Network Operating System for Vessels

One platform.
Every vessel.
Total visibility.

A unified network operating system purpose-built for the maritime industry — managing connectivity, crew access, security, and fleet operations from a single pane of glass. Built on MikroTik. Designed for the open ocean.

100%
Built on MikroTik
WAN Failover
24/7
Offline Capable
Fleet Scale
01 / Vision

The bridge between
ship and shore

Modern vessels run on networks as critical as the engines themselves. Yet the tools to manage those networks — RouterOS, Winbox, fragmented satellite portals — were built for engineers, not operators. Every config change requires a VPN session into a single ship. Every fleet question requires logging into ten different systems.

We built a different kind of platform. One that treats a fleet as a fleet — not a collection of isolated routers. One that works when the satellite link drops, syncs intelligently when it returns, and gives non-technical staff the safety to operate the network without breaking it.

Edge-First

Local intelligence on every vessel — operations continue when WAN is unavailable.

Single Pane

Entire fleet visible from one dashboard. Drill from world map to a single user session.

Hardware Honest

CCR router + edge appliance. No vendor lock-in to satellite providers.

Operator Ready

Designed for pursers and managers — not just network engineers.

02 / Architecture

Edge plus cloud.
Built for the open sea.

Architecture diagram

VESSEL · ON-BOARD EDGE
  • WAN uplinks: VSAT · Starlink · 4G/LTE · Port WiFi
  • MikroTik CCR (RouterOS v7): Firewall · QoS · VLAN · WireGuard
  • Edge Box (mini-PC · Docker): DB · IDS · Local UI · Sync
  • VLAN segmentation and end devices:
      VLAN 10 Operations: ECDIS · VDR · Engine PLC · Bridge PCs
      VLAN 20 Business: Captain laptop · Office PCs · Printers
      VLAN 30 Crew: Crew phones · Cabin TVs · Welfare WiFi
      VLAN 40 Guest: Guest devices · Lounge captive portal
  • Crew · Operations · Bridge · Guests

WireGuard tunnel
  • ▲ Telemetry · MQTT
  • ▼ Commands · RouterOS API

SHORE HQ · CENTRAL CLOUD
  • API Gateway · Load Balancer: HTTPS · WSS · MQTT-TLS
  • Core API: Node.js
  • Poller: RouterOS API
  • Worker: Jobs · Alerts
  • Data layer: PostgreSQL · TimescaleDB · Redis
  • Web Dashboard: Fleet map · Vessels · Users · Vouchers · Reports
  • Mobile App: React Native · iOS & Android
  • Integrations: SMTP · SMS · Webhooks · ERP · CRM
  • Fleet managers · Captains · Pursers · Helpdesk

⬢ ON THE VESSEL

Two devices.
One brain.

MikroTik CCR is the network plumbing — firewall, VLANs, hotspot, QoS, multi-WAN failover, WireGuard endpoint. The Edge Box (a fanless mini-PC running Docker) is the brain — local database, IDS, sync agent, local dashboard. They live side-by-side on the bridge.

⬢ THE TUNNEL

WireGuard.
Always on.

Every vessel maintains a WireGuard tunnel to the shore cloud. Telemetry flows up via MQTT — the same protocol used by IoT — because it sips bandwidth. Commands flow down via the RouterOS API. Reconnection is automatic and stateful.

⬢ AT THE SHORE

Cloud HQ.
Multi-tenant.

A clean stack: Node.js services behind an API gateway, PostgreSQL for relational data, TimescaleDB for time-series telemetry, and Redis for caching. Web dashboard in React, mobile app in React Native — same codebase, two platforms.

03 / Features

Seven pillars.
One operating system.

Every feature listed here is delivered through the MikroTik routing layer and the Edge Box working in concert. Nothing on this page is aspirational.

Pillar I

Connectivity Control

Hybrid WAN orchestration across satellite, cellular and Wi-Fi. The router selects the best link in real time and switches without dropping sessions.

  • Multi-WAN failover: VSAT · Starlink · 4G/LTE · Port Wi-Fi
  • Cost-aware routing: Cheapest available link wins
  • Link health scoring: Latency · loss · jitter · throughput
  • Policy-based routing: Per-VLAN, per-app, per-time
  • Connection bonding: PCC for parallel link use
  • Auto-reconnect: Stateful failover via Netwatch

Pillar II

Traffic Management

Every megabyte on a satellite link costs money. The platform shapes, prioritizes and meters traffic so operations always wins, and crew entertainment never starves the bridge.

  • Per-user bandwidth: Crew, captain, ops — distinct profiles
  • Application priority: Email > voice > web > bulk
  • Quota enforcement: Daily, monthly, total caps
  • Burst control: Fair share during contention
  • Time-of-day shaping: Crew-hours vs ops-hours
  • Per-VLAN policy: Hard isolation · soft prioritization

Pillar III

Security & Isolation

Operational technology — ECDIS, VDR, engine telemetry — must never share a broadcast domain with crew Netflix. The platform enforces strict separation and detects intrusion attempts in real time.
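
One way to check the separation described above, as an added example that is not the platform's own code: a first-match audit of which VLANs can still reach the Operations VLAN. The rule objects, function names and both rule sets are constructed assumptions; the VLAN numbers are the ones on this page.

```javascript
// Added example (not the platform's code). Rules are a simplified, constructed model of
// a forward-chain filter list for new connections, not RouterOS export syntax.
const VLANS = { 10: 'Operations', 20: 'Business', 30: 'Crew', 40: 'Guest' };
const PROTECTED = 10; // OT segment: ECDIS, VDR, engine telemetry

// First matching rule decides. RouterOS accepts a packet that no filter rule matches,
// so a missing rule is an allow, not a deny.
function verdict(rules, src, dst) {
  for (const [i, r] of rules.entries()) {
    const srcOk = r.src === 'any' || r.src === src;
    const dstOk = r.dst === 'any' || r.dst === dst;
    if (srcOk && dstOk) return { action: r.action, rule: i };
  }
  return { action: 'accept', rule: null };
}

// List every other VLAN that can still open a flow into the Operations VLAN.
function auditIsolation(rules) {
  const findings = [];
  for (const src of Object.keys(VLANS).map(Number)) {
    if (src === PROTECTED) continue;
    const v = verdict(rules, src, PROTECTED);
    if (v.action !== 'accept') continue;
    const via = v.rule === null ? 'implicit accept' : `rule ${v.rule}`;
    findings.push({ from: VLANS[src], via });
  }
  return findings;
}

// Constructed rule sets (hypothetical).
const weak = [
  { src: 40, dst: 10, action: 'drop' },
  { src: 20, dst: 'any', action: 'accept' },  // broad allow shadows the drop below
  { src: 20, dst: 10, action: 'drop' },       // never reached
];                                            // Crew (30) has no rule at all
const hardened = [
  { src: 'any', dst: 10, action: 'drop' },    // deny into Operations first
  { src: 20, dst: 'any', action: 'accept' },
  { src: 'any', dst: 'any', action: 'drop' }, // explicit default deny
];

const weakFindings = auditIsolation(weak);
const hardenedFindings = auditIsolation(hardened);
```

The weak set leaks twice, once through rule ordering and once through the implicit accept; the hardened set reports nothing.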

  • VLAN isolation: Operations · Business · Crew · Guest
  • Stateful firewall: RouterOS filter rules, audited
  • WireGuard VPN: Modern crypto, low overhead
  • Intrusion detection: Suricata IDS on Edge Box
  • DNS filtering: Block malicious domains
  • MAC blocklist: Ban devices fleet-wide

Pillar IV

Crew & User Management

Pursers and reception staff manage hundreds of crew and guest accounts without ever opening Winbox. Voucher commerce, crew quotas, and self-service top-ups are first-class features.

  • Hotspot & PPPoE: Captive portal · branded login
  • Voucher engine: Generate, print PDF, track redemption
  • Self-service portal: Crew check own quota, top up
  • Bulk operations: Onboard 200 crew in one CSV
  • Per-user reporting: Usage history, sessions, devices
  • Force disconnect: One-click kick offending user

Pillar V

Visibility & Analytics

You cannot manage what you cannot see. Live telemetry, historical trends, per-vessel and per-fleet reports — all stored permanently in our database long after RouterOS rotates its own logs.

  • Live monitoring: CPU · RAM · sessions · bandwidth
  • Historical charts: Hours · days · months · custom
  • Top-talker reports: Find the bandwidth hog instantly
  • Cost attribution: VSAT vs 4G vs port WiFi split
  • SLA tracking: Uptime per vessel, per link
  • Export anywhere: PDF · Excel · CSV · API

Pillar VI

Fleet Operations

Manage one ship or one hundred from the same screen. Push config to a single vessel or an entire fleet in seconds. Every change is versioned, auditable, and reversible.

  • World map view: Live vessel positions & status
  • Config templates: Apply to one or a hundred ships
  • Backup & restore: Daily automated, one-click rollback
  • Firmware scheduling: Update only when ship is in port
  • Role-based access: Admin · manager · captain · purser
  • Audit log: Every action, who, when, what

Pillar VII

Alerts & Automation

The platform watches the fleet around the clock and tells you only when something matters. Threshold-based today, machine-learned tomorrow — honest about what is rule and what is intelligence.

  • Vessel offline alert: Beyond configurable threshold
  • WAN switchover alert: Know when VSAT failed to 4G
  • Quota warnings: Notify at 80% / 100% reached
  • Anomaly rules: "50GB in 2hrs" → flag & investigate
  • Multi-channel delivery: Email · SMS · Telegram · webhook
  • Mobile push: Critical alerts to captain's phone

04 / Dashboard

A glimpse of the
command bridge.

A minimum viable layout — fleet overview, drill-down, and live action. Real interface follows this structural language.

Dashboard mock-up · maritime-nms.app/fleet · live

Fleet Overview · last sync 12 seconds ago
  • Vessels: 24 (↑ 2 added)
  • Online: 22 (91.7% uptime)
  • Active Users: 412 (↑ 18 in 1h)
  • Bandwidth: 847 Mb/s (peak 1.2 Gb/s)

Live Fleet Map · global view (legend: online · degraded · offline)

Bandwidth · 24h (Mb/s)

WAN Mix · today (% of traffic)
  • Starlink: 62%
  • VSAT: 22%
  • 4G/LTE: 11%
  • Port WiFi: 5%

Layout schematic · final visual design follows brand guidelines · all data illustrative

05 / Offline-First

When the link drops,
the ship keeps going.

A satellite outage is a fact of life at sea — passing under heavy weather, a port shadow, an idle minute between hand-offs. Most management platforms go dark in those minutes. Ours does not.

The Edge Box on every vessel is the local source of truth. Crew Wi-Fi keeps authenticating. Vouchers keep validating. Telemetry keeps recording into local PostgreSQL. The local dashboard remains accessible over ship LAN. The network does not even notice the outage.

When the WAN returns, the agent opens the WireGuard tunnel and begins a quiet reconciliation: queued telemetry uploads first, then any pending shore-side commands execute in order. Conflicts are resolved with clear rules — shore is source of truth for configuration, ship is source of truth for usage data.

Outage & Recovery Sequence · timeline

01 · Normal Operation
Ship online via Starlink. Edge Box pushes telemetry to cloud every 30s. Operator commands executed within seconds.
14:22:00 · WAN healthy · ack < 2s

02 · WAN Lost
Starlink degrades during weather. RouterOS Netwatch detects loss; failover to 4G fails (out of coverage). Tunnel down.
14:23:14 · all WAN unreachable

03 · Edge Takes Over
Edge Box continues authenticating crew, validating vouchers, enforcing quotas, recording metrics into local PostgreSQL. Local dashboard remains live on ship LAN.
14:23:15 · queue depth: 0 · local UI active

04 · Buffer Grows
Telemetry events queue locally. Shore-side commands queue in cloud Redis. Operator UI shows vessel as offline with last-known good state.
14:34:00 · 11min · ~2.3 MB queued

05 · Link Restored
Starlink recovers. WireGuard re-establishes in < 5s. Edge agent batches queued telemetry over MQTT. Cloud applies queued commands in order.
14:35:42 · sync complete in 8s

06 · Reconciled
Cloud and ship now agree. Operator sees a complete history with no gaps. Audit log records the outage window with exact duration.
14:35:50 · zero data loss
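
The reconciliation order and ownership rules of this section (telemetry first, then shore commands in order; shore owns configuration, ship owns usage data), as an added example that is not the platform's own code. The record shapes, field names and sample values are assumptions constructed for illustration.

```javascript
// Added example (not the platform's code). Record shapes and names are assumptions.
function reconcile(shore, ship) {
  const usage = { ...shore.usage };
  const config = { ...shore.config };
  const audit = [];
  const seen = new Set();
  // 1) Queued telemetry first, oldest first; a repeated seq (retried batch) is ignored.
  for (const ev of [...ship.telemetry].sort((a, b) => a.seq - b.seq)) {
    if (seen.has(ev.seq)) { audit.push(`duplicate telemetry #${ev.seq} ignored`); continue; }
    seen.add(ev.seq);
    // Ship is source of truth for usage data only; it cannot push config upward.
    if (ev.kind === 'usage') usage[ev.key] = ev.value;
    else audit.push(`ship ${ev.kind} "${ev.key}" rejected`);
  }
  // 2) Pending shore-side commands run in queue order; shore owns configuration only.
  for (const cmd of shore.commands) {
    if (cmd.kind === 'config') config[cmd.key] = cmd.value;
    else audit.push(`shore ${cmd.kind} "${cmd.key}" rejected`);
  }
  // 3) Config changed on board during the outage is reset to the shore value.
  const pushToShip = {};
  for (const [key, value] of Object.entries(config)) {
    if (ship.config[key] !== value) {
      pushToShip[key] = value;
      audit.push(`config "${key}" reset to shore value`);
    }
  }
  return { usage, config, pushToShip, audit };
}

// Constructed sample: quota edited on the local UI while offline, usage metered on board.
const shore = {
  config: { crewQuotaMB: 500 }, usage: { 'crew-017': 120 },
  commands: [
    { kind: 'config', key: 'crewQuotaMB', value: 750 },
    { kind: 'config', key: 'crewQuotaMB', value: 600 },
    { kind: 'usage', key: 'crew-017', value: 0 },   // shore may not rewrite usage
  ],
};
const ship = {
  config: { crewQuotaMB: 2000 },
  telemetry: [
    { seq: 2, kind: 'usage', key: 'crew-017', value: 410 },
    { seq: 1, kind: 'usage', key: 'crew-017', value: 300 },
    { seq: 2, kind: 'usage', key: 'crew-017', value: 410 },  // duplicate delivery
    { seq: 3, kind: 'config', key: 'crewQuotaMB', value: 2000 },
  ],
};
const result = reconcile(shore, ship);
```

Every rejected or overridden write lands in `audit`, which is the record an operator would review after an outage window.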
06 / Platforms

Web. Mobile. On-board.
One source of truth.

Web Dashboard

Browser, anywhere

Full-featured operator console. Optimized for desktop screens with rich visualizations, dense data, and keyboard-driven workflows. React + Tailwind, lightweight enough to run on a satellite link.

Mobile App

In your pocket

React Native — one codebase, iOS and Android. Push notifications for critical alerts. Captain or fleet manager view depending on role. Offline mode for connecting directly to the ship's Edge Box.

Local Edge UI

Aboard, always

A streamlined dashboard served directly from the Edge Box on the ship LAN. Used by the captain or purser when WAN is degraded — or simply preferred for on-board tasks. No cloud round-trip required.

07 / Engineering

Modern stack.
Boring on purpose.

We chose proven, mature tools that we can ship, debug and maintain at scale — not the hot framework of the month.

Edge Box
  • OS: Debian 12
  • Runtime: Docker
  • Agent: Node.js
  • Local DB: PostgreSQL
  • Queue: Redis
  • IDS: Suricata
  • VPN: WireGuard
Cloud
  • API: Node.js · Fastify
  • Database: PostgreSQL
  • Time-series: TimescaleDB
  • Cache: Redis
  • Broker: EMQX · MQTT
  • Storage: S3-compatible
  • Jobs: BullMQ
Frontend
  • Web: React · Tailwind
  • Mobile: React Native
  • Charts: Recharts · D3
  • Maps: MapLibre GL
  • Auth: JWT · refresh
  • Realtime: WebSockets
  • i18n: EN · TR · AR · FR

On every vessel

Hardware

Two devices, low cost, marine-grade, 12V DC compatible. Pre-flashed and shipped ready to install.

Router
MikroTik CCR
  • Cloud Core Router series
  • RouterOS v7+
  • Multi-WAN, VLAN, hotspot
  • WireGuard endpoint
  • SFP+ for high-speed uplinks
Edge Box
Mini-PC Appliance
  • Fanless industrial mini-PC
  • Intel N100 / i3 · 4 cores
  • 8–16 GB RAM · 256 GB NVMe
  • Dual Ethernet · 12V DC
  • Debian + Docker stack

08 / Roadmap

From pilot to fleet.
Phase by phase.

Phase 1 · MVP
Foundation
2–3 months
  • Edge Box image & provisioning
  • MikroTik connector layer
  • WireGuard tunnel infrastructure
  • Multi-tenant cloud backend
  • Web dashboard (fleet, vessels, users)
  • Basic monitoring & alerts
  • Voucher engine
  • Offline-first sync
▸ Pilot on 3–5 vessels

Phase 2 · Operations
Revenue
2 months
  • Captive portal · branded
  • Multi-WAN intelligence
  • Cost-aware routing rules
  • Mobile app v1 · React Native
  • Reports module · PDF/Excel
  • Config backup & multi-ship push
  • Role-based access control
▸ Full revenue features

Phase 3 · Security
Hardening
2 months
  • Suricata IDS integration
  • DNS filtering · AdGuard
  • Anomaly detection rules
  • Audit log · immutable
  • Self-service portal · crew
  • Bulk operations · CSV import
  • Mobile push notifications
▸ Production hardened

Phase 4 · Scale
Enterprise
ongoing
  • Open API · webhooks
  • ERP / CRM integrations
  • White-label · multi-brand
  • On-prem deployment option
  • ML-driven optimization
  • Advanced analytics
  • Container hosting on edge
▸ Enterprise tier

09 / Next

Ready to bring your fleet
into one view?

Every engagement starts with a discovery session. We map your fleet, your current MikroTik deployment, your WAN providers, and your top three pain points — and come back with a concrete pilot plan.

01
Discovery

90-minute workshop. Fleet, hardware, pain points. No commitment.

02
Pilot Plan

3–5 vessel pilot scoped, priced and timeboxed. Goes live in eight weeks.

03
Fleet Rollout

Phased deployment to remaining vessels with hand-holding throughout.

Book a Discovery Session →

contact@maritime-nms.com · Response within one working day