will expire all active/unused vouchers for the selected site and generate fresh vouchers. Use this when starting a new billing cycle.
Site Location Date Expired Data Used New Vouchers

User Management

🔒 Role-Based Access: Admin — full access to all sites, configuration, and user management. User — can only view/manage vouchers for assigned sites.
Username Display Name Role Company Assigned Sites Status Last Login Actions

Deployment Guide & Reference

New Site Deployment

⚠️ RouterOS 7.13+ — Unlock Device-Mode FIRST (RB4011)
Fresh installations of RouterOS 7.13 and above lock hotspot, fetch, and scheduler by default. Without unlocking these, the captive portal won't work, fleet-sync will fail, and the scheduler cannot be added. This must be done before importing the config file — it requires physical access to the router.

Step 1: Connect to the router terminal (WinBox → New Terminal) and run:
/system/device-mode/update scheduler=yes fetch=yes hotspot=yes

Step 2: A countdown appears. Immediately press the MODE/RES button on the front of the RB4011 once (use a pin/paperclip — it is a small recessed button). The router will reboot automatically.

Step 3: After reboot, verify:
/system/device-mode/print
Must show scheduler: yes, fetch: yes, hotspot: yes.

✅ This is a one-time operation per router. It persists across reboots.
✅ Deployment steps (after device-mode is unlocked):
1. Factory reset router (hold reset 5s)
2. Upgrade to RouterOS 7.16+ (required for User Manager)
3. Install User Manager package: run /system resource print on the router to find your exact RouterOS version and architecture (e.g. 7.22.1, arm). Go to mikrotik.com/download/archive → select your version → download "Extra packages" for your architecture → extract user-manager-<version>-<arch>.npk. Version AND architecture must match exactly or the package is silently discarded on reboot. Upload via WinBox → Files → Reboot
4. After reboot, verify: /user-manager print (should show "enabled: no")
5. Unlock device-mode as described above (orange box) — do this before importing the config
6. Connect laptop to ether2, Starlink to ether1
7. Open WinBox → connect to 192.168.88.1
8. On this dashboard: Sites → Add Site (auto-creates 30GB + 40GB profiles)
9. Click 🔗 Sync Key on the site card to generate the API key
10. (Optional) Click Manage in site detail → Profiles to add/remove quota tiers
11. Click 📥 Config on the site card — downloads an .rsc with all profiles + API key baked in
12. Load the config into MikroTik (use /import — do NOT paste):
    a. Open WinBox → Files
    b. Drag the downloaded .rsc file from your computer into the WinBox Files window
    c. Open WinBox → New Terminal and run: /import file-name=filename.rsc (replace with actual filename)
    d. Wait for it to finish — you will see each command echoed
    ⚠️ Do NOT paste the script into the terminal. WinBox terminal silently truncates long pastes, which causes the fleet-sync script (~130 lines at the end of the file) to be cut off. The /import method reads the file from disk and has no character limit.
13. After import, set RADIUS: /radius set 0 require-message-auth=no
14. Verify: /system script print (must show "fleet-sync"), then /system script run fleet-sync and /log print where message~"FleetSync"
15. Upload custom login page: drag login.html and logo into the router's hotspot/ folder via WinBox Files
16. (If using U7 Pro AP) Set up the UniFi AP — see the UniFi U7 Pro Setup section below
17. Go to Vouchers → Generate, pick the site & profile — vouchers auto-provision within 5 min
Router: MikroTik RB4011iGS+5HacQ2HnD | RouterOS 7.16+
Management: ether2-5 (192.168.88.x, unrestricted, no voucher)
Guest: ether6-10 + WiFi → VLAN 10, voucher required via boat.wifi
Profiles: Configured per-site (default: 30GB + 40GB, 30-day) | FastTrack disabled
Sync: Every 5 min, single HTTP round-trip, auto-provisioning
🔗 MikroTik Downloads (User Manager .npk)

Network Architecture

  Starlink Dish (1TB Marine) → ether1 (WAN)
           │
  MikroTik RB4011 (VLAN Filtering ON)
           │
  ├── Management (VLAN 1) ─ ether2-5
  │   192.168.88.0/24 │ No voucher
  │   Equipment, Admin, GPS, CCTV
  │
  └── Guest Hotspot (VLAN 10) ─ ether6-10 + WiFi
      10.0.0.0/24 │ boat.wifi │ dns-server=10.0.0.1
      Open WiFi → Voucher Login (multiple quota tiers)
      User Manager + RADIUS + Fleet Sync (5min)
           │
           └── ether6 → PoE → UniFi U7 Pro (Bridge Mode)
               Same SSID │ Open │ No DHCP │ No Guest Portal
               Hotspot IP binding: bypass AP by MAC address

MikroTik Quick Commands

Run sync: /system script run fleet-sync
Sync log: /log print where message~"FleetSync"
Hotspot users: /ip hotspot active print
Voucher users: /user-manager user print
RADIUS / VLAN: /radius print   /interface bridge vlan print
Import config file: /import file-name=vessel-config.rsc
Bypass AP (hotspot): /ip hotspot ip-binding add mac-address=AA:BB:CC:DD:EE:FF type=bypassed comment="U7 Pro AP"
Bypass TP-Link AP: /ip hotspot ip-binding add mac-address=AA:BB:CC:DD:EE:FF type=bypassed comment="TP-Link AP"
Device-mode unlock: /system/device-mode/update scheduler=yes fetch=yes hotspot=yes (then press MODE button)
RADIUS fix: /radius set 0 require-message-auth=no
Factory reset: Hold reset 5+ sec. Vouchers survive reset.

Troubleshooting

RADIUS not responding:
1. Run /user-manager print → check enabled: yes.
2. Run /user-manager/router/print → should not show X-DISABLED.
3. Check shared secret matches: remove and re-add with /user-manager/router/remove 0 then /user-manager/router/add address=127.0.0.1 name="vessel-router" shared-secret=fleet2026.
4. Run /radius set 0 require-message-auth=no secret=fleet2026
Sync POST failed: Caused by device-mode fetch: no. Run /system/device-mode/print and check. Fix: /system/device-mode/update fetch=yes scheduler=yes hotspot=yes + press MODE button.
Script I-INVALID: Script source corruption from /import on RouterOS 7.x. The sync still runs despite this flag once device-mode is correct. Cosmetic only.
Scheduler blocked: Device-mode restriction. Run /system/device-mode/update scheduler=yes fetch=yes hotspot=yes and press the physical MODE button on the RB4011.

UniFi U7 Pro AP Setup

📡 Overview: The U7 Pro extends WiFi coverage (e.g. to cabins/galley). It connects to ether6 (Guest VLAN 10) via PoE and must operate as a transparent bridge — all authentication, DHCP, and routing are handled by the MikroTik.
⚠️ Prerequisites: The MikroTik config must be fully loaded first (hotspot, VLAN 10, DHCP on 10.0.0.x). You need the UniFi controller software installed on your laptop.
✅ Step 1 — MikroTik: Bypass the AP in hotspot
The AP needs unrestricted network access (no captive portal). On the MikroTik terminal, add a hotspot IP binding using the AP's MAC address:
/ip hotspot ip-binding add mac-address=AA:BB:CC:DD:EE:FF type=bypassed comment="U7 Pro AP"
Replace AA:BB:CC:DD:EE:FF with the actual MAC (printed on the AP label or found via UniFi controller).
✅ Step 2 — Connect laptop to a guest port for adoption
Your laptop (with UniFi controller) must be on the same network as the AP.
1. Plug your laptop into ether7, 8, 9, or 10 (any guest port, same VLAN as the AP on ether6)
2. Also bypass your laptop temporarily: /ip hotspot ip-binding add address=YOUR_LAPTOP_IP type=bypassed comment="Temp laptop"
3. Open the UniFi controller — the AP should appear in the device list
✅ Step 3 — Adopt the AP
1. If the AP was previously managed, factory reset it first (hold reset button ~10 sec until LED changes)
2. Click Adopt in the UniFi controller and wait 1-2 minutes for provisioning
3. The AP should show status "Up to date" with a GbE uplink
✅ Step 4 — Create WiFi network
Go to Settings → WiFi → Create New and configure:
• Name (SSID): Same as MikroTik hotspot WiFi (e.g. "MV D8")
• Security: Open / None (under Advanced → Manual to find this option)
• Network: Native Network (default)
• Application: Standard (do NOT select "Hotspot" — that enables UniFi's portal which conflicts with MikroTik)
• Radio Band: Enable 2.4 GHz, 5 GHz, and 6 GHz
• VLAN: Leave empty / untagged (MikroTik assigns VLAN at port level)
✅ Step 5 — Verify network settings
Go to Settings → Networks and confirm:
• Router type shows "Third-party Gateway"
• DHCP server is disabled (MikroTik handles DHCP)
• Guest Portal is OFF everywhere in UniFi settings
✅ Step 6 — Test and clean up
1. Connect a phone to the WiFi SSID
2. Confirm it gets a 10.0.0.x IP address
3. Browser should redirect to boat.wifi captive portal
4. Enter a voucher code — internet should work
5. Move laptop back to a management port (ether2-5)
6. Remove ALL temp laptop/IP bypasses, keep only MAC-based AP bypasses (see cleanup section below)
7. Keep the AP MAC bypass — it must remain permanent
🔧 Troubleshooting: AP Stuck at "Adopting"
If the U7 Pro shows "Adopting" in the UniFi controller for more than 5 minutes after a factory reset, the AP has lost the controller's address and needs to be told manually.

Step 1 — Verify the AP is reachable. From the laptop (on the guest network), open Command Prompt:
ping <AP_IP>   (e.g. ping 10.0.0.249)

Step 2 — SSH into the AP and set the inform URL manually:
ssh ubnt@<AP_IP>   (default password after reset: ubnt)
Once logged in, run:
set-inform http://<LAPTOP_IP>:8080/inform
Replace <LAPTOP_IP> with the laptop's current IP on the 10.0.0.x subnet (check with ipconfig).

Step 3 — Wait 1–2 minutes. Status should change to "Provisioning" then "Connected". If it reverts, run set-inform again — UniFi sometimes requires it twice.

Step 4 — If SSH is refused: Add temporary firewall pass-through rules on the MikroTik terminal:
/ip firewall filter add chain=forward action=accept src-address=<AP_IP> place-before=0 comment="Temp AP adopt"
/ip firewall filter add chain=forward action=accept dst-address=<AP_IP> place-before=0 comment="Temp AP adopt"
After adoption completes, remove them:
/ip firewall filter remove [find comment="Temp AP adopt"]
🧹 Cleanup: Remove all temporary IP bindings
During adoption, you add temporary IP bypasses for laptops. These should be removed once done. The correct permanent bypasses are MAC-address based (for the U7 Pro and TP-Link) and should never be removed.

Remove all IP-only (temporary) bypasses — keeps MAC bypasses intact:
/ip hotspot ip-binding remove [find type=bypassed and mac-address=""]

This safely removes entries like "Temp laptop", "Temp Laptop2" etc. while preserving the U7 Pro MAC bypass (84:78:...) and TP-Link MAC bypass.

Verify what remains:
/ip hotspot ip-binding print

You should only see MAC-address based entries. If any old IP entries remain with wrong comments, remove by comment:
/ip hotspot ip-binding remove [find comment~"Temp"]

Sync Key Migration (URL → Header)

🔐 The web backend now accepts the vessel sync API key in an X-Vessel-Key HTTP header instead of in the URL/body. This stops the key from leaking into web-server access logs and proxy logs. The legacy transport still works (dual-support), so nothing breaks until you proactively roll out the new script.

To upgrade a vessel: download fleet-sync-header-key.rsc, fill in PASTE_YOUR_API_KEY + PASTE_YOUR_VESSEL_ID + PASTE_YOUR_VESSEL_NAME, upload to the router, then run /import file-name=fleet-sync-header-key.rsc verbose=yes. Within 5 minutes the vessel will appear as migrated below.
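
The log exposure that the header migration removes can be audited after the fact. The Python below is an added example, not part of NetManager or its sync script: it scans combined-format access log lines for sync keys carried in the request URL, reports which vessels' keys were exposed (by fingerprint, for rotation), and redacts the key in the log text. The endpoint path /api/sync and the parameter names api_key, key and vessel_id are assumptions; the page does not give the legacy names.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed (hypothetical) legacy query parameter names; the page does not list them.
KEY_PARAMS = {"api_key", "key"}
VESSEL_PARAM = "vessel_id"
# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fingerprint(key: str) -> str:
    """Short SHA-256 fingerprint, so the report never repeats the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def audit_access_log(lines):
    """Return (exposed, redacted): vessel id -> key fingerprints, and the scrubbed log."""
    exposed, redacted = {}, []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            params = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
            vessel = next((v for k, v in params if k.lower() == VESSEL_PARAM), "unknown")
            for name, value in params:
                if name.lower() in KEY_PARAMS and value:
                    exposed.setdefault(vessel, set()).add(fingerprint(value))
                    # Replace the raw value wherever this parameter appears in the line.
                    line = re.sub(
                        r"(?i)([?&]%s=)[^&\s\"]*" % re.escape(name),
                        lambda mm: mm.group(1) + "REDACTED:" + fingerprint(value),
                        line,
                    )
        redacted.append(line)
    return exposed, redacted


# Constructed sample log lines (not taken from any real deployment).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2026:10:00:01 +0000] "POST /api/sync?vessel_id=v-101&api_key=k3y-AAAA HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [02/Mar/2026:10:00:03 +0000] "POST /api/sync HTTP/1.1" 200 498 "-" "-"',
    '203.0.113.7 - - [02/Mar/2026:10:05:01 +0000] "POST /api/sync?vessel_id=v-101&api_key=k3y-AAAA HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    exposed, redacted = audit_access_log(SAMPLE_LOG)
    for vessel, prints in sorted(exposed.items()):
        print(f"{vessel}: rotate key(s) with fingerprint {sorted(prints)}")
```

A key that shows up in this report has already been written to disk in clear text, so migrating the vessel to the header transport should be followed by generating a new sync key for it.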
Header (24h): – | Legacy (24h): – | Unknown (24h): –
Vessel Status Last Transport Header / Legacy / Unknown (24h) Last Sync

© 2025-2026 iDesk NetManager v3.0

🎫 Generate Vouchers

💡 Vouchers are created in the web app. After generating, the sync script on the MikroTik router will automatically create matching User Manager accounts.

🔄 Cycle Reset

Recycle Mode: All active/unused/exhausted/expired vouchers for this site will be reset to 0 GB used and reactivated with their existing profiles. No data is lost — codes stay the same.
Warning: This will expire ALL active and unused vouchers for the selected site and generate new ones. This action cannot be undone.

🏢 Add New Site

💡 After adding a site, generate a sync key and configure the MikroTik sync script to enable live router monitoring.

Site Profiles

💡 Profiles map quota tiers to MikroTik User Manager. The sync script auto-matches voucher quota to the right profile. After adding a new profile here, re-download the site config (.rsc) to include it on the router.
