Open5GS Network Management System (NMS)

June 10, 2026 · View on GitHub

License: AGPL v3 Docker Open5GS Node.js React

Web-based management system for Open5GS 5G Core and 4G EPC networks. Provides complete configuration management, real-time monitoring, subscriber provisioning, and network visualization through an intuitive interface. Please be aware this project is heavily AI-assisted. If you find any issues please let me know - I will fix them as fast as I can.


🎯 Overview

Open5GS NMS simplifies the management of Open5GS deployments by providing:

  • Complete Network Function Management - Configure all 16 Open5GS network functions (5G Core + 4G EPC)
  • Visual Network Topology - Interactive real-time visualization of your network infrastructure
  • Subscriber Management - Full CRUD operations with SIM generator and auto-provisioning
  • Real-Time Monitoring - Live service status, logs, and active session tracking
  • Safe Configuration - Automatic backups, validation, and rollback on failure
  • 5G Privacy (SUCI) - Home network key management for subscription concealment
  • Authentication - Session-based login protecting all pages and API endpoints


✨ Key Features

Authentication

  • Login required - All pages and API endpoints are protected. A login form is shown automatically to unauthenticated users
  • Session persistence - Sessions survive page refresh (24-hour lifetime by default, configurable)
  • Secure cookies - HttpOnly, SameSite=lax; Secure flag enabled when behind HTTPS
  • First-run setup - Admin account created automatically on first deploy (see First Login)
  • Brute force protection - Login endpoint rate-limited to 10 attempts per 15 minutes per IP

Metrics & Monitoring

  • Prometheus Integration - Prometheus scrape config auto-generated and live-reloaded on every config apply. No manual prometheus.yml editing needed
  • Grafana Dashboards - Pre-built Open5GS dashboard covering AMF, SMF, UPF, PCF, HSS, PCRF and process health. Grafana datasource auto-provisioned on first start
  • Metrics Endpoints Page - Dual-mode editor: table view for individual NF address/port editing, or direct Prometheus scrape config YAML editing. Both views stay in sync
  • One-click access - Prometheus and Grafana links directly in the Metrics page header

Configuration Management

  • Dual Editor Modes - Form-based editor with 150+ contextual tooltips OR Monaco YAML editor
  • All 16 Network Functions - Complete coverage: NRF, SCP, AMF, SMF, UPF, AUSF, UDM, UDR, PCF, NSSF, BSF (5G) + MME, HSS, PCRF, SGW-C, SGW-U (4G)
  • Real-Time Validation - Zod schema validation with cross-service dependency checking
  • Safe Apply Workflow - Automatic backups, ordered service restarts, automatic rollback on failure
  • YAML Preservation - Maintains comments, formatting, and structure

RAN Network Monitoring

  • 4G EPC section - S1-MME (control plane) and S1-U (user plane) interface cards with live connected eNodeB IPs
  • 5G NR section - N2 (AMF ↔ gNodeB) and N3 (UPF ↔ gNodeB) interface cards with live connected gNodeB IPs
  • UE-to-radio mapping - each radio card shows which UEs are connected to it (IMSI, UE IP, CM State) nested directly under the radio row
  • Active UE Sessions table - combined 4G + 5G sessions with Generation, CM State, DNN/APN, Security algorithms, AMBR, and Radio IP columns
  • True 4G/5G separation - sourced directly from Open5GS internal APIs (AMF, MME, SMF) - no packet capture needed
  • All interface IPs sourced from Open5GS YAML configs - no hardcoded addresses

Network Topology Visualization

  • Interactive Diagram - JointJS-based professional network topology
  • Real-Time Status - Color-coded service indicators (green=active, red=inactive)
  • 5G Radio Network Status box - live N2 and N3 gNodeB IPs on the topology canvas
  • Active 5G UE Sessions box - UE IP + IMSI pairs sourced from Open5GS AMF/SMF APIs
  • Active 4G UE Sessions box - UE IP + IMSI pairs sourced from Open5GS MME API
  • Professional Layout - Manual routing with 90-degree orthogonal connectors

Service Management

  • Real-Time Monitoring - WebSocket-based live status cards for all 16 NFs plus MongoDB
  • Systemd Integration - Start, stop, restart, enable and disable services directly from the UI
  • Bulk Operations - Control all services at once in correct dependency order
  • MongoDB tracking - MongoDB included as a first-class service with status indicator on topology

Auto-Configuration Wizard

  • One-Click Setup - Generate all 16 NF configurations from minimal input (PLMN, host IPs, UE subnets)
  • Preview Changes - YAML diff viewer shows exact changes before applying
  • Persistent NAT - iptables rules saved via netfilter-persistent and IP forwarding via sysctl.d - survive reboots

Backup & Restore

  • Automatic Backups - Created before every configuration change; configurable retention policy
  • Selective Restore - Restore config only, database only, both, or specific NFs
  • Rollback Protection - Automatic restore on service restart failure
  • Diff Viewer - Compare any backup against current config before restoring
  • Factory Defaults - One-click restore to stock Open5GS configuration

Femtocell Provisioning (Sercomm SCE4255W)

  • Auto-credential derivation - derives root SSH and WebUI passwords from MAC address using the calc_f2 algorithm
  • Auto-config pull - detects if WebUI is already enabled and pulls current config into the form automatically
  • Full provisioning - enables WebUI via SSH if needed, applies all radio and core config, reboots device
  • CBRS Band 48 defaults β€” pre-filled for dual-carrier deployment
  • MME IP auto-populated from your Open5GS configuration
  • Browser geolocation for SAS lat/long coordinates

CBRS SAS Server (Citizens Broadband Radio Service)

  • Built-in SAS - Lab-only SAS-CBSD protocol emulator for controlled testing. Not an FCC-approved SAS and not suitable for live CBRS authorization. For live CBRS operation, CBSDs must obtain grants from an FCC-approved SAS Administrator.
  • Multi-radio support - deterministic per-CBSD channel assignment based on serial number sort order; race-condition-proof, survives re-registrations and Clear DB cycles
  • Interference coordination groups - radios in the same group are automatically spread across non-overlapping 20 MHz slots
  • Multi-band support - configure multiple frequency bands to serve different radio types (e.g. Baicells on 3560–3620 MHz, Sercomm on 3649–3700 MHz)
  • Band Assignment - three-level band policy: per-CBSD override > interference group assignment > global default; pins specific radios or entire groups to specific frequency ranges
  • Unified spectrum view - all radios and bands shown on a single 3550–3700 MHz plot alongside per-band detail charts
  • Multi-site scaling - independent slot assignment per interference group; two sites can reuse the same frequencies without conflict
  • Spectrum chart - visual frequency band display with color-coded slots, EARFCN labels, and per-CBSD assignment table
  • GPS delay enforcement - configurable lock delay (default 75 s) before grants are issued, ensuring radios are GPS-locked before transmitting
  • Pause / Resume - instantly stops all SAS responses (radios return DEREGISTER and go silent) without deleting any data
  • Clear DB - wipes all grants and CBSDs in one click for testing; radios re-register and get fresh deterministic slot assignments on reboot
  • CBRS SAS protocol - implements the WInnForum CBRS SAS-CBSD interface (registration, spectrumInquiry, grant, heartbeat, relinquishment, deregistration)
  • HTTPS SAS endpoint - TLS endpoint on port 8443 with auto-generated self-signed certificate; required for Sercomm radios which mandate HTTPS
  • Sercomm SCE4255W full integration - complete SAS parameter provisioning via GenieACS TR-069 including Method, Category, ChannelType, HeightType, ManufacturerPrefix, CPI settings, lat/long in microdegrees
  • Baicells TR-069 integration - full SAS parameter provisioning via GenieACS ACS on the Baicells provisioning page
  • Quiet docker logs - per-request SAS protocol noise suppressed; clean 30-second status summary printed to docker compose logs instead
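
The slot assignment and three-level band policy described in the list above can be sketched as follows. This is an added example, not the project's code: the function names, the policy object shape, the serial numbers and the rule that a radio which does not fit gets no slot are all assumptions; the two band ranges and the 20 MHz slot width come from the list.

```javascript
// Added example (not project code): deterministic 20 MHz slot assignment.
const SLOT_MHZ = 20;
// LTE Band 48 downlink: F = 3550 + 0.1 * (EARFCN - 55240) MHz (3GPP TS 36.101).
const BAND48_LOW_MHZ = 3550;
const BAND48_EARFCN_OFFSET = 55240;

// EARFCN of the centre frequency of a slot.
function earfcnFromRange(lowMhz, highMhz) {
  const centerMhz = (lowMhz + highMhz) / 2;
  return Math.round(BAND48_EARFCN_OFFSET + 10 * (centerMhz - BAND48_LOW_MHZ));
}

// Three-level policy: per-CBSD override > interference group > global default.
function resolveBand(cbsd, policy) {
  return policy.cbsdOverride[cbsd.serial] ?? policy.groupBand[cbsd.group] ?? policy.defaultBand;
}

function assignSlots(cbsds, policy) {
  // Bucket serials by (interference group, band). Each bucket is numbered
  // independently, so two groups (sites) may reuse the same frequencies.
  const buckets = new Map();
  for (const cbsd of cbsds) {
    const bandName = resolveBand(cbsd, policy);
    const key = JSON.stringify([cbsd.group ?? null, bandName]);
    if (!buckets.has(key)) buckets.set(key, { bandName, serials: new Set() });
    buckets.get(key).serials.add(cbsd.serial);
  }
  const slots = {};
  for (const { bandName, serials } of buckets.values()) {
    const band = policy.bands[bandName];
    // Sorting by serial makes the result independent of registration order.
    [...serials].sort().forEach((serial, index) => {
      const lowMhz = band.lowMhz + index * SLOT_MHZ;
      const highMhz = lowMhz + SLOT_MHZ;
      // Assumption: a radio that does not fit gets no slot, never an overlap.
      slots[serial] = highMhz <= band.highMhz
        ? { band: bandName, lowMhz, highMhz, earfcn: earfcnFromRange(lowMhz, highMhz) }
        : null;
    });
  }
  return slots;
}

// Constructed inventory: serials, group names and band names are made up.
const POLICY = {
  bands: {
    baicells: { lowMhz: 3560, highMhz: 3620 },
    sercomm: { lowMhz: 3649, highMhz: 3700 },
  },
  defaultBand: 'baicells',
  groupBand: { 'site-b': 'sercomm' },
  cbsdOverride: { 'BC-0003': 'sercomm' },
};
const CBSDS = [
  { serial: 'BC-0002', group: 'site-a' },
  { serial: 'SC-0001', group: 'site-b' },
  { serial: 'BC-0001', group: 'site-a' },
  { serial: 'BC-0003', group: 'site-a' },
  { serial: 'SC-0002', group: 'site-b' },
  { serial: 'SC-0003', group: 'site-b' },
];
console.log(assignSlots(CBSDS, POLICY));
```

The third radio in the 3649–3700 MHz band comes back as null because only two 20 MHz slots fit, which is the case a Clear DB and re-registration cycle must reproduce identically.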

Baicells eNodeB Provisioning (Beta)

  • GenieACS TR-069 ACS integration - radios register automatically via CWMP on port 7547
  • Live RF status - per-radio status dot (green = RF on, amber = RF off, red = offline) with 30-second auto-refresh
  • Full config push - all parameters sent in a single TR-069 session, followed by automatic reboot and RF enable
  • Editable confirm modal - preview the exact GenieACS NBI API calls before anything is sent; edit the JSON if needed
  • Per-radio and global controls - Enable RF, Disable RF, Reboot per radio; RF On All, RF Off All, Reboot All from the header
  • Auto-backup - full device parameter snapshot saved to disk after every successful provision
  • Audit logging - all provision, reboot, and RF actions logged
  • Tested on: Baicells Nova 430i running BaiBLQ_3.0.12 firmware

SUCI Key Management (5G Privacy)

  • Keypair Generation - Create X25519 (Profile A) or secp256r1 (Profile B) home network keys
  • Public Key Display - Hex format ready for eSIM provisioning
  • pySIM JSON Generator - One-click generation of correctly formatted EF.SUCI_Calc_Info JSON for pySIM-shell, in both pretty and single-line formats
  • Automatic Configuration - Updates UDM config with new public key on generate/rotate
  • PKI Management - Support for multiple PKI values (0–255) with next-ID auto-suggestion, rename without destroying keys

Subscriber Management

  • Full CRUD Operations - Create, read, update, delete subscribers via MongoDB
  • SIM Generator - Generate test SIM credentials with country-based MCC selection (65+ countries)
  • Auto-Provisioning - Automatically add generated SIMs to Open5GS database
  • Multi-Slice Support - Configure multiple network slices and sessions per subscriber
  • Search & Pagination - Efficient browsing of large subscriber databases

Time Server (NTP via Chrony)

  • Chrony integration - manages Chrony NTP daemon directly from the NMS; start, stop, restart, and configure without touching the CLI
  • Live tracking status - reference server, stratum, system offset, RMS offset, frequency, root delay, update interval, and leap status all shown live
  • NTP server & pool management - add, remove, and reorder upstream servers and pools with iburst/noselect flags
  • Allowed client networks - configure which subnets can query the NTP server (critical for radios and UEs)
  • Advanced options - makestep, maxdistance, and other Chrony directives exposed in the UI
  • Save & Restart - writes chrony.conf and restarts the daemon in one click

FRR / L3 Routing

  • Layer 2 → Layer 3 migration wizard - step-by-step guided migration from flat L2 service IPs to routed L3 using FRR + Virtual Service Interfaces (VSIs)
  • Multi-protocol support - EIGRP, OSPF, and BGP; each protocol generates correct FRR config with appropriate neighbor/peer setup
  • Live Routing Status - real-time neighbor status, EIGRP/OSPF/BGP topology table showing all prefixes, next-hops, interfaces, and metrics
  • Route Filters - outbound and inbound prefix-list based filtering with Auto VSI filter button, preview, apply, and rollback
  • Active Configuration - read-only summary of protocol, AS number, peer IP, and VSI mappings once migration is complete
  • Pre-flight checklist - built-in requirements guide covering the 3 required interfaces, router-side prerequisites, and known FRR 8.4.x EIGRP limitations
  • Full rollback - backup taken before any changes; rollback button restores previous state at any phase

Real-Time Logging

  • Dual Log Sources - Stream logs from Open5GS systemd services OR Docker containers
  • Live Log Streaming - Tail logs from any service via WebSocket
  • Service Filtering - Multi-select services or containers to monitor simultaneously


🚀 Quick Start

Prerequisites

  • Ubuntu 24.04 LTS (or compatible Linux distribution)
  • Open5GS 2.7+ installed and configured
  • MongoDB 6.0+ running on localhost
  • Docker Engine 24.0+ and Docker Compose v2.20+

Installation

# Clone the repository
git clone https://github.com/paulmataruso/open5gs-nms
cd open5gs-nms

# Configure environment (required - see Authentication section below)
cp .env.example .env
nano .env

# Build and start all services
docker compose up --build -d

# Access the web interface
open http://YOUR_SERVER_IP:8888

For detailed installation instructions, see INSTALL.md.


🔐 Authentication

First Login

On first startup, an admin account is created automatically.

Option A - Set your own password (recommended):

Add this to your .env before running docker compose up:

FIRST_RUN_PASSWORD=your-secure-password-here

Then log in with username admin and the password you set. Clear FIRST_RUN_PASSWORD from .env after your first login.

Option B - Auto-generated password:

Leave FIRST_RUN_PASSWORD empty. A random password is generated and printed once to the container logs:

docker logs open5gs-nms-backend 2>&1 | grep -A4 "FIRST RUN"

Expected output:

════════════════════════════════════════════════════
  FIRST RUN - Admin account created
  Username : admin
  Password : Xk7mQ2pL9nRv4wYa
  Change this password after first login!
════════════════════════════════════════════════════

Missed the password? Delete the auth database and restart:

docker compose down && rm -f ./data/auth.db && docker compose up -d

Auth Configuration

| Variable | Default | Description |
| --- | --- | --- |
| FIRST_RUN_PASSWORD | (empty) | Initial admin password. Auto-generated if empty. Clear after first login. |
| SESSION_MAX_AGE | 86400 | Session lifetime in seconds (default: 24 hours) |
| COOKIE_SECURE | false | Set to true only when serving over HTTPS. Setting this to true on plain HTTP silently breaks login. |
| AUTH_DB_PATH | /app/data/auth.db | Path to SQLite auth database inside container. Must match the ./data:/app/data volume mount. |

HTTPS Deployments

When running behind HTTPS (nginx + SSL), set COOKIE_SECURE=true in .env:

COOKIE_SECURE=true

See docs/deployment.md for full nginx SSL configuration.
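
A deployment check for the settings above, as an added example that is not part of the project: it reads a .env body and one captured Set-Cookie header and reports mismatches with the documented cookie policy. The function names, the cookie name `session`, the hostnames and the sample inputs are constructed assumptions.

```javascript
// Added example (not project code): audit the documented auth settings.

// Parse a .env body into a key/value map; comments and blank lines are skipped.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    // Strip a trailing "  # comment" as used in the README's .env sample.
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).replace(/\s+#.*$/, '').trim();
  }
  return env;
}

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], attrs: {} };
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : attr.slice(eq + 1).toLowerCase();
  }
  return cookie;
}

// Returns a list of findings; an empty list means the deployment matches the
// stated policy (HttpOnly, SameSite=lax, Secure when served over HTTPS).
function auditAuth({ envText, publicUrl, setCookie, firstLoginDone }) {
  const env = parseEnv(envText);
  const https = new URL(publicUrl).protocol === 'https:';
  const secureWanted = env.COOKIE_SECURE === 'true';
  const findings = [];

  if (secureWanted && !https) {
    // Browsers discard Secure cookies received over plain HTTP.
    findings.push('COOKIE_SECURE=true on plain HTTP: session cookie is dropped, login breaks');
  }
  if (!secureWanted && https) {
    findings.push('HTTPS deployment without COOKIE_SECURE=true');
  }
  if (firstLoginDone && env.FIRST_RUN_PASSWORD) {
    findings.push('FIRST_RUN_PASSWORD is still set in .env after first login');
  }
  const maxAge = Number(env.SESSION_MAX_AGE ?? 86400);
  if (!Number.isInteger(maxAge) || maxAge <= 0) {
    findings.push('SESSION_MAX_AGE must be a positive number of seconds');
  }

  const cookie = parseSetCookie(setCookie);
  if (!cookie.attrs.httponly) findings.push(`${cookie.name}: missing HttpOnly`);
  if (!['lax', 'strict'].includes(cookie.attrs.samesite)) {
    findings.push(`${cookie.name}: SameSite is not lax or strict`);
  }
  if (https && !cookie.attrs.secure) findings.push(`${cookie.name}: missing Secure on HTTPS`);
  return findings;
}

// Constructed sample: an HTTPS deployment whose .env was left at the defaults.
const SAMPLE_ENV = [
  '# Authentication',
  'FIRST_RUN_PASSWORD=your-password    # Initial admin password',
  'SESSION_MAX_AGE=86400',
  'COOKIE_SECURE=false                 # Set true only for HTTPS deployments',
].join('\n');
const SAMPLE_COOKIE = 'session=constructed-id; Path=/; HttpOnly; SameSite=Lax; Max-Age=86400';

console.log(auditAuth({
  envText: SAMPLE_ENV,
  publicUrl: 'https://nms.example.test',
  setCookie: SAMPLE_COOKIE,
  firstLoginDone: true,
}));
```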


📋 System Requirements

Minimum

  • CPU: 2 cores
  • RAM: 4GB
  • Disk: 20GB free space

Recommended

  • CPU: 4 cores
  • RAM: 8GB
  • Disk: 50GB free space (for logs and backups)

Network

  • Static IP address or DHCP reservation recommended
  • Port 8888 for web interface
  • Internet access for Docker builds

For complete requirements, see docs/requirements.md.


📖 Documentation

Getting Started

User Guides

Administration

Development


🏗️ Architecture

The Open5GS NMS follows a Clean Architecture pattern with clear separation of concerns:

┌──────────────────────────────────────────────────────────────┐
│  Browser (React 18 + TypeScript + JointJS)                   │
│  http://YOUR_SERVER:8888                                     │
└───────────────┬──────────────────┬───────────────────────────┘
                │ REST API         │ WebSocket
                ▼                  ▼
┌──────────────────────────────────────────────────────────────┐
│  nginx Reverse Proxy (Alpine)                                │
│  Proxies /api → backend:3001                                 │
│  Upgrades WebSocket → backend:3002                           │
└───────────────┬──────────────────┬───────────────────────────┘
                │                  │
                ▼                  ▼
┌──────────────────────────────────────────────────────────────┐
│  Backend (Node.js 20 + TypeScript + Express)                 │
│  Clean Architecture: Domain → Application → Infrastructure   │
│  Auth: Lucia v3 sessions → SQLite (auth.db)                  │
│  Container: privileged, network_mode: host                   │
└─────┬──────────┬──────────┬───────────┬──────────────────┬───┘
      │          │          │           │                  │
      ▼          ▼          ▼           ▼                  ▼
 /etc/open5gs  systemd   MongoDB    auth.db           /var/log
 (bind mount)  (via dbus) (host:27017) (./data volume) (bind mount)

Technology Stack

Frontend:

  • React 18.2, TypeScript 5.3, Vite 5.0
  • TailwindCSS 3.4, Zustand 4.4
  • JointJS 3.7 (topology), Monaco Editor 4.6 (YAML)

Backend:

  • Node.js 20 LTS, TypeScript 5.3, Express 4.18
  • Lucia v3 (sessions), better-sqlite3 (auth DB), oslo (bcrypt)
  • Zod 3.22 (validation), MongoDB Native Driver 6.3
  • WebSocket (ws) 8.16, Pino 8.17 (logging)

Infrastructure:

  • Docker + Docker Compose
  • nginx (reverse proxy)
  • systemd (service management)

For detailed architecture documentation, see ARCHITECTURE.md.


🔧 Configuration

The NMS is configured through environment variables. Copy .env.example to .env and customize:

# Authentication (review before first deploy)
FIRST_RUN_PASSWORD=your-password    # Initial admin password
SESSION_MAX_AGE=86400               # Session lifetime in seconds
COOKIE_SECURE=false                 # Set true only for HTTPS deployments

# Backend
PORT=3001
WS_PORT=3002
MONGODB_URI=mongodb://127.0.0.1:27017/open5gs
CONFIG_PATH=/etc/open5gs
LOG_LEVEL=info
HOST_SYSTEMCTL_PATH=/usr/bin/systemctl

Default values work for most deployments. For production, see docs/deployment.md.


🛡️ Security

What's protected

  • All API endpoints require a valid session cookie
  • Login is rate-limited (10 attempts / 15 min per IP)
  • Passwords are bcrypt-hashed
  • Session cookies are HttpOnly (not accessible to JavaScript)
  • Auth data is stored in a separate SQLite database - the Open5GS MongoDB is never touched for auth

Production recommendations

  1. Enable HTTPS - Configure nginx SSL termination (Let's Encrypt) and set COOKIE_SECURE=true in .env
  2. Network restrictions - Deploy behind a VPN or firewall for internet-exposed instances
  3. Regular backups - Automate backup jobs and store copies off-site
  4. Monitoring - Set up external monitoring (Prometheus, Grafana)

See docs/deployment.md for detailed hardening guidance.


🤝 Contributing

We welcome contributions! Whether it's bug reports, feature requests, or code contributions, please see our Contributing Guide.

Development Setup

# Clone repository
git clone https://github.com/paulmataruso/open5gs-nms
cd open5gs-nms

# Backend development
cd backend
npm install
npm run dev      # Runs on http://localhost:3001

# Frontend development (separate terminal)
cd frontend
npm install
npm run dev      # Runs on http://localhost:5173

For detailed development instructions, see docs/development.md.


📝 Changelog

See CHANGELOG.md for a complete version history.

Latest Release: v2.0-beta_0.3 (2026-06-04)

🐛 Critical install fix - nginx blocked on fresh deploy

  • cert-init was failing with exit code 1 on every fresh install due to Docker Compose interpolating shell variables in the inline entrypoint script as Compose variables. This prevented nginx from starting, making the entire web interface unreachable and blocking all logins.
  • Fixed by moving the cert generation script to nginx/setup-sas-cert.sh and mounting it as a volume. Docker Compose never interpolates file contents.
  • Script rewritten as POSIX sh (Alpine container has no bash), with context detection, skip-if-exists logic, and IP fallback to 127.0.0.1.

Workaround for existing broken installs:

mkdir -p nginx/certs && openssl req -x509 -newkey rsa:4096 \
  -keyout nginx/certs/sas.key -out nginx/certs/sas.crt \
  -days 3650 -nodes -subj '/CN=sas.local' \
  -addext 'subjectAltName=DNS:localhost' && docker compose up -d

📡 Baicells SAS - AUTHORIZED state fix (radios now transmit)

This release resolves a series of root-cause bugs that prevented Baicells BaiBLQ firmware radios from ever transitioning from GRANTED to AUTHORIZED in SAS mode 2. Radios were stuck heartbeating in GRANTED state indefinitely and never enabling RF.

  • Timestamp format - sasFmt() now produces ISO 8601 Z format (2026-06-03T02:54:09Z). Baicells firmware silently ignored the old compact UTC format, leaving SAS_CONFIG_TRANSEXPIRETIME empty on the radio - the root cause of the GRANTED loop
  • REM scan disabled - Factory default LTE_REM_SCAN_ON_BOOT=1 scanning Band 7 was blocking the OAM state machine (remScanDone never reaching 1), causing all TR-069 writes of SAS_RADIO_ENABLE to be silently reset with Now Nothing To Do For Dynamic Configure. Provision tasks now push ScanOnBoot=false, ScanPeriodically=false, InServiceHandling=Disabled
  • Heartbeat response simplified - Removed heartbeatInterval and operationParam fields from heartbeat responses to exactly match the WInnForum reference SAS (fake_sas.py)
  • NTP clock skew - transmitExpireTime was always in the radio's past when clocks were offset. Debug log added showing calculated expire time. Time Server page (Chrony) enables NTP sync across all radios
  • SAS.RadioEnable persistence - RF On/Off endpoint now sets both X_COM_RadioEnable and SAS.RadioEnable when SAS is enabled. Deployments without SAS are unaffected
  • Spectrum chart Baicells grants - Fixed TypeScript type for getSlots that was discarding the bands array, preventing Baicells grants from appearing in the chart
  • EARFCN display - Radio card now calculates EARFCN from sasReqLowFrequency/sasReqHighFrequency center point instead of the stale TR-069 EARFCNDL value. All three radios now show distinct EARFCNs
  • GenieACS provisions cleaned - default provision no longer declares InternetGatewayDevice.* paths that caused constant 9005 faults. inform provision too_many_commits loop fixed
  • RF All endpoints - rf-all now correctly filters to Baicells only (OUI 48BF74); Sercomm RF is handled by rf-sercomm-all only
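
The timestamp and clock-skew items above, worked through as an added example that is not the project's sasFmt() or heartbeat code. The function names, the 240-second transmit window, the sample identifiers and the radio-side model are assumptions made for illustration; the non-conforming timestamp is a constructed value, not necessarily the format the project used before the fix.

```javascript
// Added example (not project code): SAS timestamps and a clock-skew check.

// ISO 8601 UTC with a trailing Z and no fractional seconds.
const SAS_TIME_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$/;

function formatSasTime(epochMs) {
  // toISOString() yields 2026-06-03T02:54:09.000Z; drop the milliseconds.
  return new Date(epochMs).toISOString().replace(/\.\d{3}Z$/, 'Z');
}

// Minimal heartbeat response: no heartbeatInterval or operationParam fields.
function buildHeartbeatResponse(cbsdId, grantId, sasNowMs, transmitWindowSec) {
  return {
    heartbeatResponse: [{
      cbsdId,
      grantId,
      transmitExpireTime: formatSasTime(sasNowMs + transmitWindowSec * 1000),
      response: { responseCode: 0 },
    }],
  };
}

// Simplified radio-side model of the two failure modes in the changelog:
// an unparseable timestamp is ignored, and an expiry that already lies in
// the radio's past never authorizes transmission.
function radioVerdict(response, radioNowMs) {
  const { transmitExpireTime } = response.heartbeatResponse[0];
  if (typeof transmitExpireTime !== 'string' || !SAS_TIME_RE.test(transmitExpireTime)) {
    return 'IGNORED_BAD_FORMAT';
  }
  return Date.parse(transmitExpireTime) > radioNowMs ? 'AUTHORIZED' : 'EXPIRED_IN_RADIO_PAST';
}

// Compare SAS and radio clocks for one heartbeat and report the outcome.
function skewReport(sasNowMs, radioNowMs, transmitWindowSec) {
  const response = buildHeartbeatResponse('cbsd-constructed', 'grant-constructed',
    sasNowMs, transmitWindowSec);
  return {
    radioLeadSec: Math.round((radioNowMs - sasNowMs) / 1000),
    transmitExpireTime: response.heartbeatResponse[0].transmitExpireTime,
    verdict: radioVerdict(response, radioNowMs),
  };
}

// Constructed scenario: SAS clock at 02:50:09Z, assumed 240 s transmit window.
const SAS_NOW_MS = Date.UTC(2026, 5, 3, 2, 50, 9);
const WINDOW_SEC = 240;
console.log(skewReport(SAS_NOW_MS, SAS_NOW_MS, WINDOW_SEC));              // clocks in sync
console.log(skewReport(SAS_NOW_MS, SAS_NOW_MS + 600 * 1000, WINDOW_SEC)); // radio 10 min ahead
```

A radio whose clock leads the SAS by more than the transmit window sees every expiry as already past, which is why the NTP sync from the Time Server page matters for the GRANTED to AUTHORIZED transition.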

📡 CBRS SAS - Multi-Band Support & Sercomm Integration

  • Multi-band frequency configuration - configure separate bands for different radio types (Baicells, Sercomm) with independent slot assignment per band
  • Three-level Band Assignment system: per-CBSD override > interference group policy > global default
  • Band Assignment tab in SAS page - assign bands to interference groups with slot preview table, and set per-CBSD overrides via compact table with modal editor
  • Unified spectrum chart - all radios and bands on a single 3550–3700 MHz CBRS plot alongside individual per-band detail charts
  • HTTPS SAS endpoint (port 8443) - auto-generated self-signed TLS certificate on docker compose up via cert-init service; nginx serves HTTPS SAS endpoint required by Sercomm radios
  • Sercomm SCE4255W full TR-069 SAS provisioning - all parameters: Method (Direct SAS/DP), Installation Method (Single/Multi-Step), Category (A/B), Channel Type (GAA/PAL), Location Source (Manual/GPS), Height Type (AGL/AMSL), ManufacturerPrefix, CPI settings, lat/long decimal degrees auto-converted to microdegrees
  • Per-CBSD band override modal - fixed-position centered modal prevents popover clipping in table rows
  • Quiet docker logs - per-request SAS protocol traffic (grant/heartbeat/spectrumInquiry) downgraded to trace level; 30-second summary line shows all active grants with serial, frequency, and EARFCN

📡 CBRS SAS Server

  • Full built-in WInnForum SAS-CBSD protocol server (registration, spectrumInquiry, grant, heartbeat, relinquishment, deregistration)
  • Deterministic per-CBSD channel assignment keyed by serial number - race-condition-proof, survives re-registrations and Clear DB cycles
  • Interference coordination group support - radios in the same group auto-spread across non-overlapping 20 MHz slots
  • Multi-site scaling - independent slot assignment per group; two sites can reuse frequencies without conflict
  • GPS delay enforcement (75 s configurable) before grants issued
  • Grants issued as AUTHORIZED immediately (no GRANTED→heartbeat→AUTHORIZED delay)
  • Pause SAS / Resume SAS button - radios return DEREGISTER instantly, no data deleted
  • Clear DB button - wipes all grants and CBSDs in one click for testing
  • Spectrum chart - visual frequency band with color-coded slots, EARFCN labels, per-CBSD assignment table
  • Baicells TR-069 full SAS parameter provisioning (reqLowFrequency, reqHighFrequency, PreferredFrequency, enableMode, FccId, groupId, groupType, MaxEIRP, LegacyMode, etc.)
  • SAS admin REST API: /sas/admin/reset, /sas/admin/pause, /sas/admin/resume, /sas/admin/status, /sas/admin/slots

📡 Baicells eNodeB Provisioning

  • Full Band 42/43/48 band selector with auto-fill defaults
  • EARFCN dropdown per band with SAS mode awareness (EARFCN greyed in SAS mode 2, labeled (SAS))
  • EARFCN mismatch warning when configured EARFCN doesn't match expected SAS-assigned slot
  • SAS mode 2 handling - EARFCN not pushed to radio in SAS mode 2 (radio tunes to SAS grant)
  • RF enable sends task twice (queued + connection_request) to ensure immediate effect
  • rfStatus correctly derived from X_COM_RadioEnable AND opState

🔗 Remote UPF / SGW-U Architecture (4G + 5G Edge Deployments)

  • Remote UPF generator (UPF config page) - generates ready-to-deploy upf.yaml for edge sites; "Add to SMF & Apply" wires it into smf.yaml automatically
  • SMF config page - full UPF routing table (DNN, TAC, eNodeB Cell ID, NR Cell ID selection criteria); local UPF labeled "same host"; routable address selector; routing destination badge on session pools
  • Remote SGW-U generator (SGW-U config page) - mirrors UPF pattern; generates sgwu.yaml with SGW-C address and deployment steps
  • SGW-C config page - full SGW-U routing table with TAC, APN, Cell ID (e_cell_id) selection criteria; local SGW-U labeled; routable PFCP server section
  • TAC/APN/Cell ID routing criteria - all three SGW-U selection methods from Open5GS sgwc.yaml supported in both SGW-C editor and SGW-U generator
  • "How it works" topology button on SMF and SGW-C pages - opens modal with full network diagram explaining Remote UPF/SGW-U architecture, IP requirements, and interface routing
  • Network topology diagram (SVG) showing central site (AMF, MME, SMF, SGW-C) ↔ edge site (UPF, SGW-U) with all interface IPs, PFCP/N4/Gxc connections, N2/S1-MME control plane, N3/S1-U user plane

⚙️ Auto-Config improvements

  • "Use Local UPF Only" checkbox (default checked) - hides PFCP addressing complexity for single-server deployments; auto-detects from existing config
  • mergePfcpServers() helper - prevents duplicate IP entries in PFCP server lists across all services (SMF, UPF, SGW-C); also self-heals existing duplicates on next run
  • localUpfOnly and localSgwuOnly flags - when set, forces loopback defaults (127.0.0.x) regardless of IP fields

🧪 Unit Tests

  • 32 Jest unit tests for RAN UE session reporting covering: 4G/5G session detection, IMSI field variants (supi/imsi, prefixed/bare), UE deduplication, live eNodeB/gNodeB filter, Prometheus metrics fallback, interface status
  • parsePeerIP helper tests (bracketed IPv4, IPv6, plain IP:port)
  • 5G-only deployment short-circuit - skips all 4G logic when MME not running

🐛 Bug Fixes

  • RAN page UE crash fix - mmeUe.supi null guard with fallback to imsi field for older Open5GS versions
  • RAN page eNodeB filter relaxed - setup_success: false no longer drops all UEs from display
  • RAN page N3/5G filter relaxed - shows UEs even when gNodeB setup_success is false
  • Services page route order fix - /all/:action registered before /:name/:action in Express; fixes "Stop 4G" / "Stop 5G" buttons
  • SGW-C and SGW-U metrics sections removed - neither service exposes a Prometheus metrics HTTP endpoint
  • Duplicate PFCP server IP bug (auto-config) - entering a loopback address that already exists in the YAML no longer creates duplicate entries

📄 License

Copyright (C) 2026 Paul Mataruso

This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0) - see the LICENSE file for details.

In plain terms:

  • You are free to use, modify, and distribute this software
  • If you run a modified version on a server and users interact with it over a network, you must make your modified source code available to those users under the same license
  • Commercial use requires either compliance with AGPL-3.0 or a separate commercial license agreement with the copyright holder

For commercial licensing inquiries, open an issue or discussion on GitHub.


🙏 Acknowledgments


📞 Support


Built with ❀️ for the Open5GS community