ISPChampispchamp.com

Software BNG + ISP OSS/BSS

BRAS in software.
Billing in the same box.

ISPChamp replaces hardware BRAS with a VPP/DPDK data plane on commodity x86, wired into FreeRADIUS, ISC Kea, FRRouting, and deterministic CGNAT. The same on-prem stack runs subscriber billing, OLT and router automation, and the operator portal, while a multi-tenant control plane keeps modules and entitlements in sync.

Request a NOC walkthroughVisit ispchamp.com
  • Wire-speed VPP / DPDK on x86
  • FreeRADIUS 3.2.7 with live CoA
  • BTRC-format deterministic CGNAT
  • Tenant data stays on the customer NOC
noc / live-telemetry
bng throughput / p95wire speed
98.4G
0Gline-rate · 100G
100G
Wire-speed per core
VPP / DPDK on x86
<8ms
RADIUS auth p95
FreeRADIUS 3.2.7
61+
DB migrations
control plane + on-prem
9
Go services
go.work workspace
image · ispchamp / vbng-v0.85site · BD-NOC-01

NOC telemetry shape from a single ISPChamp on-prem instance. Per core throughput scales with DPDK worker count. Reach out for the lab benchmark report against ZTE M6000 and Huawei MA5800 reference traffic.

01 / What is ISPChamp?

definition · for operators and AI engines

ISPChamp is KaritKarma's ISP management platform: a software-defined BNG plus full OSS/BSS, built for Bangladesh.

The data plane is VPP and DPDK on commodity x86, paired with FreeRADIUS 3.2.7, ISC Kea 3.0 LTS, FRRouting, and deterministic CGNAT. The OSS/BSS unifies subscriber CRM, plan management, prepaid plus postpaid billing, payments via bKash and Nagad, multi-vendor OLT and router automation (ZTE, Huawei, BDCOM, CDATA, VSol, MikroTik, Cisco, Juniper), and a Bangla and English operator, partner, and subscriber portal stack.

The architecture is deliberately inverted from a typical SaaS: every customer ISP runs an on-prem ISPChamp stack at its own NOC, because BTRC retention, lawful intercept, and KYC rules make hosting subscriber data off-premises a non-starter. A multi-tenant control plane at dash.ispchamp.com tracks module entitlements, staff catalog, heartbeat, and rolled-up usage. The data flow is strictly outbound from on-prem; nothing inbound ever writes to the customer box.

ISPChamp is built by an operator. KaritKarma runs APNIC AS 64005 with about 2 Tbps aggregation, so every assumption in the product is informed by an actual production ISP rather than a vendor PowerPoint.

02 / The stack

Six pillars.
One on-prem box.

The forwarding plane, AAA, DHCP, dynamic routing, CGNAT, and the OSS/BSS database all run inside the same docker-compose appliance at the ISP NOC. One stack, one upgrade path, one place to look when a session dies.

Subscriber lifecycle
PENDINGKYC + provisioning queued
ACTIVEPlan injected, CoA-live
SUSPENDEDDunning hit, walled-garden
TERMINATEDRADIUS revoked, archived
  1. DP-01

    VPP + DPDK data plane

    100 Gbps / core

    Wire-speed packet processing on commodity x86 with Mellanox ConnectX-6 100G NICs. No proprietary ASIC, no forklift upgrade path. Throughput scales horizontally with cores, not with vendor purchase orders.

    • QoS, ACL, FIB, NAT44 inline in the fast path.
    • Per-subscriber token-bucket policer (trTCM).
    • Live CoA bandwidth updates without session drop.
  2. DP-02

    FreeRADIUS 3.2.7 AAA

    RFC 5176 CoA

    Phase 1 deploys rlm_sql_postgresql straight against the on-prem ISPChamp database. Phase 2 swaps to rlm_rest into the Go aaa-adapter for post-auth hooks, accounting fan-out, and Change-of-Authorization disconnects.

    • Post-auth profile injection from the operator portal.
    • Accounting interim updates land in time-series storage.
    • Disconnect + CoA wired to the execution-engine.
  3. DP-03

    ISC Kea 3.0 LTS + Option 82

    Dual-stack

    ISC Kea handles DHCPv4, DHCPv6, and prefix delegation with PostgreSQL backend and HA. Subscriber identity arrives in DHCP Option 82 from the OLT, carrying S-VLAN, C-VLAN, and physical port for unambiguous mapping.

    • Real-time pool sync against the IPAM module.
    • RADIUS hook on DHCPDISCOVER for IPoE auth.
    • DHCPv6-PD and SLAAC for IPv6 customers out of the box.
  4. DP-04

    FRRouting BGP + OSPF

    BFD sub-second

    Dynamic routing with BGP for upstream peering, OSPF for the internal underlay, and BFD for sub-second failover. Per-subscriber /32 route injection so live sessions survive an edge router swap with graceful restart.

    • AS-edge peering with route-map driven policy.
    • Per-subscriber host routes for fast convergence.
    • Graceful restart keeps the data plane forwarding.
  5. DP-05

    Deterministic CGNAT

    BTRC compliant

    Inline NAT44 with deterministic port allocation: the same subscriber always maps to the same (NAT IP, port block) pair for forensic traceability. Hourly gzip rotation, syslog forwarding, BTRC-format CSV export.

    • Configurable retention, default 365 days hot.
    • Lawful-intercept hook lives only on-prem, never upstream.
    • Per-session attribution survives a long-tail forensic query.
  6. DP-06

    Postgres 18 core

    sqlc + pgx

    PostgreSQL 18 backs every domain: subscribers, plans, NAS, BNG sessions, IPAM, accounting, billing, tickets. Multi-tenant by tenant_id on every table. 61+ control-plane migrations, 74+ migrations on the on-prem image.

    • sqlc-generated queries, pgx connection pooling.
    • Tenant isolation enforced at the row layer.
    • Idempotent migrations applied at deploy time.

03 / Topology

Control plane in our DC. Data plane on your NOC.

Outbound-only data flow. Heartbeat every 30 seconds, usage rollup every 5 minutes. Subscriber PII, RADIUS records, CDR, and lawful-intercept hooks never traverse the perimeter.

KaritKarma data centre
Control plane

Multi-tenant SaaS. Tenant CRUD, module entitlements, billing for the ISP itself, heartbeat + usage rollup. Phones every on-prem instance once a minute; never writes back inbound.

dashboard:443dash.ispchamp.com
control-plane:8090internal
marketing:443ispchamp.com
outbound only
heartbeat 30s
usage 5m
ISP customer NOC
Data plane + OSS/BSS

One docker-compose appliance. Traefik, Postgres, FreeRADIUS, ISC Kea, VPP/DPDK, core-api, aaa-adapter, telemetry, execution-engine, hardware-manager, vbng, plus operator, partner, customer portals.

core-api :8082
aaa-adapter :8083
identity-proxy :8081
telemetry :8085
exec-engine :8086
hardware-mgr :8082
vbng (DPDK)
freeradius :1812
isc-kea :67
postgres :5432

Topology mirrored from the control-plane design spec at docs/superpowers/specs/2026-04-29-dash-ispchamp-control-plane-design.md inside the ISPChamp source tree. Verified against the live go.work workspace.

04 / Multi-vendor hardware

Speaks every OLT and every edge router on the Bangladesh ladder.

Native SNMP drivers for 6 OLT vendors, automation adapters for 5 router vendors. PPPoE on legacy MikroTik edges coexists with IPoE on new OLT terminations during migration.

OLT vendors

native SNMP drivers
ZTE
ZTE
C300 / C600
22 OIDs
Huawei
Huawei
MA5800
25 OIDs
BDCOM
BDCOM
GP3600
18 OIDs
CDATA
CDATA
FD1104 / FD1108
16 OIDs
VSol
VSol
V1600G
14 OIDs
Generic
Generic
IF-MIB / ENTITY-MIB
Standard

Router automation

transactional rollback
MikroTik50+
MikroTik
RouterOS API
PPPoE ServerIPoE / DHCPSimple QueuesQueue TreesFirewallNAT
Cisco30+
Cisco
NETCONF / CLI
PPPoE / IPoEACLQoS PoliciesVLANBGP NeighborsNAT Rules
Juniper25+
Juniper
Junos XML
PPPoE / IPoEFirewall FiltersPolicersRouting InstancesCoSNAT
Huawei25+
Huawei
NETCONF / CLI
PPPoE / IPoETraffic PolicyQoS ProfilesACLVLANBGP Peers
ZTE20+
ZTE
SNMP / CLI
PPPoE / IPoEQoS QueuesACLVLANInterface ConfigDHCP Relay

Transactional rollback on every router operation.

If any step in a multi-command automation fails, ISPChamp rolls back to the previous state. No half-configured edges, no orphaned firewall rules, no late-night reconciliation by hand.

05 / The four surfaces

Operator, subscriber, partner, control plane.

Three portals run inside the on-prem appliance and a tenant-aware SaaS dash runs in the KaritKarma DC. All four share one Next.js 16 codebase, one Wenme identity, one Darwan policy set.

app.ispchamp.com / on-prem

Operator Admin

Day-to-day ISP operations: subscribers, plans, NAS, OLT/ONU, BNG sessions, IPAM, tickets. Runs in the cloud and on every on-prem box, fed by the same Go core-api.

SubscribersPlans + BillingOLT / ONUBNG SessionsIPAMTickets
my.ispchamp.com / on-prem

Subscriber Self-Service

End-customer portal. Real-time usage, plan upgrade, bKash / Nagad payment, connection diagnostics, support tickets. Mobile-first, Bangla and English.

UsagePay BillPlan UpgradeConnection InfoSpeed TestSupport
partner.ispchamp.com / on-prem

Partner Portal

Reseller and LCO surface. Earnings, commission statements, subscriber roll-up, wallet, payout requests. Tenant-scoped through the same Wenme + Darwan stack.

EarningsCommissionsSubscribersWalletPayoutsSettings
dash.ispchamp.com

Control Plane (dash)

KaritKarma-side multi-tenant SaaS dash: tenant CRUD, module entitlements, billing for the ISP itself, heartbeat + usage observability across every on-prem instance. Phase 1 in build.

TenantsModulesHeartbeatUsage RollupSubscriptionAudit

06 / Payments + billing

bKash, Nagad, SSLCommerz. Reconciled nightly.

Native provider integrations on the on-prem box, paid by the end-subscriber to the ISP's own merchant account. Daily multi-pass matching against the settlement file, exponential backoff retry on transient gateway errors, and RADIUS CoA reactivation the moment the dunning state clears.

  • bKash OAuth tokenized payments
  • Nagad RSA-signed callbacks
  • SSLCommerz multi-card gateway
  • 5-stage dunning: reminder, overdue, warning, suspend, terminate
  • Backoff 1h, 6h, 24h, 3d, 7d
  • Bangla and English invoice + statement
Payment + reactivation flow
  1. 01
    Invoice generated
    Billing cycle scheduler emits the monthly invoice + a portal notification.
  2. 02
    Customer pays
    bKash / Nagad / SSLCommerz from the self-service portal, branded for the ISP.
  3. 03
    Webhook received
    Idempotent provider webhook into the core-api payments handler, signed and verified.
  4. 04
    RADIUS CoA
    aaa-adapter pushes a Change-of-Authorization, restoring full bandwidth without dropping the session.
  5. 05
    Reconciled
    Nightly settlement matcher reconciles the gateway report against the local payment table.

07 / How ISPChamp compares

ISPChamp vs. hardware BRAS, vs. Splynx, vs. RadiusDesk.

The honest comparison. Hardware BRAS still wins raw ASIC speed per chassis, but only ISPChamp combines a software BNG on commodity x86 with the billing, automation, and BTRC-shaped compliance posture a Bangladesh ISP actually needs.

CapabilityISPChampHardware BRASSplynxRadiusDesk
Software BNG on commodity x86 (no hardware BRAS)
Wire-speed VPP / DPDK forwarding plane
Bundled ASIC, vendor lock-in
Native BTRC-format CGNAT session export
Bolt-on, vendor-specific
bKash, Nagad, SSLCommerz built-in
SSLCommerz add-on
Multi-vendor router + OLT automation
5 routers, 6 OLTs
Single vendor
MikroTik only
MikroTik / FreeRADIUS
Tenant data stays on-prem at the customer NOC
n/a
Cloud-hosted by default
Self-host
Control plane phones home, data plane never accepts inbound
Bangla / English bilingual operator + subscriber portals

Capability claims for Splynx and RadiusDesk based on public documentation as of 2026 Q2. Hardware BRAS reflects the ZTE M6000 and Huawei MA5800 product families typically deployed by tier-2 Bangladesh ISPs.

08 / Deployment path

Four steps from bare box to live subscribers.

BTRC will not let subscriber data leave the country. ISPChamp works inside that constraint by design: the appliance lives at your NOC, the SaaS dash never reaches in.

  1. Step 01

    Stand up the on-prem stack

    Drop the docker-compose appliance on a single Linux box at the ISP NOC. Traefik, Postgres, FreeRADIUS, ISC Kea, core-api, aaa-adapter, telemetry, execution-engine, hardware-manager, vbng, and the admin / customer / partner portals come up together. One compose, one .env.

  2. Step 02

    Wire the OLTs and routers

    Point ISPChamp at the OLT SNMP ports (ZTE, Huawei, BDCOM, CDATA, VSol, or generic). Add MikroTik / Cisco / Juniper edge routers through the multi-vendor automation API. Subscriber Option 82 from the OLT lands in ISC Kea.

  3. Step 03

    Migrate subscribers

    Bulk-import existing subscribers, plans, NAS, IP pools from legacy SRZONE or any CSV. Shadow-run RADIUS in parallel for a billing cycle so accounting reconciles before cutover. CoA flips live sessions onto the new policy.

  4. Step 04

    Phone home to the control plane

    On-prem opens an outbound-only channel to dash.ispchamp.com. Heartbeat every 30 seconds, usage rollup every 5 minutes. Subscriber PII, RADIUS records, and CDR never leave the NOC, by design and by BTRC mandate.

09 / Under the hood

The stack is the moat.

Built on the same Go and PostgreSQL backbone as the rest of the KaritKarma portfolio, plus the data-plane open-source projects ISPs already trust at scale.

  • Backend
    Go 1.26, sqlc, pgx, gRPC + Connect
  • Data plane
    VPP / DPDK, FRRouting, ISC Kea 3.0 LTS
  • AAA
    FreeRADIUS 3.2.7, rlm_sql + rlm_rest
  • Database
    PostgreSQL 18, 61+ migrations, tenant_id on every row
  • Frontend
    Next.js 16, React 19, Tailwind 4, ShadCN, Lucide
  • Identity
    Wenme OAuth 2.1 + PKCE, one shared Darwan tenant

10 / Frequently asked

Questions ISP operators ask first.

Each answer mirrors the on-page text in our structured-data payload, so AI answer engines and procurement reviewers see the same wording.

01What is ISPChamp?
ISPChamp is KaritKarma's ISP management platform: a software-defined BNG plus full OSS/BSS built for Bangladesh internet service providers. It replaces ZTE and Huawei hardware BRAS with a VPP/DPDK data plane on commodity x86, unifies FreeRADIUS 3.2.7 AAA, ISC Kea DHCP, deterministic CGNAT, billing, subscriber CRM, OLT/ONU SNMP management, ticketing, and an operator + subscriber + partner portal stack. The data plane and tenant data stay on the customer NOC by regulatory necessity, while a multi-tenant control plane at dash.ispchamp.com tracks heartbeats, module entitlements, and KaritKarma-side billing.
02Does ISPChamp support FreeRADIUS?
Yes. ISPChamp ships with FreeRADIUS 3.2.7. Phase 1 deploys rlm_sql_postgresql straight against the on-prem ISPChamp database. Phase 2 swaps to rlm_rest, calling into the Go aaa-adapter for post-auth profile injection, accounting fan-out, and RFC 5176 Change-of-Authorization disconnects. Live CoA lets ISPs change a subscriber's plan or speed without dropping the session.
03Which OLT vendors does ISPChamp support?
Six. Native SNMP drivers for ZTE C300/C600 (22 OIDs), Huawei MA5800 (25 OIDs), BDCOM GP3600 (18 OIDs, dual GPON/EPON), CDATA FD1104/FD1108 (16 OIDs), VSol V1600G (14 OIDs), and a generic driver covering IF-MIB and ENTITY-MIB. Each driver handles ONU discovery, signal-level monitoring (Rx/Tx power), and firmware tracking.
04Can ISPChamp run fully on-prem?
Yes, and by design it has to. Every customer ISP runs its own on-prem ISPChamp stack at the NOC, packaged as a single docker-compose appliance. Subscriber PII, RADIUS records, billing transactions, CDR, and lawful-intercept hooks never leave the customer box. The dash.ispchamp.com SaaS control plane only ever sees rolled-up heartbeats and usage aggregates, and the data flow is strictly outbound from on-prem.
05Does ISPChamp handle prepaid and postpaid billing?
Yes. The OSS/BSS handles monthly postpaid invoicing with a 5-stage dunning engine (reminder, overdue, warning, suspend, terminate), prepaid wallets with usage-based deduction, and metered FUP enforcement that triggers a RADIUS CoA speed reduction when a quota is crossed. Payments come in via bKash OAuth, Nagad RSA-signed callbacks, or SSLCommerz, with daily multi-pass reconciliation against the provider settlements.
06How does ISPChamp compare to Splynx, RadiusDesk, or a hardware BRAS?
Hardware BRAS from ZTE, Huawei, or Nokia ships a fast ASIC but locks the ISP into a single vendor for ~BDT 50 to 200 lakh up front and an expensive support contract. Splynx is a hosted billing and AAA SaaS oriented around MikroTik, with limited multi-vendor or BNG capability. RadiusDesk is open-source FreeRADIUS tooling without BNG, CGNAT, or BTRC compliance. ISPChamp is the only stack that combines a software BNG, multi-vendor router and OLT automation, deterministic CGNAT for BTRC, native Bangladesh payment integration, and a control plane built for the regulatory split between on-prem and SaaS.
07Is ISPChamp BTRC compliant?
Yes. Deterministic CGNAT means every NAT session is traceable: the same subscriber always maps to the same NAT IP and port-block pair, so a forensic query against a public IP and timestamp resolves back to the subscriber. CGNAT session logs export in BTRC CSV format with configurable retention (default 365 days), hourly gzip rotation, and RFC 5424 syslog forwarding. Lawful-intercept mediation, NID consent registries, and CDR all stay on the on-prem box.
08How does authentication work?
Operator and subscriber sign-in goes through Wenme (OAuth 2.1 + PKCE), with JWTs valid on both the SaaS dash and every on-prem instance under matching issuer-and-audience scopes. Authorization is delegated to a single shared Darwan tenant for all ISPChamp customers, enforcing RBAC plus deny-override ABAC on every action. Control plane is authoritative for staff globally; on-prem instances become a read-only staff mirror, synced every five minutes.

Replace the hardware BRAS

~BDT 50 lakh hardware.
One x86 server.

Bangladesh has more than 2,500 licensed ISPs serving 40M+ broadband subscribers, mostly running ZTE, Huawei, or Nokia hardware BRAS at lakhs per chassis. ISPChamp swaps the chassis for a Linux box and the patchwork billing for one platform.

Request a NOC walkthroughTalk to sales

Bring ISPChamp into your NOC.

Get a personalized walkthrough of ISPChamp with one of our specialists. No commitment required.

Request a demoTalk to sales