A shared Excel file for company IPs always ends in wrong versions, overwritten edits, and outages from duplicate IPs. You've surely been there.
Whether it's groups, subsidiaries, business units, clients or separate sites, keep each one's IPs, subnets, devices and rooms in a single system, isolated by ownership with object-level access control. MSPs, integrators and group IT manage every tenant from one screen, instead of a spreadsheet (and a tool) per client.
Convenient search, clear object relationships, a modern UX.
Hierarchical management, usage visualization, overlap detection, CSV import and universal table export.
Infers device↔subnet adjacency from multiple data sources and draws physical / wireless / VPN / L3 links.
Rack U-diagrams (half-U and front/rear), floor-plan drag placement, world map, SVG/PNG/draw.io export; the device page highlights its own rack position.
Search hostname / IP / CIDR / MAC in one place; OUI vendor data refreshes automatically every month.
OPNsense-aligned NAT rules, circuit bandwidth, VLAN/VRF and customer/tenant ownership.
Multi-source hostname precedence, per-field edit log, liveness classification, stale-IP filtering and bulk reclaim.
Built-in host liveness and OS detection (ICMP / ARP / rDNS / NetBIOS / mDNS / OS, with per-agent/subnet/IP control over which probes run) runs on the server itself. You can also deploy remote agents to other segments and sites; they report back securely using a key and support run-now and self-update, so new and stale IPs are discovered centrally without a separate tool per network.
Upload a commercial or self-signed certificate once into central, encrypted storage (private keys are encrypted); a pure-bash agent pulls the latest version on a schedule, deploys it to each site's nginx / apache / caddy / haproxy / Proxmox VE·PMG·PBS / Zimbra and reloads the service, with expiry alerts, manual renew and self-update. No more scp-and-restart on every host.
Natural-language queries and semantic search via LLM Server, all on-prem (data never leaves); plus an MCP server so external LLM clients can drive the IPAM directly.
Object-level RBAC (7 object types, cascading inheritance, 5 built-in roles); subnets / devices / IPs can all belong to a tenant or client, so one system manages many companies, groups and sites with isolation.
Not a pile of disconnected lists: every object has a clear hierarchy and links.
This chain isn't decorative: every level drills down, links to the others, and can be owned by a tenant / client.
Section → Subnet → IP address. Each IP knows which subnet and section it belongs to, with utilization and free space at a glance.
Room / Site → Rack → Device. Mirrors the real floor plan and U positions, so you can find which room, rack and U slot any device occupies.
An IP maps to a device, and VMs map to devices and consume IPs; click any node to drill in, and everything can be owned by a tenant / client for isolation and access control.
jt-ipam's job is to centrally record and manage IPs, subnets, devices and the network state it integrates: your source of truth and audit trail. It does not hand out or revoke real addresses, intercept traffic, or push DHCP-deny / firewall-block rules to stop unregistered devices from getting online. Workflows like "IP request approval" are administrative sign-off records: approving or rejecting only affects records and authorization inside the system, never enforcement on the wire. Actual address assignment and blocking remain the job of your DHCP, firewall and NAC.
Integration is the core value: tie your existing open-source network and security tools into one hub that is centralized, pull-only and non-invasive. It also supports importing existing data from phpIPAM for a smooth migration.
All integrations are pull-only and non-invasive; data stays centralized on-prem.
jt-ipam serves a live IP → hostname / FQDN lookup table for Graylog's "DSV File from HTTP" adapter, so log events carrying only an IP get a readable name automatically. Toggle it and set the path and token in the admin area; field and format details are on the settings page and in the README.
Real screens with explanations.
Hierarchical management from sections to subnets down to each IP, with utilization and free ranges at a glance. The “IP indicator” grid at the top shows every address's online / offline / unknown state in red / green / grey in real time, so offline hosts and free slots are obvious. It also supports DHCP-range marking, overlap detection, stale-IP filtering and bulk reclaim; import from CSV and export any table to CSV / Excel / ODS / Markdown, with no more manual bookkeeping in a spreadsheet.
Every IP gets a full record: the hostname is resolved by multi-source precedence (scan agent / LibreNMS / DNS / manual), alongside MAC vendor, switch port, owning device and related NAT. Below it sits a section→subnet→IP→device hierarchy graph and a per-field change log that shows exactly who changed which field and when, so accountability no longer depends on memory. jt-ipam also auto-detects likely IP↔device matches (e.g. a hostname that matches a device) and links them with one click once the admin confirms, with no manual hunting.
It combines data from the scan agent, LibreNMS, OPNsense, Proxmox VE and other systems to infer device↔subnet adjacency, drawing physical, wireless, site-to-site VPN and L3 links each with its own line style. Filter by subnet, zoom freely, click the node categories in the legend to toggle whether each device / subnet type is shown, and export the whole graph to PNG / SVG / draw.io for your runbooks.
Upload a floor-plan background and drag-place each rack (rotatable, U-aware, snap-to-grid) to mirror the real room; below it, each rack's U-diagram with half-U, front/rear and type-based colors makes empty slots obvious. Export diagrams as draw.io / PNG / SVG and the device list as CSV / Excel / ODS.
Manage all rooms / sites in one place: record addresses and coordinates and pin every site on a world map; the list also shows rack and device counts per location, so multi-site inventory is clear at a glance.
Device detail brings rack position, specs and a sortable port list onto one page; each port shows its own physical MAC, connected peer and pass-through mapping. Ports are auto-populated on LibreNMS / OPNsense / Proxmox VE sync, so you never build them by hand; a new device arrives with its full interface list.
Once ports are cabled, jt-ipam draws the end-to-end connection path hop by hop, through patch panels and bridge NICs, showing each device and port along the way. Export the whole path to SVG / PNG / draw.io, handy for handover, documentation or tracing a broken link.
Query IPs, subnets and devices in plain language: “show utilization for 192.168.1.0/24”, “find three consecutive free IPs”, and so on. It reads your live data through jt-ipam's built-in MCP, with semantic search (embeddings + pgvector) and anomaly detection, all inferred on a local LLM Server, so your data never leaves the network.
The assistant genuinely understands your infrastructure: ask “how many U are left in rack R1”, “find three consecutive free IPs here” or “who's using 192.168.1.87”, and it answers from real data instead of making you dig through tables. It all runs on a local LLM Server; gemma4:26b works well in our testing, fast and accurate.
The assistant picks up the page you're on: open it on a subnet and ask “who owns these IPs and which switch are they on”, and it answers several at once, citing real data per entry, instead of making you open each one. For changes, it first lists the pending action and only runs it after you confirm.
A one-stop set of network-planning utilities in four groups: IP/CIDR (calc, split, range↔CIDR, aggregate, netmask), MAC (reformat, EUI-64, OUI lookup), DNS/mail (resolution, SPF/DKIM/DMARC, GeoIP) and facility/power (PDU power, heat, UPS runtime). No more juggling online calculators, and it all runs on-prem; nothing leaves your network.
The same IP or device may be reported with different values by the scan agent, DNS, LibreNMS, OPNsense, Proxmox VE, Wazuh and AdGuard. Which one wins? Hostname, ARP / MAC, device name, device model and OS each have their own source-precedence list that you reorder by drag (and whose sources can be disabled individually); jt-ipam resolves the most trustworthy value accordingly, so syncs stop overwriting one another.
Keep commercial or Let's Encrypt certificates in one vault (private keys AES-GCM encrypted); a lightweight per-site agent (pure bash, depending only on curl) pulls and deploys them to nginx / Apache / Caddy / HAProxy / Postfix / Dovecot / Proxmox VE / PMG / PBS / Zimbra and more, config-testing before apply, rolling back automatically on failure, and reloading the service afterwards. Certificate files can be uploaded manually or pulled from a URL / SFTP source on a periodic sync; missing intermediate or root certs are auto-completed from the system trust store, and expiry or drift raises an alert. No more logging into every host to paste certs at each renewal.
Security is a core requirement from the very start of development.
argon2id password hashing, TOTP MFA, JWT (15-min access / 14-day refresh), account lockout.
A few built-in preset roles plus object-level grants (tenant / section / subnet / device…) with hierarchy inheritance.
Every change is hash-chained and verifiable against tampering; diffs show before/after.
Aligned with OWASP Top 10:2025: every module and PR goes through an item-by-item self-check against it; strict CSP, security headers, server-side authz.
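How a hash-chained change log detects tampering, as an added example (not jt-ipam's own code): the record fields, the all-zero genesis value and the SHA-256-over-canonical-JSON construction are assumptions, since the page does not describe the project's actual scheme.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value that the first entry links to

# Constructed sample change records (field names are hypothetical).
CONSTRUCTED_CHANGES = [
    {"actor": "alice", "object": "ip:192.168.1.87", "field": "hostname",
     "before": None, "after": "nas01"},
    {"actor": "bob", "object": "ip:192.168.1.87", "field": "owner",
     "before": None, "after": "tenant-a"},
    {"actor": "alice", "object": "subnet:192.168.1.0/24", "field": "vlan",
     "before": 10, "after": 20},
]


def entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so a record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


def append(log, record):
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev_hash": prev_hash,
                "hash": entry_hash(prev_hash, record)})


def first_broken_index(log):
    """Return the index of the first entry whose link or hash fails, or None if intact."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != expected_prev:
            return i  # an earlier entry was removed, reordered or re-hashed
        if entry_hash(entry["prev_hash"], entry["record"]) != entry["hash"]:
            return i  # this entry's content was edited after it was written
        expected_prev = entry["hash"]
    return None


def head_hash(log):
    # Latest hash in the chain; comparing it with a copy kept elsewhere reveals truncation.
    return log[-1]["hash"] if log else GENESIS


def build_sample_log():
    log = []
    for record in CONSTRUCTED_CHANGES:
        append(log, record)
    return log
```

Removing entries from the tail leaves the remaining chain valid, so the latest head hash has to be recorded somewhere the log's writer cannot alter.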
No Docker, no cloud dependency; runs directly on VMs and containers via systemd + apt.
phpIPAM import over an SSH tunnel; OPNsense / LibreNMS / Wazuh pulled on a schedule, one-way and non-invasive.
Powered by a self-hosted LLM Server, so data never leaves your network. Q&A, summaries and anomaly detection all happen on-prem.
Ask about IPs / subnets / devices in natural language; jt-ipam's built-in MCP tools read your IPAM data directly.
Flags unusual usage patterns and unreachable IPs to surface issues early.
Vector search over embeddings (LLM Server embedding model + pgvector) finds related objects, beyond keyword matching; which model to use is your choice.
Built-in MCP server (stdio and Streamable HTTP) lets external LLM clients drive the IPAM too.
Assistant conversations are persisted automatically, so you can review, manage and audit past Q&A.
Switch chat / embedding models freely, list the tags installed on LLM Server, and configure everything in one global place.
Runs under systemd with HTTPS enforced by default: choose an nginx reverse proxy or uvicorn with a self-signed certificate, secure whether on an intranet or the public internet.
Requirements: Debian 12+ or Ubuntu 22.04+ (64-bit).
Hardware: minimum 2 vCPU / 4 GB RAM / 20 GB disk; recommended 4 vCPU / 8 GB / 40 GB+ (headroom for the database and backups). The optional local LLM runs on a separate host with its own RAM/VRAM and is not included here.
Auto-setup: the install script installs and configures PostgreSQL 16, Python 3.11+, Node 20+, nginx and other dependencies, and generates all keys for you.
More: see the README and scripts/ on GitHub for full steps and env vars.
curl -fsSL https://raw.githubusercontent.com/jasoncheng7115/jt-ipam/main/scripts/bootstrap.sh | sudo bash
First-login password: the installer creates the administrator account admin with a random password and prints it once at the end (also saved to /etc/jt-ipam/.admin-initial-password, readable by root only; the file is under /etc, outside the web root, so it cannot be reached over HTTP). Change the password right after logging in, then you can safely delete the file (sudo rm /etc/jt-ipam/.admin-initial-password); reset it later with the create-admin --force-update CLI (see the README).
sudo bash /opt/jt-ipam/scripts/jt-ipam.sh upgrade
sudo bash /opt/jt-ipam/scripts/jt-ipam.sh uninstall