Networking Toolbox

The offline-first networking toolbox for sysadmins — 100+ subnet, DNS, DHCP, and TLS utilities that work without internet access.

2.6Kstars
230forks
MIT License
Svelte

Networking Toolbox is a self-hosted, offline-capable web application packing over 100 networking utilities into a single deployable container. Designed for system administrators and network engineers who need reliable tools during outages or in restricted environments, it eliminates dependence on external websites for tasks like subnetting, DNS validation, TLS inspection, and DHCP configuration. Built with SvelteKit and TypeScript, it runs equally well as a Docker container, static site, Vercel deployment, or bare Node.js server.

The toolset spans every major networking discipline: IPv4 and IPv6 subnet calculators with VLSM and supernetting, full DNS suite covering DNSSEC, SPF flattening, DMARC validation, and zone linting, a TLS analyzer covering cipher suites and OCSP stapling, and a comprehensive DHCP option generator covering vendor-specific options 43, 60, 82, 119, 121, 150, and PXE profiles for enterprise wireless controllers. All 100+ tools are client-side-first and load without any third-party dependencies.

The application is architected for real operational workflows, not toy demos. Each tool category is routed as a self-contained feature module with dedicated server-side API endpoints, composable state management, and keyboard-navigable UIs. A command palette, bookmarking system, global search, and configurable homepage layouts make navigating the full toolset efficient for power users who rely on it daily.

What You Get

  • IPv4/IPv6 Subnet Calculator - Computes network address, broadcast address, usable host range, subnet mask, and binary representation from CIDR notation, with correct handling of /31 and /32 edge cases
  • VLSM and Supernet Calculator - Allocates variable-length subnets across a network plan and finds the smallest supernet covering a given set of IP ranges, with correct CIDR selection logic
  • CIDR Toolset - Converts between CIDR and dotted-decimal masks, checks overlap and containment, splits and summarizes blocks, deaggregates ranges, and diffs two CIDR lists
  • DNS Record Suite - Generates and validates PTR, SPF, DMARC, DKIM, CAA, TLSA, MX, SRV, and NS records with zone linting, TTL calculation, SOA serial analysis, and AXFR zone transfer testing
  • DNSSEC Tools - Validates DNSSEC chains, checks AD flag propagation, analyzes EDNS size, and tests label normalization for internationalized domain names
  • TLS Certificate Analyzer - Inspects certificates for expiry and chain issues, checks ALPN negotiation, OCSP stapling status, supported cipher suites, and TLS version handshake behavior
  • DHCP Option Generator - Builds vendor-specific configurations for Options 43, 60, 82, 119, 121/249, and 150, targeting Cisco, Aruba, Ruckus, and UniFi wireless controllers, plus PXE profile generation and freeform TLV composition
  • IP Address Converters - Converts between binary, decimal, hex, octal, and dotted representations for both IPv4 and IPv6, generates EUI-64 identifiers, ULA prefixes, MAC address lookups, and regex pattern generators
  • DNSBL Blacklist Checker - Queries 15+ major real-time blacklists server-side using native DNS without requiring any API keys, with IPv6 support and per-RBL response time reporting
  • HTTP Diagnostics - Analyzes security headers, inspects redirect chains, checks CORS policy, cookie flags, and compression settings, with detailed pass/fail scoring against security best practices
  • RDAP Lookup Tools - Queries IP, domain, and ASN registration data via RDAP protocol, providing ownership, abuse contact, and registration history for compliance and forensic investigations
  • BGP and Network Reference - Looks up ASN data, geolocation, and routing information for IP prefixes, with reference tables for well-known ports, protocol numbers, and IANA assignments

Common Use Cases

  • Offline data-center troubleshooting - A sysadmin carries Networking Toolbox on an internal Docker host and uses it during a WAN outage to calculate subnets, verify DNS PTR records, and confirm TLS certificate validity without any internet connectivity
  • Enterprise DHCP provisioning - A network engineer uses the DHCP Option 43 and 60 generators to produce correct vendor-specific configurations for Cisco, Aruba, and Ruckus wireless controllers, copying ready-to-paste DHCP snippets directly into their ISC or Kea config files
  • Security compliance auditing - A security engineer runs DNSSEC chain validation, SPF flattening, DMARC policy checks, and HTTP security header scoring to verify that infrastructure meets CIS or internal hardening benchmarks before a quarterly review
  • DNS zone migration validation - A DevOps engineer uses the SOA serial analyzer, NS/SOA consistency checker, and DNS propagation monitor to confirm that a zone transfer to a new authoritative server has completed correctly before cutting over traffic
  • Email deliverability investigation - A platform engineer uses the DNSBL checker to query 15+ blacklists simultaneously for a sending IP, then uses the SPF evaluator and DMARC validator to identify why outbound mail is being rejected or flagged
  • Network planning and documentation - A network architect uses the VLSM calculator and subnet planner to allocate address space across multiple sites, then exports calculations as reference material for infrastructure documentation

Under The Hood

Architecture Networking Toolbox uses SvelteKit’s file-based routing to map each tool category — subnetting, CIDR, DNS, DHCP, diagnostics — to its own feature module, with server-side API endpoints colocated alongside the client components that consume them. Shared state and UI patterns are extracted into Svelte 5 rune-based composables including useDiagnosticState, useClipboard, useExamples, and useValidation, which replace what was previously duplicated across 80+ individual tool pages. Error handling flows through a centralized ErrorManager class with typed AppError objects, pluggable transport support, deduplication within a 5-second window, and identical integration in both client and server SvelteKit hooks. Navigation, tool discovery, and keyboard shortcuts are driven by a declarative nav configuration, making the entire 100+ tool surface navigable without hardcoded references.

Tech Stack The application is built on SvelteKit 2 with Svelte 5 runes and TypeScript, compiled by Vite 7, and adapts to multiple deployment targets through a DEPLOY_ENV environment variable that selects between Node, Docker, static, Vercel, and Netlify adapters at build time. Testing combines Vitest for unit and API-contract tests, Playwright for end-to-end browser tests, and MSW for HTTP mocking, with coverage tracked via Codecov and quality gated through Codacy. Docker production images use multi-stage builds, non-root user execution, tini as a proper init process, and a built-in healthcheck endpoint. SCSS via sass-embedded handles styling, with Prettier and ESLint with typescript-eslint and eslint-plugin-svelte enforcing code consistency.

Code Quality The Vitest configuration enforces an 85% threshold across statements, branches, functions, and lines as a hard build requirement, covering IP parsing edge cases, CIDR math, DNS record generation, and DHCP option encoding with explicit test cases. TypeScript strict mode is enforced via both svelte-check and tsc --noEmit as separate CI steps, and the codebase uses typed interfaces for every API contract and utility return value. Error handling is explicit throughout — all utility functions return typed result objects with error fields rather than throwing, and the ErrorManager captures both unhandled exceptions and promise rejections with structured context. Test output noise suppression is deliberately configured in Vitest to silence expected error patterns, signaling intentional rather than accidental test discipline.

What Makes It Unique The DNSBL checker queries 15+ major real-time blacklists using Node.js native DNS entirely server-side, with no third-party API keys required and full IPv6 support — a level of coverage that most similar tools either omit or gate behind paid tiers. The DHCP generator covers rarely-implemented enterprise options including 43 vendor-specific configs for named wireless controller vendors, 82 relay agent information, 119 domain search lists, 121/249 classless static routes, and PXE profile generation, making it one of the only self-hosted tools that handles real enterprise wireless provisioning requirements. Offline-first operation is genuine rather than aspirational: zero client-side external dependencies, multiple static build targets, and a service worker pathway mean the toolbox functions in fully airgapped environments. The VLSM and supernet calculators include specific correctness fixes for /31 and /32 edge cases that are commonly broken in simpler implementations.

Self-Hosting

Networking Toolbox is released under the MIT License, meaning you can use it commercially, modify the source, redistribute it, and incorporate it into proprietary systems without restriction. The only requirement is preserving the copyright notice. There are no copyleft implications, no dual-licensing, and no feature restrictions tied to a license check — every capability in the repository is available to self-hosters without a commercial license.

Running it yourself is deliberately lightweight. The recommended path is a single Docker command or a docker-compose.yml pointing at the published image. For teams that prefer no container runtime, the static adapter produces a fully self-contained build directory deployable to any web server, CDN, or GitHub Pages. For Node.js environments, the node adapter produces a standalone server. There is no database, no external service dependency, and no configuration required beyond choosing a deployment target. Updates involve pulling a new image tag or rebuilding from source — there is no migration step or persistent state to manage.

There is no hosted or managed version of Networking Toolbox, so self-hosting is the only option. This means you own uptime, updates, and any network exposure decisions entirely. The trade-off is complete control: no usage telemetry, no account requirement, no rate limiting, and no vendor lock-in. The project ships a healthcheck endpoint for container orchestration, but operational concerns like TLS termination, reverse proxying, and access control are left to the deployer’s existing infrastructure stack.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search