Trying to understand why Turing Pi 2's network jacks are bridged

I’m thinking of getting a Turing Pi 2 and I’m curious about why the two RJ45 jacks are bridged (aside from board design simplification), and what that means.

I understand bridged networking in the sense of bridging a modem with a more capable router (pfSense firewall appliance for example, as is my case; so pfSense handles everything instead of the modem).

What I don’t understand is what, if anything, is the benefit of having two network jacks which more or less have the same identity by being bridged (if that makes sense, as they shouldn’t both be connected to the same switch/router without causing problems if I understand correctly), that’s more or less how I understand bridging at the moment, anyway (though I understand each Pi has its own MAC & IP address).

Is bridging in the context of the Turing Pi (1 or 2) to allow each Pi to be seen by separate/isolated networks? How are addresses handled by the Turing Pi’s internal switch? Would each system get a different IP based on the network it gets connected to through the respective RJ45 jack? Am I completely misunderstanding bridging?

I’d really appreciate a “for dummies”-style explanation of bridging and a more technical one (rooted in the “for dummies” explanation, ideally, to help me understand), if someone would be so kind as to provide one. The only experience I’ve had with bridging is that mentioned in the first paragraph with the modem/pfSense appliance, so I’m having difficulty generalizing my understanding of it to really understand it properly, how it can be beneficial, and any security considerations to account for.

Thanks

The Turing Pi 2 is listed as having a “Managed Switch” comprised of an 8-port switch chip that supports VLANs. A switch chip is an ASIC that is the guts of any switch you would buy. In a regular switch, all 8 ports on the chip would be connected to physical ethernet ports on the front panel. Of the 8 ports on the switch chip, 4 are wired to the Pi slots, 2 are on the front panel as gigabit ports, and the other two are unused. This is common because the next step smaller for switch chips is 5 ports, and the Turing Pi 1 had a 7th 100Mb port connected as well.

The documentation Cluster Management Bus (i2c) - Turing Pi V1 states the chip is an RTL8370 and is on I2C address 0x5ch. I could not find any documentation relating to how to manage the switch chip. (The documentation also hasn’t been updated at all for the Turing Pi 2, but I would expect the switch chip to be the same)

“Bridging” means the act of performing Layer 2 (MAC address based) packet forwarding between 2 or more ports, and is specifically used when performed via software on ports that otherwise would be independent L3 interfaces (meaning you are doing this with ports on a router). “Switching” means to do the same action but in optimized hardware, an ASIC we then refer to as a switch chip.

The default state of an unprogrammed managed or smart switch is the same as an unmanaged switch: all ports have no VLAN and are in the same broadcast domain. Thus, in the out-of-the-box state, the two ports of the Turing Pi 2 cannot meaningfully be used together, except to connect further devices downstream. Perhaps you only have a single ethernet run in your office; you could plug that into one port and your desktop into the other.

If you figure out how to program the switch chip, however, it may support Link Aggregation (I haven’t checked the features of the RTL8370), or you could split the ports using VLANs. All the same functions you would expect from a managed switch should be possible; you just have a weird switch where 4 ports are hardwired on the PCB and 2 ports are disconnected permanently.


So the next paragraph is my original answer, and everything after is all the notes I took. Everything check out? It’s overkill, but it includes the answers to questions (which I left out) that popped up in my trek to fully understand. Great answer by the way, thanks!

In the Turing Pi example, (default) bridged mode RJ45s (as defined in advance on the switch by Turing Pi developers) accept/deny frames not destined to connected CM4s (for example), while the switch is a normal, but hardwired, switch which transmits frames as appropriate, meaning the fact that the RJ45 jacks are in bridged mode is only relevant to them, not the CM4s. Tautological! It seems I was looking for (additional) meaning where there was none. Oddly, I looked up the model number of that chip and found nothing, even on Realtek’s own site, except a couple with suffixes N-VB-CG and MB-CG. Weird.

OSI Model
Layer 7 (Application): SMTP, FTP, Telnet
Layer 6 (Presentation): Format Data, Encryption
Layer 5 (Session): Start & Stop Sessions
Layer 4 (Transport): TCP, UDP, Port Numbers
Layer 3 (Network): IP Address, Routers
Layer 2 (Data Link): MAC Address, Switches
Layer 1 (Physical): Cable, Network Interface Cards, Hubs
Memory Mnemonic: All People Seem To Need Data Processing
(The mnemonic and basics from some of the following are from a “Certbros” YouTube video I found on the difference between hubs, switches, and routers, and from other sources online, reworded in a way that makes sense to me, with lots of extra information as well.)

Modem (Layer 1): Establishes a network connection with an ISP. Early modems dialed a gateway which carried the signal to establish a connection between your home computer (which was assigned the globally accessible IP address) and the Internet; this meant your computer was accessible to all, unless protected by firewall software. A router could be used to sit between the modem and computer and helped provide some protection by segmenting the Internet from your home, providing you your own LAN, as well as allowing multiple devices to connect to each other and the Internet at once. Most modern modems also contain routing hardware (at a minimum) to segment your home network from the Internet, and multiple ports forming a simple basis for your home LAN (though a LAN doesn’t require a Router if not connecting to another network or the Internet), allowing you to have your own LAN without additional hardware.

Hub (Layer 1): Physically connects devices together into one network, blindly sending traffic to all connected devices except the original sender, connected devices themselves are responsible for accepting or rejecting traffic (has several physical ports). Network hubs in hardware form were superseded by bridges.

Bridge (Layer 2, MAC Address only): Connects network segments (layers 1 & 2) together allowing for more devices to form one same network (e.g. one LAN, this is why both ports on the Turing Pi 2 can’t both be connected to the same network Switch or Router), a Bridge is also a Hub. A Bridge (filtering) can be configured to occur between NICs, ports, or both. When a frame destined to a never-before-seen MAC address is received by the bridge, it forwards it and, if no reply is received, drops future frames to that destination. When a reply is received, the MAC address is added to a MAC address table and it immediately forwards future frames destined to the same MAC address. Network bridges in hardware form have been superseded by switches, though they are still used today in software (e.g. virtual machines, or bridging physical ports in firmware which are connected through a switch chip which also connects other systems which are in their own network segment, as in the Turing Pi).
Role & terminology disambiguation note: Bridges with only two ports are commonly referred to as such and not as a Switch because the only decision to make, using the MAC address table, is whether to forward data.

Switch (Layer 2, MAC Address, Port): All Switches are Bridges, but have (potentially many) more than two ports. This forwards a frame with an unrecognized MAC address (like a hub) to every port, adds the MAC address to the MAC address table (like a bridge) with the port which replies, and sends all future frames destined to the specified MAC address to only that physical port (sorting, to optimize transmission speed). This also means no devices on the network (at Layer 3) will be assigned an IP address if the switch’s upstream link is not directly or indirectly connected to a Router.

Switch (Layer 3): Contains all the same functionality as a Layer 2 Switch, with additional features such as dynamic or static routing, and VLAN awareness.

Switch (Layers 4+): Same as above, but capable of also doing switching based on the information available to it relative to the OSI layer the switch was designed to work on, as well as layers beneath it (see “Multilayer switch” on Wikipedia).

Managed vs Unmanaged Switches: All managed switches have IP addresses (for management purposes), Layer 3 and above switches are, by definition, managed, thus have an IP address and need to be directly or indirectly connected to a Router upstream to perform their Layer 3+ routing.

Router (Layer 3, IP Address): All Routers are (layer 2 at a minimum) Switches, and serve to establish connections between networks (e.g. different LANs). Most often has several ports, but may have as few as two (upstream, downstream) for Routers with a specialized purpose that goes beyond a basic Router package (e.g. Pi-Hole). These use MAC addresses when communicating within the same LAN (whether or not it’s the same network segment) and IP addresses between networks. Routers often have built-in DHCP servers (etc) to ease or automate configuration at device connection establishment time.

Random note which I’m less sure of:
Network design (spine-leaf vs three-tier) results in optimizations targeting different aspects of a network, based on use case.

Three-tier (traditional) is okay for simple networks, where devices need access to each other more-or-less equally (if at all), with access to other networks (e.g. the Internet) provided for at the top.

Spine-leaf allows fewer hops for traffic between client and server (e.g. storage or compute to client, and servers to each other) on the local network, with connections to external networks being provided for at the lowest possible point of impact (leaf switches, if servers shouldn’t be directly Internet-accessible, for example), though this is at the cost of extra cabling and hardware.

Network segment vs network (LAN):
A network segment is a network of devices, all of which are connected through the same hub (layer 1). Multiple connected network segments are a LAN in and of themselves. Once a router (acting as a router, not a hub) is connected to a device in the network, this creates a break in said network, such that other devices connected to the router upstream are addressable and accessible, but not part of the same LAN. LAN devices are thus also accessible to the upstream network’s devices if no firewall is in place.

(Apologies for the disorganized notes.)

I stopped reading about 1/3 through, not in the mood to read through a long post at the moment. But I can see you’re off on the wrong path regarding Layer 1/2 and bridge vs switch.

Layer 1 - consists purely of physical mediums and the electrical or optical signals sent on them. In a medium where multiple nodes can see each other (a coax network, or wifi) you need to perform collision detection, avoidance, and retransmission (CSMA/CD). But in a medium with just two nodes, especially in Full Duplex like a direct fiber or RJ45 ethernet connection, you don’t need to do this.

Layer 2 - frames are sent with source and destination MAC addresses. With a pure broadcast medium (coax ethernet aka 10Base2, wireless) the MAC is used to filter incoming packets to only those bound for the self, or with a broadcast destination MAC. With point-to-point connections (fiber or RJ45 ethernet), we need some way to make a larger network. A hub blindly retransmits all frames to all ports except the destination. A bridge or switch (there is no distinction at this point) pays attention to the source MACs of incoming packets to build up a forwarding table of where each MAC is located. If the destination MAC is present in the table, the packet will be sent out only that single port, otherwise it will be flooded the same as a hub.

The only difference between a bridge and a switch is whether it is built in software or hardware. They perform the same tasks and are logically equivalent. Bridges came first, because it was easy to take the software made for routing (L3 forwarding) and repurpose it to do L2 forwarding.

When you start talking in this level of technical detail, you can’t allow yourself to get confused by the term “layer three switch”. No such thing exists. Any device forwarding traffic based on layer three (IP) is called a router. A layer three switch means that they have implemented some amount of routing functionality in the same ASIC that is performing switching. Depending on the ASIC, this may be a separate logical unit - in other words, an internally connected router-on-a-stick - or they may have expanded the switching fabric to perform routing in the same logic. A L3-Light switch means that it only performs static routing while a full L3 switch performs dynamic routing protocols. At this point the distinction between a router and a full L3 switch is that a layer three switch will not have NAT nor a stateful firewall. It may offer ACLs, but these are static rules that don’t keep track of sessions the way a stateful firewall does. It is the fact that they can’t maintain a L3/L4 state table that keeps them from being called routers, even though at this point they have more functionality than the original Cisco Routers did.

Layer 3 - forwarding via IP addresses, called routing. Most devices these days are either a L2/L3 combination (a L3 switch), or a L3/L4 combination, called a router or firewall.

Layer 4 - sessions, formal or informal, using protocols such as TCP and UDP with defined ports. Other protocols exist such as ICMP that don’t use ports, but they can be tracked the same way.

To repeat myself a little, here are the original definitions of terms compared to how they are used today:

Bridge - no change in usage, has always meant a L2 forwarding “device” built in software with multiple ports on a general purpose computer or router. A bridge is used whenever you have multiple ports on a computer/router and think “gee, it would be great if these acted like ports on a switch”.
Switch - originally L2 only, and without other distinctions is still expected to be
Router - originally a L3-only device, most now are L3/L4 devices due to their support for NAT and stateful firewalls.
Firewall - originally a L3/L4 device, however most these days fall into the category of NGFW “Next Gen Firewall” or UTM “Unified Threat Management” which means they operate from L3-L7. And for good measure, nearly all will let you create a bridge as well, so in one device you might have functionality spanning L2-L7.

You may have a router with a switch builtin, like a Cisco 891-24X, Ubiquiti ER-X, or nearly all Mikrotik Routerboard models. And then there are the thousands of models with wireless builtin as well. A device that is a router, switch, AP, and maybe even modem combined is best referred to as a “SOHO router”. Despite being combined into one package, you can still break them down into the components, as can be seen in this block diagram: https://i.mt.lv/cdn/product_files/C53UiG5HPaxD2HPaxD_221052.png
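Added example, not code from the Turing Pi project or from any poster in this thread: a small learning-switch simulation that models what the two answers above describe. It uses the port layout from the first answer (8-port switch chip, ports 1-4 wired to the CM4 slots, 5-6 on the front panel, 7-8 unused) and the forwarding rule from the second answer (learn source MACs per port, unicast to a known destination, flood everything else). It also shows the VLAN split the first answer suggests and the loop the original question worried about (both front ports into the same upstream switch). The port numbering, VLAN IDs and MAC addresses are constructed for the demo, and nothing here talks to a real RTL8370; that would need the chip's register interface, which the thread says is undocumented.

```python
"""Learning switch with 802.1Q-style port membership (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Port map taken from the first answer in the thread (numbering is assumed).
CM4_PORTS = (1, 2, 3, 4)      # hardwired to the four CM4 slots
FRONT_PORTS = (5, 6)          # the two RJ45 jacks on the front panel
UNUSED_PORTS = (7, 8)         # not connected on the PCB


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int = 1             # untagged traffic lands in the default VLAN 1


@dataclass
class Switch:
    membership: Dict[int, Set[int]]                              # port -> VLANs
    table: Dict[Tuple[int, str], int] = field(default_factory=dict)  # (vlan, mac) -> port

    @classmethod
    def unmanaged_default(cls) -> "Switch":
        """Out-of-the-box state: every wired port in VLAN 1, one broadcast domain."""
        return cls({p: {1} for p in CM4_PORTS + FRONT_PORTS})

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        """Return the egress ports for a frame that entered on in_port."""
        if frame.vlan not in self.membership.get(in_port, set()):
            return []                         # ingress filter: not a member, drop
        # Learning: remember (or move) the source MAC to the ingress port.
        self.table[(frame.vlan, frame.src)] = in_port
        if frame.dst != BROADCAST:
            known = self.table.get((frame.vlan, frame.dst))
            if known is not None:
                return [] if known == in_port else [known]   # unicast, or filter
        # Unknown unicast or broadcast: flood, but only within the VLAN.
        return sorted(p for p, vlans in self.membership.items()
                      if frame.vlan in vlans and p != in_port)


# Constructed MAC addresses (locally administered, not from any real board).
CM4_1 = "02:00:00:00:00:01"
DESKTOP = "02:00:00:00:00:a5"


def demo_default() -> dict:
    """Default config: CM4 in slot 1 talks to a desktop behind front port 5."""
    sw = Switch.unmanaged_default()
    first = sw.forward(1, Frame(CM4_1, DESKTOP))    # unknown dst: flooded
    reply = sw.forward(5, Frame(DESKTOP, CM4_1))    # CM4_1 learned on port 1
    second = sw.forward(1, Frame(CM4_1, DESKTOP))   # DESKTOP learned on port 5
    return {"first": first, "reply": reply, "second": second}


def demo_vlan_split() -> dict:
    """Two VLANs: slots 1-2 share jack 5 (VLAN 10); slots 3-4 share jack 6 (VLAN 20)."""
    sw = Switch({1: {10}, 2: {10}, 5: {10}, 3: {20}, 4: {20}, 6: {20}})
    flood = sw.forward(1, Frame(CM4_1, BROADCAST, vlan=10))       # stays in VLAN 10
    wrong_vlan = sw.forward(1, Frame(CM4_1, BROADCAST, vlan=20))  # dropped at ingress
    return {"flood": flood, "wrong_vlan": wrong_vlan}


def demo_loop() -> dict:
    """Both front jacks into the same upstream switch, no STP: the broadcast
    comes back in on the other jack and the MAC table entry flaps to port 6."""
    sw = Switch.unmanaged_default()
    upstream = Switch({1: {1}, 2: {1}})   # stand-in: its port 1 <-> our 5, port 2 <-> our 6
    first_hop = sw.forward(1, Frame(CM4_1, BROADCAST))       # out of 5 and 6 (and 2-4)
    via_upstream = upstream.forward(1, Frame(CM4_1, BROADCAST))  # upstream floods to its port 2
    re_entered = sw.forward(6, Frame(CM4_1, BROADCAST))      # re-flooded, including port 5 again
    return {"first_hop": first_hop, "upstream": via_upstream,
            "re_entered": re_entered, "learned_port": sw.table[(1, CM4_1)]}


if __name__ == "__main__":
    print("default:", demo_default())
    print("vlan split:", demo_vlan_split())
    print("loop:", demo_loop())
```

Two things worth taking from it. In the default state the four CM4s and whatever is behind both jacks share one broadcast domain, so ARP, DHCP and any unknown-unicast flooding from a management network plugged into one jack reach every node; the VLAN split is what actually isolates them, and it has to be configured on the chip, not on the CM4s. The loop demo is the concrete version of "don't plug both jacks into the same switch": without spanning tree the broadcast circulates indefinitely and the chip keeps relearning CM4_1 behind the wrong port.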