https://github.com/itconnectge/netfleet
Open-source multi-vendor network fleet management for MSPs — MikroTik today, FortiGate/Cisco next.
docker fastapi mikrotik mikrotik-api msp network-management nextjs open-source rbac routeros self-hosted
- Host: GitHub
- URL: https://github.com/itconnectge/netfleet
- Owner: ITConnectGE
- License: apache-2.0
- Created: 2026-05-26T20:21:31.000Z (17 days ago)
- Default Branch: main
- Last Pushed: 2026-05-27T00:46:49.000Z (17 days ago)
- Last Synced: 2026-05-27T01:02:00.245Z (17 days ago)
- Topics: docker, fastapi, mikrotik, mikrotik-api, msp, network-management, nextjs, open-source, rbac, routeros, self-hosted
- Language: Python
- Homepage: https://itconnectge.ge
- Size: 267 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Roadmap: docs/ROADMAP.md
README

# NetFleet
### Multi-vendor network fleet management for MSPs
**Open-source, self-hosted central management** for your routers, firewalls and edge
devices — with granular RBAC, delegated IT-support access, real-time monitoring,
in-app updates, and one-command Ubuntu install.
> **Shipping now**: MikroTik RouterOS driver.
> **Roadmap**: FortiGate · Cisco IOS-XE · Ubiquiti UISP · Aruba · MIST.
[**Why NetFleet?**](#-why-netfleet) · [**Quick Start**](#-quick-start) · [**Features**](#-features) · [**Architecture**](#-architecture) · [**Roadmap**](#-roadmap) · [**Docs**](docs/)
*An open-source project by* **[ITConnectGE](https://itconnectge.ge)** — built by MSP engineers, for MSP engineers.
---
## 🎯 The Problem
If you run an IT outsourcing company, you probably manage **dozens to hundreds of network
devices across many client sites**, often from **multiple vendors** — MikroTik routers
at one client, FortiGate firewalls at another, a stray Cisco somewhere.
The tools you have all fall short:
- **WinBox / WebFig / FortiGate GUI / etc.** = one device at a time. Vendor silos.
- **The Dude / FortiManager / Cisco Prime** = vendor-locked. You need N tools.
- **Zabbix / LibreNMS** = monitoring only — you still SSH in to make changes.
- **Splynx / UISP** = ISP-billing platforms, not MSP fleet management.
- **Ansible / Salt** = great for engineers, terrible for L1 support staff.
**None of them let you say:**
> *"Junior support engineer Nika can read DHCP leases and edit NAT rules — only on
> Client A's MikroTik routers and Client B's FortiGate — and every action is logged."*
That's what **NetFleet** does.
## ✨ Why NetFleet?
| | The Dude | Splynx | Zabbix | UISP | FortiManager | **NetFleet** |
|---------------------------------------|:---:|:---:|:---:|:---:|:---:|:---:|
| **Multi-vendor** central management | ❌ | ⚠️ | ⚠️ | ❌ | ❌ | ✅ |
| Central read **and write** management | ⚠️ | ✅ | ❌ | ❌ | ✅ | ✅ |
| **Per-section** RBAC (DHCP / NAT / FW …) | ❌ | ❌ | ❌ | ❌ | ⚠️ | ✅ |
| **Multi-client / multi-site** structure | ❌ | ✅ | ⚠️ | ❌ | ⚠️ | ✅ |
| Granular delegated **IT-support** access | ❌ | ❌ | ❌ | ❌ | ⚠️ | ✅ |
| Full **audit log** (who did what, where) | ❌ | ⚠️ | ⚠️ | ❌ | ✅ | ✅ |
| **Entra ID OIDC** + Local + TOTP | ❌ | ⚠️ | ⚠️ | ⚠️ | ✅ | ✅ |
| **In-app updates** (no SSH dance) | ❌ | ❌ | ❌ | ⚠️ | ⚠️ | ✅ |
| **Open Source** (Apache 2.0) | ⚠️ | ❌ | ✅ | ⚠️ | ❌ | ✅ |
| **Self-hosted**, one-command install | ❌ | ⚠️ | ✅ | ✅ | ❌ | ✅ |
| **Built for MSPs** | ❌ | ⚠️ | ❌ | ❌ | ⚠️ | ✅ |
> ✅ = first-class · ⚠️ = partial / awkward · ❌ = not supported
## 🚀 Features
### Authentication & access
- **Microsoft Entra ID (OIDC)** single sign-on with MFA
- **Local authentication** with Argon2 password hashing and TOTP (Authenticator, Authy, etc.)
- **JWT** access tokens + httpOnly refresh cookies
### Multi-vendor device fleet
- Plug-in **vendor driver** architecture — a single API surface across vendors
- **Site → Device** hierarchy (one tenant = one MSP)
- Encrypted credential storage (Fernet, KEK from `.env`)
- Connection pooling with keepalives
- Real-time **status monitoring** (CPU, memory, uptime, link state)
- Historic metrics with 30-day retention
### Granular RBAC
- Roles scoped to **sites or specific devices**
- Permissions per **functional section** (`dhcp`, `firewall.nat`, `qos`, `vpn`, …)
- **Read / write / execute** as separate verbs
- Casbin enforcer — policy-as-code, auditable
### Operations (MikroTik MVP)
- **DHCP** servers, leases, networks
- **IP / Firewall / NAT / Mangle** rules
- **Interfaces, addresses, routes, ARP, pools**
- **Queues** (simple + tree)
- **PPP** secrets, profiles
- **System**: identity, resource, clock, reboot, config backup
- **Tool**: ping, traceroute, fetch
### Platform
- **Audit log** of every action (user, device, section, payload, outcome, IP, UA)
- **In-app updates**: see when a new release is out, click Update, done — automatic pre-update DB backup and rollback on failure
- **Open REST API** with full OpenAPI / Swagger docs
- **WebSocket** push for real-time status
- **Webhooks** for integration with helpdesk / Slack / Teams
## 🏁 Quick Start
### One-command install (Ubuntu 22.04 / 24.04)
```bash
curl -fsSL https://raw.githubusercontent.com/ITConnectGE/netfleet/main/install.sh | sudo bash
```
The installer will:
1. Install Docker & Docker Compose if missing
2. Pull the latest `netfleet` images from `ghcr.io/itconnectge`
3. Generate secrets and write `/opt/netfleet/.env`
4. Start the stack and wait for healthchecks
5. Print the URL + initial setup token
Then open `https://your-server` and follow the setup wizard.
### Manual install (any Docker host)
```bash
git clone https://github.com/ITConnectGE/netfleet.git
cd netfleet
cp .env.example .env
# Edit .env — set secrets, OIDC config if you want SSO
docker compose up -d
```
### Configuration
All configuration is environment-variable driven — see [`.env.example`](.env.example).
Key sections:
- `NETFLEET_JWT_SECRET`, `NETFLEET_FERNET_KEY` — secrets (autogenerated by `install.sh`)
- `NETFLEET_OIDC_*` — Microsoft Entra ID (or any OIDC IdP) setup
- `NETFLEET_UPDATE_CHANNEL` — `stable` / `beta` / `manual`
- `NETFLEET_SMTP_*` — for invite emails & update notifications
## 🏗 Architecture
```
                ┌────────────────────────────────────────────────────────┐
                │  Host: Ubuntu + Docker                                 │
                │                                                        │
Admin ──HTTPS───┼──▶ caddy ─┬──▶ web (Next.js)                           │
IT Support      │           └──▶ api (FastAPI + Casbin) ──▶ postgres     │
                │                │           ▲           ▲               │
                │                ▼           │           │               │
                │         vendor drivers     ▼           │               │
                │         ┌──────────┐     redis         │               │
                │         │ mikrotik │                   │               │
                │         │ fortigate│ (cache + pubsub)  │               │
                │         │ cisco …  │                   │               │
                │         └────┬─────┘                   │               │
                │              │                         │               │
                │           worker             updater (docker.sock)     │
                │          (polling)           (in-app updates)          │
                └──────────────┼─────────────────────────┼───────────────┘
                               │                         │
                      ┌────────▼─┐              ┌────────▼──────────┐
                      │ Device   │              │ ghcr.io + GitHub  │
                      │ fleet    │              │ (image + releases)│
                      │ (multi-  │              └───────────────────┘
                      │ vendor)  │
                      └──────────┘
```
📐 **Full architecture diagrams**: see [`docs/architecture.drawio`](docs/architecture.drawio)
(6 pages: system overview, Docker layout, auth flows, RBAC model, update flow, vendor-driver call flow).
## 🔌 Vendor Driver Model
NetFleet abstracts vendor differences behind a stable `VendorDriver` interface. Each device
declares its `vendor` field; the API routes calls through the matching driver:
```python
from __future__ import annotations  # keep annotations lazy: the model types below live elsewhere in NetFleet

from typing import Protocol


class VendorDriver(Protocol):
    async def connect(self, device: Device) -> Connection: ...
    async def system_info(self, conn) -> SystemInfo: ...
    async def dhcp_leases(self, conn) -> list[DhcpLease]: ...
    async def firewall_nat_list(self, conn) -> list[NatRule]: ...
    async def firewall_nat_add(self, conn, rule: NatRule) -> str: ...
    # ... per-section methods

    capabilities: set[Capability]  # what this driver supports
```
A driver only needs to implement the sections relevant to its platform. The UI auto-hides
sections that the active device's driver doesn't expose.
| Driver | Status | Library / API |
|---|---|---|
| **MikroTik (RouterOS 7.x)** | 🟢 MVP — in active development | `librouteros` + REST fallback |
| **MikroTik (RouterOS 6.x)** | 🟡 planned | legacy API |
| **FortiGate (FortiOS)** | 🔵 roadmap | FortiOS REST API |
| **Cisco (IOS-XE / NX-OS)** | 🔵 roadmap | RESTCONF / NETCONF |
| **Ubiquiti (UISP / UniFi)** | 🔵 roadmap | UISP API |
| **Aruba / HPE** | 🔵 roadmap | AOS-CX REST |
> Want to contribute a driver? See [`docs/vendor-drivers.md`](docs/vendor-drivers.md) (writing in progress).
## 🔐 RBAC Philosophy — a concrete example
Say you have a junior support engineer "Nika" who should handle DHCP & NAT for Client A only.
```yaml
# In NetFleet UI: Settings → Roles → New Role
role: dhcp-nat-l1
scope:
  type: site
  id: client-a
permissions:
  - section: dhcp
    actions: [read, write]
  - section: firewall.nat
    actions: [read, write]
  - section: system.identity
    actions: [read]   # so Nika can see which device is which
---
# In Users → Nika → Assign role
user: nika@example.com
role: dhcp-nat-l1
```
Nika now sees only Client A's devices, only DHCP/NAT/identity tabs are visible,
and every action is recorded in the audit log with the request payload. She literally
**cannot** see other clients or other sections — the API rejects with 403 and audits the attempt.
The same policy works the same way whether Client A runs MikroTik or FortiGate; the
driver translates `firewall.nat` to the right vendor-native call.
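As an added illustration (not NetFleet's code; its real models and Casbin policy are not shown in this README), the Python below sketches how the `dhcp-nat-l1` role above, the driver `capabilities` set from the Vendor Driver Model section, and the audit log fit together: scope and section/action are checked first, then the device's driver capabilities decide which tabs are visible and which calls proceed. `DRIVER_CAPABILITIES`, `authorize`, `visible_sections`, the device ids and the FortiGate capability set are constructed for this example.

```python
from dataclasses import dataclass
# Constructed sample model for this README's example; NetFleet's own models and Casbin policy differ.
@dataclass(frozen=True)
class Device:
    id: str
    site: str
    vendor: str

@dataclass(frozen=True)
class Role:
    scope_type: str     # "site" or "device"
    scope_id: str
    permissions: dict   # section -> set of actions ("read", "write", "execute")

# Each driver exposes only the sections relevant to its platform (its capabilities set).
DRIVER_CAPABILITIES = {
    "mikrotik": {"dhcp", "firewall.nat", "system.identity", "qos"},
    "fortigate": {"firewall.nat", "system.identity"},  # stand-in for the roadmap driver
}
DEVICES = {d.id: d for d in (Device("rtr-a1", "client-a", "mikrotik"),
                             Device("fw-a1", "client-a", "fortigate"),
                             Device("rtr-b1", "client-b", "mikrotik"))}
# The dhcp-nat-l1 role from above, assigned to Nika and scoped to site client-a.
NIKA_ROLES = [Role("site", "client-a", {"dhcp": {"read", "write"},
                                        "firewall.nat": {"read", "write"},
                                        "system.identity": {"read"}})]
AUDIT: list[dict] = []  # every request is recorded, including the rejected ones

def permitted_sections(roles: list[Role], device: Device, action: str) -> set[str]:
    """Sections on which `action` is allowed for this device, taken from roles whose scope covers it."""
    return {sec for r in roles
            if (r.scope_type, r.scope_id) in {("site", device.site), ("device", device.id)}
            for sec, acts in r.permissions.items() if action in acts}

def visible_sections(roles: list[Role], device: Device) -> set[str]:
    """What the UI shows: readable sections intersected with what the device's driver exposes."""
    return permitted_sections(roles, device, "read") & DRIVER_CAPABILITIES[device.vendor]

def authorize(user, roles, device, section, action, payload=None) -> str:
    """RBAC check first, then driver capability; the outcome is written to the audit log either way."""
    if section not in permitted_sections(roles, device, action):
        outcome = "forbidden"    # the API answers 403, and the attempt is still audited
    elif section not in DRIVER_CAPABILITIES[device.vendor]:
        outcome = "unsupported"  # policy allows it, but this vendor's driver has no such section
    else:
        outcome = "ok"           # the driver maps the section to the vendor-native call
    AUDIT.append({"user": user, "device": device.id, "section": section,
                  "action": action, "payload": payload, "outcome": outcome})
    return outcome
```

The same `firewall.nat` write succeeds on both the MikroTik and the FortiGate stand-in, while a DHCP read on the FortiGate is allowed by policy but reported as unsupported by its driver.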
## 🧱 Tech Stack
| Layer | Choice | Why |
|---|---|---|
| Backend | **Python 3.12 · FastAPI** | Async, OpenAPI-native, Pydantic v2 |
| Vendor drivers | **Pluggable Protocol-based** | Add new vendors without touching API code |
| Authorization | **Casbin** | Policy-as-code RBAC with scopes |
| DB | **PostgreSQL 16** | RBAC ergonomics, JSONB audit, row-level security |
| Cache / Pub-sub | **Redis 7** | Status cache + WebSocket fan-out |
| Frontend | **Next.js 15 · shadcn/ui · Tailwind** | Polished, accessible, fast |
| Reverse proxy | **Caddy 2** | Auto HTTPS, zero config |
| Deploy | **Docker Compose** | One-command self-host |
| CI/CD | **GitHub Actions → ghcr.io** | Free public images |
## 🗺 Roadmap
- [x] Phase 0 — Architecture & branding
- [ ] Phase 1 — **Skeleton** (Docker, FastAPI, Next.js, DB) ← *we are here*
- [ ] Phase 2 — Auth (local + TOTP + Entra OIDC)
- [ ] Phase 3 — Sites & devices CRUD + encrypted creds + connection test
- [ ] Phase 4 — RBAC engine + roles UI + audit log
- [ ] Phase 5 — **MikroTik driver** complete: DHCP, IP, Firewall/NAT, Interfaces, System
- [ ] Phase 6 — Real-time status (worker + WebSocket)
- [ ] Phase 7 — In-app updater + GitHub Releases integration
- [ ] Phase 8 — Audit UI, exports, webhooks
- [ ] **v1.0** — production-ready (MikroTik fully supported)
- [ ] Phase 9 — **FortiGate driver** (FortiOS REST)
- [ ] Phase 10 — Config backup/restore, scheduled jobs
- [ ] Future — Cisco IOS-XE driver, Ubiquiti driver, multi-tenant SaaS mode, OpenTelemetry, Grafana dashboards, Ansible-compatible export
See [open issues](https://github.com/ITConnectGE/netfleet/issues) for tracked work.
## 🤝 Contributing
We welcome contributions — bug reports, PRs, docs, translations, **new vendor drivers**.
Start with [`CONTRIBUTING.md`](CONTRIBUTING.md). All contributors agree to the [Code of Conduct](CODE_OF_CONDUCT.md).
## 📜 License
Apache License 2.0 — see [LICENSE](LICENSE). Patent grant included; safe for commercial and MSP-internal use.
## ❤️ By ITConnectGE
NetFleet is built and maintained by **[ITConnectGE](https://itconnectge.ge)**, a Georgian IT
outsourcing company. We built it because we needed it ourselves — and we believe the MSP
community deserves an open, modern, vendor-agnostic alternative to expensive proprietary tools.
If NetFleet saves you time, ⭐ the repo, [tell us](https://github.com/ITConnectGE/netfleet/discussions), or contribute back.
---
MikroTik® and RouterOS® are registered trademarks of MikroTīkls SIA. FortiGate® is a registered trademark of Fortinet, Inc. Cisco® is a registered trademark of Cisco Systems, Inc. NetFleet is an independent, community-driven project and is not affiliated with or endorsed by any of these companies. Vendor names are used solely for descriptive interoperability purposes.