Full-stack open-source NMS platform. TACACS+, SNMPv3, config backup, performance testing, firewall management, and unified observability — one appliance, zero vendor lock-in.
Built from the ground up for real-world network operations — not a checkbox SaaS product.
Full SNMPv3 AuthPriv support with SHA/AES. Poll CPU, memory, interfaces, errors, and custom OIDs from Cisco IOS, ASA, NX-OS, and more.
SHA · AES · MIB-II
Full TACACS+ management UI backed by tac_plus. Per-user privilege levels, command authorization, and per-session audit trails with AD/LDAP integration.
tac_plus · AD · Priv 15
Automated config archival via Oxidized. Every change committed to Git with full diff viewer, rollback capability, and per-device history timeline.
Oxidized · Git · Diff
Visual rule management for the NMS server's UFW firewall. Add, remove, and audit ingress/egress rules without touching the CLI.
UFW · iptables · Policy
Real-time intrusion detection dashboard. View active jails, banned IPs, ban/unban actions, and brute-force attempt timelines by source IP and service.
SSH · NGINX · TACACS
Full Grafana Unified Alerting integration. Configure threshold alerts, SMTP/webhook notifications, silence windows, and alert routing — all from the portal UI.
Prometheus · Loki · PD
Centralized syslog collection from all Cisco devices via rsyslog + Loki. Full-text search, filter by severity, device, facility. All correlated in Grafana.
rsyslog · Loki · Search
Deploy the full platform under your own brand. No 5NinesNet references. Complete theming, custom logos, customer-isolated tenants, and security transparency docs.
OEM · Multi-tenant · Custom
Customer-deployable packet capture and audit export. Prove to your clients exactly what data the NMS touches — a key differentiator over closed-source competitors.
PCAP · SBOM · SOC2-ready
Drag-and-drop topology canvas with multi-hop chain links, ghost/alias nodes, SNMP interface pickers, and live right-click editing. Your actual network — not a diagram tool.
Multi-hop · Alias · Live SNMP
Built-in iPerf3, ping, traceroute, and DNS test runner. Schedule recurring tests, clone existing ones, and visualize historical bandwidth and latency trends per device.
iPerf3 · Ping · Traceroute
Active/Standby HA with VRRP VIP, automated rsync of Loki, Prometheus, syslog, and TACACS data. Preflight health checks before every sync. Zero-downtime management continuity.
VRRP · rsync · Preflight
Full-screen NOC dashboard optimized for operations center displays. Real-time device health, BGP status, active alarms, and syslog stream — all auto-refreshing, zero interaction required.
Wall Display · Auto-Refresh · Alerts
Register remote NMS nodes via SSH key trust — no agents, no extra software. Performance tests run directly from the remote node via SSH so you measure real WAN throughput, not local loopback. UFW rules auto-scope to each enrolled node's IP.
SSH Trust · Zero-Agent · Zero-Trust UFW
AD group membership drives not just portal access but Linux OS sudo policy. Each role maps to precise sudoers rules — NOC gets service status and log reads only, admins get service management, super admins get full access. Applied with one click, validated by visudo.
sudoers · AD Groups · Per-Role
Every test result — latency, TCP throughput, UDP jitter, packet loss — is automatically pushed to Prometheus and available in Grafana. Dynamic dashboards with Source/Target dropdowns let you trend any test pair over time and correlate with SNMP interface errors on the same timeline.
Prometheus · Grafana · Time-Series
Add, remove, and manage persistent static routes on the NMS server directly from the portal. Routes are written to Netplan and survive reboots. Interface auto-detection, metric control, and one-click Apply — no CLI required.
Netplan · Persistent · No CLI
Grafana-powered panels fed by Prometheus, Loki, and SNMP Exporter. Real device data from your actual environment.
| Jail | Banned | Attempts 1h | Status |
|---|---|---|---|
| sshd | 11 | 243 | ● Active |
| nginx-http-auth | 2 | 18 | ● Active |
| tacacs-auth | 1 | 4 | ● Active |

| User | Priv | Auth | Devices |
|---|---|---|---|
| ft | priv 15 | 142 auth | RT-EG-01-A, SW-01-A, ASA |
| rmartinez | priv 7 | 98 auth | SW-01-A |
| achen | read-only | 39 auth | RT-EG-01-A |
| unknown | — | 5 fail | ASA-EG-01 |
Clone from GitHub. Edit a single config file with your device IPs, SNMP credentials, and SMTP settings.
git clone …
One script installs all dependencies — FastAPI, Prometheus, Grafana, Loki, tac_plus, Oxidized, nginx, Fail2Ban, UFW.
./bootstrap.sh
Add routers, switches, and firewalls via the portal UI. Apply & Restart auto-generates snmp.yml and prometheus.yml.
Portal → Devices
Full visibility from day one. Dashboards, alerts, TACACS audit logs, config diffs, and syslog — all live.
Dashboard → Live
Scheduled PDF and CSV exports for network health, security posture, and compliance. Customer-ready on demand.
Most NMS tools show you everything your network contains. 5NinesNet shows you everything your team needs to see. Curated multi-canvas views, drag-and-drop layout, ghost/alias nodes, and multi-hop chain links — your topology as a living document of network intent, not a scan result.
Links store a full hops[] path — Source → via SW1 Gi0/24 → via ASA → Target. Each hop has SNMP interface pickers for in/out interfaces. Labels render on-canvas offset from the line.
Right-click any device → Create Alias. The alias shares the same IP and SNMP data as the original, appears with a dashed border and numbered badge (② ③), and can connect to different parts of the topology. Deleting an alias never affects the original.
Right-click any link to open the full hop-builder pre-filled with existing hops and interface assignments. Changes are saved via PATCH — no page reload, no data loss.
All instances of the same physical device — original and all aliases — automatically share a unique color ring derived from the device ID. No configuration required.
Separate canvases for WAN, per-site, management, and core topology. Each view is purposeful — your NOC team sees what matters for their scope. No spaghetti, no unused interfaces, no decommissioned devices cluttering the map.
Auto-discovery tools map everything — unmanaged printers, loopbacks, VLAN interfaces, stale hosts. The map becomes unreadable in days. 5NinesNet puts you in control: you decide what goes on the canvas, and the result stays clean forever.
Built-in iPerf3 TCP/UDP, ping, traceroute, and DNS tests. Run from the local NMS or SSH into any remote node to measure real WAN throughput from the network edge — not from the server room. Results feed directly into Grafana for time-series trending.
| Name | Target | Type | Last Result |
|---|---|---|---|
| RT Edge Throughput | 10.1.2.1 | iPerf3 | 941 Mbps |
| ASA VPN Latency | 10.1.2.12 | Ping | 2.1 ms |
| Copy of RT Edge Throughput | 10.1.2.11 | iPerf3 | 487 Mbps |
| BGP Path Trace | 203.0.113.1 | Traceroute | 9 hops OK |
Measure real TCP/UDP throughput between NMS and any network device or server. See download, upload, jitter, and packet loss per test run — with trend history.
Continuous RTT tracking with min/avg/max and packet loss. Alerts fire when latency spikes above threshold. All data stored in Prometheus for Grafana trend visualization.
On-demand traceroute with hop-by-hop RTT and ICMP response analysis. Identify path changes, asymmetric routing, and transit provider issues before customers do.
Hit the ⧉ clone icon on any test row to instantly copy all settings — target, type, schedule, thresholds — prefilled with a "Copy of" prefix so you can modify and save without rebuilding from scratch.
Tests run on configurable intervals (every 5 min to every 24h) or triggered manually. Historical results surface in the dashboard so you can see when throughput degraded — even after the fact.
Register any remote NMS node in seconds. SSH key trust is installed automatically — no agents, no VPN tunnels, no manual copy-paste. Once enrolled, performance tests originate from that node's network vantage point, giving you real end-to-end measurements across your WAN.
| Node | IP | SSH | Ports |
|---|---|---|---|
| NYC-NMS-01 | 10.2.0.10 | ● Trusted | ✓ 5201 · 9090 · 3100 |
| LAX-NMS-01 | 10.5.0.10 | ● Trusted | ✓ 5201 · 9090 · 3100 |
| LHR-NMS-01 | 10.8.0.10 | ⚠ Not verified | Install Trust → |
Enter the remote node's SSH username and password. The portal automatically installs the SSH public key via sshpass, verifies passwordless access, and confirms all required ports are reachable — no manual copy-paste, no terminal required.
When a node is enrolled, UFW rules are automatically added scoped to that node's IP only — ports 5201, 9090, and 3100. Broad ALLOW Anywhere rules are removed. When a node is deleted, its rules are removed. The firewall always reflects exactly what's enrolled.
After trust is installed, the portal SSHes into the remote node and tests each required port back to the collector using netcat. You see green/red per port — not just "it worked" but proof that the network path is actually open end-to-end.
Adding a remote node automatically creates a Performance endpoint — no double-entry. Tests set to use that node as source will SSH in and run iperf3 from the remote site. Delete the node and the endpoint is cleaned up automatically.
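The per-node UFW scoping described above can be checked independently of the portal. The following is an added example, not 5NinesNet code: it parses `ufw status` output and reports rules on ports 5201, 9090 and 3100 that are open to Anywhere, left over from a node that is no longer enrolled, or missing for an enrolled node. The sample status text and the address 10.9.0.77 are constructed; the two enrolled IPs are taken from the node table above.

```python
import re

NODE_PORTS = {5201, 9090, 3100}  # ports the page says are scoped per node

# One rule row of `ufw status`: "5201/tcp   ALLOW   10.2.0.10"
RULE_RE = re.compile(
    r"^(?P<port>\d+)(?:/(?:tcp|udp))?(?: \(v6\))?\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: IN)?\s+(?P<src>.+?)\s*$"
)

# Constructed sample, not captured from a real install.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
5201/tcp                   ALLOW       10.2.0.10
9090/tcp                   ALLOW       10.2.0.10
3100/tcp                   ALLOW       10.2.0.10
5201/tcp                   ALLOW       10.5.0.10
9090/tcp                   ALLOW       10.5.0.10
3100/tcp                   ALLOW       Anywhere
5201/tcp                   ALLOW       10.9.0.77
"""

def audit_ufw(status_text, enrolled_ips):
    """Return (broad, stale, missing) findings for the node ports."""
    broad, stale, seen = [], [], set()
    for line in status_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue
        port = int(m["port"])
        src = m["src"].split("#")[0].strip()  # drop any rule comment
        if port not in NODE_PORTS:
            continue  # e.g. SSH or HTTPS rules are out of scope here
        if src.startswith("Anywhere"):
            broad.append((port, src))         # not scoped to a node IP
        elif src in enrolled_ips:
            seen.add((src, port))
        else:
            stale.append((port, src))         # source is not an enrolled node
    missing = sorted((ip, p) for ip in enrolled_ips
                     for p in NODE_PORTS if (ip, p) not in seen)
    return broad, stale, missing

if __name__ == "__main__":
    print(audit_ufw(SAMPLE_STATUS, {"10.2.0.10", "10.5.0.10"}))
```

On a live server, pass the text of `sudo ufw status` and the current list of enrolled node IPs instead of the sample.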
Full-screen NOC dashboard optimized for wall displays and operations centers. Real-time device health, BGP status, active alarms, and syslog stream — auto-refreshing with zero operator interaction required.
Designed for large screens and TV-mounted displays. High contrast, large font metrics, and auto-refresh — operators see everything at a glance without touching the keyboard.
SNMP metrics, BGP session state, VPN connections, TACACS auth status, and syslog stream all update live. Powered by Prometheus and Loki — no polling delay.
Critical alerts appear in red, warnings in amber, healthy in green. The NOC operator knows immediately what needs attention — and what can wait.
Active/Standby HA with VRRP VIP failover, full data sync — Loki logs, Prometheus metrics, syslog, TACACS audit trails — so the standby node is ready to take over without data gaps.
A single VIP (10.1.2.251) floats between nodes via keepalived VRRP. Devices, SNMP pollers, syslog forwarders, and TACACS clients always point to the VIP — failover is transparent.
HA sync replicates Loki log storage, Prometheus metric time-series, and all syslog/TACACS history. The standby node has your full operational history — not just configuration — so failover has zero audit gaps.
Before every sync run, the portal checks SSH trust, service readiness, and data path accessibility. If anything fails, an amber warning panel surfaces exactly which check failed — sync is blocked until it's clean.
System scripts and sudoers entries are reinstalled on every update.sh run — not just at bootstrap. Configuration drift between nodes is eliminated automatically.
cd ~/nms-portal && git pull && sudo ./update.sh
TACACS+ (Terminal Access Controller Access-Control System Plus) controls who logs into your routers, switches, and firewalls — what commands they can run, and creates a full audit trail of every action. It is the authentication backbone of every serious enterprise and ISP network.
| User | Device | Priv | Command | Time | Result |
|---|---|---|---|---|---|
| ft | RT-EG-01-A | 15 | show bgp summary | 09:41 | ✓ permit |
| ft | ASA-EG-01 | 15 | crypto key generate rsa | 09:38 | ✓ permit |
| rmartinez | SW-01-A | 7 | show interfaces | 08:52 | ✓ permit |
| rmartinez | SW-01-A | 7 | configure terminal | 08:53 | ✗ deny |
| unknown | ASA-EG-01 | — | — | 03:14 | ✗ auth fail |
Every login to every Cisco IOS, ASA, NX-OS, or other TACACS-capable device goes through the 5NinesNet TACACS+ server. Username and password validated against local users, Active Directory groups, or both. Failed auth attempts are logged, bannered, and trigger Fail2Ban rate limiting automatically.
Granular per-user and per-group command authorization. Privilege level 15 for senior engineers, level 7 for NOC read-only, level 1 for view-only. Specific commands can be permitted or denied per user per device — no more "give everyone enable" because it's easier.
Every command entered on every device is logged with timestamp, username, source IP, device, and result. The accounting log is ingested by Loki, queryable in Grafana, and exportable as PDF/CSV. Answers "who ran that command at 2am" in under 10 seconds.
Live Grafana dashboard shows authentication activity by hour (7-day heatmap), success/fail rates per user, top devices, and anomaly detection. Automated weekly PDF reports are customer-deliverable — show your client a signed, timestamped access audit without touching the CLI.
| Feature | 5NinesNet | SolarWinds | Traditional NMS | Cloud NMS |
|---|---|---|---|---|
| Source Code Auditable | ✓ Full OSS | ✗ | ✗ | ✗ |
| TACACS+ Management UI | ✓ Full | ✗ | Basic only | ✗ |
| Git-based Config Backup | ✓ Native | Add-on | ✗ | SaaS only |
| Fail2Ban / UFW Management | ✓ Built-in | ✗ | ✗ | ✗ |
| Self-Hosted / On-Premise | ✓ Always | Option | Varies | Cloud only |
| White-Label / OEM | ✓ Included | Enterprise tier | ✗ | ✗ |
| Zero-Trust Transparency | ✓ PCAP export | ✗ | ✗ | ✗ |
| SSH Remote Performance Testing | ✓ Native | ✗ | ✗ | Limited |
| Linux OS Authorization (sudoers) | ✓ Per AD Group | ✗ | ✗ | ✗ |
| Intentional Topology (No Auto-Sprawl) | ✓ By Design | Auto-only | Auto-only | Auto-only |
| Perf Metrics → Grafana (Native) | ✓ Built-in | Add-on | ✗ | SaaS only |
| Starting Price | $0 / mo | $18,000+/yr | $5,000+/yr | $199+/mo |
Engineered in the United States. Every component open source and auditable. No cloud dependencies, no telemetry, no black boxes — designed for the security posture of regulated industries, critical infrastructure, and government-adjacent environments.
Designed, built, and maintained in the United States by a network engineer with production ISP and enterprise infrastructure experience. No offshore development, no foreign dependencies in the core stack.
U.S. ORIGIN · U.S. STACK
Every component — FastAPI, Prometheus, Grafana, Loki, tac_plus, UFW, Fail2Ban, SSSD — has publicly audited source code. No proprietary daemons, no compiled blobs, no mystery processes on your management server.
OSS · AUDITABLE · NO BLOBS
The portal never makes outbound connections to 5NinesNet or any third party. No license checks, no usage analytics, no crash reporting. What happens on your network stays on your network — verifiable by packet capture.
NO TELEMETRY · AIR-GAP READY
Once bootstrapped, operates with zero internet connectivity. All dependencies install at setup time. Suitable for isolated environments, classified networks, and OT segments requiring strict network separation.
AIR-GAP · OT · ISOLATED
Every release ships with a complete Software Bill of Materials listing every package, version, and license. Security teams can verify exactly what's running before deployment — a requirement in modern federal and enterprise procurement.
SBOM · CVE TRACKABLE · LICENSES
Every install ships with UFW deny-all inbound, Fail2Ban intrusion detection, SSH hardening, TACACS+ per-command authorization, AD group-based Linux sudo policy, and TLS-only access. Security is the default posture — not an add-on.
UFW · FAIL2BAN · TACACS+ · TLS
5NinesNet is not pursuing FedRAMP certification today — that process takes years and significant investment. What we provide is something more immediately useful: a fully transparent, on-premise platform whose security posture is verifiable by any qualified engineer before a single device is managed.
5NinesNet started as an internal toolset for managing a production ISP infrastructure — BGP peering, MPLS VPNv4, ASA firewalls, Catalyst switching, and TACACS+ AAA at scale. After years of duct-taping open-source tools together, I built a unified platform that actually fits how network engineers work.
Everything is open source because transparency isn't a feature — it's the foundation. Your team should be able to audit exactly what's running on your network management server. That's why 5NinesNet is built on tools with readable source code, not black boxes.
Built by network engineers. Deployed at ISP scale. Open source forever.
Or try the live demo — launch it here → · admin / demo123