A managed network management platform for teams that can't afford black-box tools or silent telemetry. Deployed on your infrastructure. Auditable down to the source. Supported by the engineer who built it — with commercial SLAs when you need them.
5NinesNet builds focused network management products — not sprawling all-in-one suites. Each portal does one job well, runs on your infrastructure, and is backed by the engineer who wrote the code.
If you're managing routers, switches, and TACACS+ at ISP or enterprise scale — start with NMS Portal. If you're running an OPNsense firewall and want modern day-to-day security operations — start with 5NinesNet SecureEdge. Many customers deploy both; we offer a bundled engagement when that makes sense.
5NinesNet isn't for everyone. It's built for teams with specific network management requirements that generic SaaS tools can't meet.
"We run BGP with multiple transits. We have dozens of devices. TACACS+ is mission-critical. Our config history is a mess of SCP dumps nobody trusts."
"We sell managed network services. We need customer-isolated tenants, white-label reports under our brand, and a platform we can stand behind without rebuilding from scratch."
"We run air-gapped. Our procurement team asks for SBOMs. We can't deploy anything that phones home. Every component must be verifiable before it touches our network."
tcpdump — no telemetry
Stripped of marketing language, here are the five network management problems that drive buyers to 5NinesNet. If any of these sound like your week, we should talk.
"You got audited last week. Nobody could tell the auditor who ran conf t on the edge router at 2am on March 3rd."
Full TACACS+ command accounting. Every command, every user, every device, every timestamp — searchable in Grafana, exportable as PDF.
"Your security team can't let you deploy the SaaS NMS. It phones home with your network topology. Procurement is stuck."
Zero outbound telemetry. Verifiable with tcpdump before you sign. Full SBOM with every release.
"Cisco ISE quote came back at $40K/year just for the licenses. We're a 12-device network."
Flat appliance pricing. No per-device licensing. Same TACACS+ capability Cisco charges for — plus monitoring, config backup, and HA in the same platform.
"Our vendor support is a ticket queue in another time zone. When the border router went down, we got a Tier-1 script-reader asking us to reboot."
Your support tickets reach the engineer who wrote the code. Not a call center. Not Tier 1. The person who knows the commit history.
"What if our NMS vendor gets acquired or shuts down? We've got 200 device configs depending on their software working forever."
Source escrow is built in — the code is yours from day one. If we vanish, your team forks the repo and keeps running. Vendor-proof by design.
Built from the ground up for real-world network operations — not a checkbox SaaS product.
Full TACACS+ management UI backed by tac_plus. Per-user privilege levels, command authorization, and per-session audit trails with AD/LDAP integration.
tac_plus · AD · Priv 15
Full SNMPv3 AuthPriv support with SHA/AES. Poll CPU, memory, interfaces, errors, and custom OIDs from Cisco IOS, ASA, NX-OS, and more.
SHA · AES · MIB-II
Automated config archival via Oxidized. Every change committed to Git with full diff viewer, rollback capability, and per-device history timeline.
Oxidized · Git · Diff
Active/Standby HA with VRRP VIP, automated rsync of Loki, Prometheus, syslog, and TACACS data. Preflight health checks before every sync. Zero-downtime management continuity.
VRRP · rsync · Preflight
Deploy the full platform under your own brand. No 5NinesNet references. Complete theming, custom logos, customer-isolated tenants, and security transparency docs.
OEM · Multi-tenant · Custom
Grafana-powered panels fed by Prometheus, Loki, and SNMP Exporter. Real device data from your actual environment.
| Jail | Banned | Attempts 1h | Status |
|---|---|---|---|
| sshd | 11 | 243 | ● Active |
| nginx-http-auth | 2 | 18 | ● Active |
| tacacs-auth | 1 | 4 | ● Active |

| User | Priv | Auth | Devices / Action |
|---|---|---|---|
| ft | priv 15 | 142 auth | RT-EG-01-A, SW-01-A, ASA |
| rmartinez | priv 7 | 98 auth | SW-01-A |
| achen | read-only | 39 auth | RT-EG-01-A |
| unknown | — | 5 blocked | Fail2Ban auto-ban |
Clone from GitHub. Edit a single config file with your device IPs, SNMP credentials, and SMTP settings.
git clone …
One script installs all dependencies — FastAPI, Prometheus, Grafana, Loki, tac_plus, Oxidized, nginx, Fail2Ban, UFW.
./bootstrap.sh
Add routers, switches, and firewalls via the portal UI. Apply & Restart auto-generates snmp.yml and prometheus.yml.
Portal → Devices
Full visibility from day one. Dashboards, alerts, TACACS audit logs, config diffs, and syslog — all live.
Dashboard → Live
Scheduled PDF and CSV exports for network health, security posture, and compliance. Customer-ready on demand.
Most NMS tools show you everything your network contains. 5NinesNet shows you everything your team needs to see. Curated multi-canvas views, drag-and-drop layout, ghost/alias nodes, and multi-hop chain links — your topology as a living document of network intent, not a scan result.
Links store a full hops[] path — Source → via SW1 Gi0/24 → via ASA → Target. Each hop has SNMP interface pickers for in/out interfaces. Labels render on-canvas offset from the line.
Right-click any device → Create Alias. The alias shares the same IP and SNMP data as the original, appears with a dashed border and numbered badge (② ③), and can connect to different parts of the topology. Deleting an alias never affects the original.
Right-click any link to open the full hop-builder pre-filled with existing hops and interface assignments. Changes are saved via PATCH — no page reload, no data loss.
All instances of the same physical device — original and all aliases — automatically share a unique color ring derived from the device ID. No configuration required.
Separate canvases for WAN, per-site, management, and core topology. Each view is purposeful — your NOC team sees what matters for their scope. No spaghetti, no unused interfaces, no decommissioned devices cluttering the map.
Auto-discovery tools map everything — unmanaged printers, loopbacks, VLAN interfaces, stale hosts. The map becomes unreadable in days. 5NinesNet puts you in control: you decide what goes on the canvas, and the result stays clean forever.
Built-in iPerf3 TCP/UDP, ping, traceroute, and DNS tests. Run from the local NMS or SSH into any remote node to measure real WAN throughput from the network edge — not from the server room. Results feed directly into Grafana for time-series trending.
| Name | Target | Type | Last Result |
|---|---|---|---|
| RT Edge Throughput | 10.1.2.1 | iPerf3 | 941 Mbps |
| ASA VPN Latency | 10.1.2.12 | Ping | 2.1 ms |
| Copy of RT Edge Throughput | 10.1.2.11 | iPerf3 | 487 Mbps |
| BGP Path Trace | 203.0.113.1 | Traceroute | 9 hops OK |
Measure real TCP/UDP throughput between NMS and any network device or server. See download, upload, jitter, and packet loss per test run — with trend history.
Continuous RTT tracking with min/avg/max and packet loss. Alerts fire when latency spikes above threshold. All data stored in Prometheus for Grafana trend visualization.
On-demand traceroute with hop-by-hop RTT and ICMP response analysis. Identify path changes, asymmetric routing, and transit provider issues before customers do.
Hit the ⧉ clone icon on any test row to instantly copy all settings — target, type, schedule, thresholds — prefilled with a "Copy of" prefix so you can modify and save without rebuilding from scratch.
Tests run on configurable intervals (every 5 min to every 24h) or triggered manually. Historical results surface in the dashboard so you can see when throughput degraded — even after the fact.
Register any remote NMS node in seconds. SSH key trust is installed automatically — no agents, no VPN tunnels, no manual copy-paste. Once enrolled, performance tests originate from that node's network vantage point, giving you real end-to-end measurements across your WAN.
| Node | IP | SSH | Ports |
|---|---|---|---|
| NYC-NMS-01 | 10.2.0.10 | ● Trusted | ✓ 5201 · 9090 · 3100 |
| LAX-NMS-01 | 10.5.0.10 | ● Trusted | ✓ 5201 · 9090 · 3100 |
| LHR-NMS-01 | 10.8.0.10 | ⚠ Not verified | Install Trust → |
Enter the remote node's SSH username and password. The portal automatically installs the SSH public key via sshpass, verifies passwordless access, and confirms all required ports are reachable — no manual copy-paste, no terminal required.
When a node is enrolled, UFW rules are automatically added scoped to that node's IP only — ports 5201, 9090, and 3100. Broad ALLOW Anywhere rules are removed. When a node is deleted, its rules are removed. The firewall always reflects exactly what's enrolled.
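The reconciliation described above can be treated as a diff between the rules the enrolled nodes require and what `ufw status` reports. This is an added example, not code from the 5NinesNet portal; `parse_ufw_status`, `reconcile`, and the sample status text are hypothetical, and TCP is assumed for all three ports because the page names no protocol.

```python
import ipaddress
import re

NODE_PORTS = (5201, 9090, 3100)  # ports named on the page
PROTO = "tcp"                    # assumption: the page does not state a protocol

# Matches IPv4 `ufw status` rows such as "5201/tcp   ALLOW   10.2.0.10".
# "(v6)" rows are not handled in this sketch.
RULE_RE = re.compile(r"^(\d+)(?:/(tcp|udp))?\s+ALLOW(?:\s+IN)?\s+(\S+)$")

def parse_ufw_status(text):
    """Return {(port, proto, source)} for ALLOW rules on the node ports."""
    rules = set()
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and int(m.group(1)) in NODE_PORTS:
            rules.add((int(m.group(1)), m.group(2) or "", m.group(3)))
    return rules

def _delete_cmd(port, proto, src):
    if src == "Anywhere":  # broad rule, removed by its port spec
        return f"ufw delete allow {port}" + (f"/{proto}" if proto else "")
    cmd = f"ufw delete allow from {src} to any port {port}"
    return cmd + (f" proto {proto}" if proto else "")

def reconcile(enrolled_ips, status_text):
    """Return ufw commands that make the node-port rules match enrollment.

    Addresses are validated with ipaddress (ValueError on bad input) so
    nothing but an IP literal can reach a generated command line.
    """
    wanted = {(port, PROTO, str(ipaddress.ip_address(ip)))
              for ip in enrolled_ips for port in NODE_PORTS}
    current = parse_ufw_status(status_text)
    # Add scoped rules first, then drop broad and stale ones, so an
    # enrolled node is never cut off in the middle of the change.
    adds = [f"ufw allow from {src} to any port {port} proto {proto}"
            for port, proto, src in sorted(wanted - current)]
    deletes = [_delete_cmd(*rule) for rule in sorted(current - wanted)]
    return adds + deletes

# Constructed sample of `ufw status` output, not taken from a real host.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       10.1.2.0/24
5201/tcp                   ALLOW       Anywhere
9090/tcp                   ALLOW       10.2.0.10
3100/tcp                   ALLOW       10.2.0.10
5201/tcp                   ALLOW       10.9.9.9
"""

if __name__ == "__main__":
    for command in reconcile(["10.2.0.10", "10.5.0.10"], SAMPLE_STATUS):
        print(command)
```

Rules on other ports, such as the SSH rule in the sample, are left untouched because only the three node ports are reconciled.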
After trust is installed, the portal SSHes into the remote node and tests each required port back to the collector using netcat. You see green/red per port — not just "it worked" but proof that the network path is actually open end-to-end.
Adding a remote node automatically creates a Performance endpoint — no double-entry. Tests set to use that node as source will SSH in and run iperf3 from the remote site. Delete the node and the endpoint is cleaned up automatically.
Full-screen NOC dashboard optimized for wall displays and operations centers. Real-time device health, BGP status, active alarms, and syslog stream — auto-refreshing with zero operator interaction required.
Designed for large screens and TV-mounted displays. High contrast, large font metrics, and auto-refresh — operators see everything at a glance without touching the keyboard.
SNMP metrics, BGP session state, VPN connections, TACACS auth status, and syslog stream all update live. Powered by Prometheus and Loki — no polling delay.
Critical alerts appear in red, warnings in amber, healthy in green. The NOC operator knows immediately what needs attention — and what can wait.
Active/Standby HA with VRRP VIP failover, full data sync — Loki logs, Prometheus metrics, syslog, TACACS audit trails — so the standby node is ready to take over without data gaps.
A single VIP (10.1.2.251) floats between nodes via keepalived VRRP. Devices, SNMP pollers, syslog forwarders, and TACACS clients always point to the VIP — failover is transparent.
HA sync replicates Loki log storage, Prometheus metric time-series, and all syslog/TACACS history. The standby node has your full operational history — not just configuration — so failover has zero audit gaps.
Before every sync run, the portal checks SSH trust, service readiness, and data path accessibility. If anything fails, an amber warning panel surfaces exactly which check failed — sync is blocked until it's clean.
System scripts and sudoers entries are reinstalled on every update.sh run — not just at bootstrap. Configuration drift between nodes is eliminated automatically.
cd ~/nms-portal && git pull && sudo ./update.sh
TACACS+ (Terminal Access Controller Access-Control System Plus) controls who logs into your routers, switches, and firewalls and what commands they can run, and creates a full audit trail of every action. It is the authentication backbone of every serious enterprise and ISP network.
| User | Device | Priv | Command | Time | Result |
|---|---|---|---|---|---|
| ft | RT-EG-01-A | 15 | show bgp summary | 09:41 | ✓ permit |
| ft | ASA-EG-01 | 15 | crypto key generate rsa | 09:38 | ✓ permit |
| rmartinez | SW-01-A | 7 | show interfaces | 08:52 | ✓ permit |
| rmartinez | SW-01-A | 7 | configure terminal | 08:53 | ✗ deny |
| unknown | ASA-EG-01 | — | brute-force · auto-banned | 03:14 | ✗ blocked |
Every login to every Cisco IOS, ASA, NX-OS, or other TACACS-capable device goes through the 5NinesNet TACACS+ server. Username and password validated against local users, Active Directory groups, or both. Failed auth attempts are logged, bannered, and trigger Fail2Ban rate limiting automatically.
Granular per-user and per-group command authorization. Privilege level 15 for senior engineers, level 7 for NOC read-only, level 1 for view-only. Specific commands can be permitted or denied per user per device — no more "give everyone enable" because it's easier.
Every command entered on every device is logged with timestamp, username, source IP, device, and result. The accounting log is ingested by Loki, queryable in Grafana, and exportable as PDF/CSV. Answers "who ran that command at 2am" in under 10 seconds.
Live Grafana dashboard shows authentication activity by hour (7-day heatmap), success/fail rates per user, top devices, and anomaly detection. Automated weekly PDF reports are customer-deliverable — show your client a signed, timestamped access audit without touching the CLI.
5NinesNet is a commercial network management platform built on a fully auditable open-source foundation. What you're buying is the engineering relationship: deployment, tuning, updates, and the engineer who built it on the other end of your support tickets.
Single-site deployments that need a real vendor relationship — someone to call when it matters, a tested update channel, and commercial terms.
For service providers billing their own customers. White-label the portal, isolate tenants, and deliver signed audit reports under your brand — not ours.
For carriers, regional ISPs, and regulated environments where the NMS is production-critical and standard tiers don't fit.
Every line of the platform is auditable before you buy and after you deploy. This isn't a free alternative to the paid editions — it's your insurance policy against vendor lock-in. If we vanish tomorrow, your team keeps the code and keeps running. Evaluate on GitHub, audit it with your security team, then engage when you want the engineer who built it on the other end of your support tickets.
tcpdump. Your data never leaves your network.
| Feature | 5NinesNet | SolarWinds | Traditional NMS | Cloud NMS |
|---|---|---|---|---|
| Source Code Auditable | ✓ Full OSS | ✗ | ✗ | ✗ |
| TACACS+ Management UI | ✓ Full | ✗ | Basic only | ✗ |
| Git-based Config Backup | ✓ Native | Add-on | ✗ | SaaS only |
| Fail2Ban / UFW Management | ✓ Built-in | ✗ | ✗ | ✗ |
| Self-Hosted / On-Premise | ✓ Always | Option | Varies | Cloud only |
| White-Label / OEM | ✓ Included | Enterprise tier | ✗ | ✗ |
| Zero-Trust Transparency | ✓ PCAP export | ✗ | ✗ | ✗ |
| SSH Remote Performance Testing | ✓ Native | ✗ | ✗ | Limited |
| Linux OS Authorization (sudoers) | ✓ Per AD Group | ✗ | ✗ | ✗ |
| Intentional Topology (No Auto-Sprawl) | ✓ By Design | Auto-only | Auto-only | Auto-only |
| Perf Metrics → Grafana (Native) | ✓ Built-in | Add-on | ✗ | SaaS only |
| Starting Price | From $2,988/yr | $18,000+/yr | $5,000+/yr | $199+/mo |
5NinesNet isn't the right answer for every network. Here's when you should pick a competitor — and when you shouldn't.
You're already locked into the Cisco ecosystem with an enterprise agreement, need a Fortune 500 vendor name on procurement paperwork, and budget isn't a constraint.
You need mass auto-discovery across a sprawling heterogeneous network, Windows-centric operations, and you're comfortable with the vendor's security track record.
You want SaaS simplicity, have no data-residency constraints, and your network data can leave your infrastructure. You're willing to pay usage-based pricing that scales with your network.
You need auditability, your data has to stay on your infrastructure, you'd rather talk to the engineer who built it than a Tier-1 queue, and you want vendor-lock-in protection written into the architecture itself.
Engineered in the United States. Every component open source and auditable. No cloud dependencies, no telemetry, no black boxes — designed for the security posture of regulated industries, critical infrastructure, and government-adjacent environments.
Designed, built, and maintained in the United States by a network engineer with production ISP and enterprise infrastructure experience. No offshore development, no foreign dependencies in the core stack.
U.S. ORIGIN · U.S. STACK
Every component — FastAPI, Prometheus, Grafana, Loki, tac_plus, UFW, Fail2Ban, SSSD — has publicly audited source code. No proprietary daemons, no compiled blobs, no mystery processes on your management server.
OSS · AUDITABLE · NO BLOBS
The portal never makes outbound connections to 5NinesNet or any third party. No license checks, no usage analytics, no crash reporting. What happens on your network stays on your network — verifiable by packet capture.
NO TELEMETRY · AIR-GAP READY
Once bootstrapped, operates with zero internet connectivity. All dependencies install at setup time. Suitable for isolated environments, classified networks, and OT segments requiring strict network separation.
AIR-GAP · OT · ISOLATED
Every release ships with a complete Software Bill of Materials listing every package, version, and license. Security teams can verify exactly what's running before deployment — a requirement in modern federal and enterprise procurement.
SBOM · CVE TRACKABLE · LICENSES
Every install ships with UFW deny-all inbound, Fail2Ban intrusion detection, SSH hardening, TACACS+ per-command authorization, AD group-based Linux sudo policy, and TLS-only access. Security is the default posture — not an add-on.
UFW · FAIL2BAN · TACACS+ · TLS
5NinesNet provides what most compliance-focused platforms don't: a fully transparent, on-premise architecture whose security posture is verifiable by any qualified engineer before a single device is managed. Full source code, SBOM, zero telemetry, and air-gap operation — the foundation your security team actually needs.
CCIE network architect with 20+ years across enterprise design, operations, and security. Spent that time building, breaking, and rebuilding networks at the layer where vendor marketing meets pf state tables — and got opinionated about what actually matters when something's on fire at 3 AM.
5NinesNet is the home for the work that came out of that — managed network infrastructure that doesn't require a six-figure contract and a year-long deployment to actually use. The portal is part of it: a control plane for OPNsense-based deployments built on the principle that if you can't reproduce it from a clean install in 30 minutes, you don't actually own it.
Watch how 5NinesNet handles TACACS+ AAA, iperf3 performance testing, HA failover, and more — in 30 seconds.
Let's scope your deployment. The engineer who built it will be on the call.
Or try the live demo — launch it here → · Credentials provided on request.