Guide on How to Configure pfSense Firewall for Use With the 3CX Phone System


This document describes how to configure pfSense for use with the 3CX Phone System. This manual is based on version 2.0.



In general, pfSense is known to work correctly and can be used as a gateway in front of a 3CX Phone System to connect VoIP providers, direct remote extensions (STUN) and 3CX Tunnel connections.

The status of this type of firewall is “Supported”.
NAT Type: IP and Port Restricted


Configuration of the firewall will never be carried out by 3CX staff at any point and must be done by the company's system administrator. You must understand the risk of opening ports to the World Wide Web. Read for more information and agree with the terms stated. This guide is a best-effort description of how to configure the device(s). 3CX is not liable for any misguidance that may be contained in this guide.

Configure NAT

Start a web browser and open the web management console of the pfSense machine.


1. Navigate to Firewall -> NAT


2. Use the “+” symbol to add a new rule.

To determine the ports needed for the setup, follow this link, as the ports may depend on the version you are using.


3. This example shows how to create the NAT for the SIP port, default port 5060.

1) Set the protocol type to TCP/UDP
2) Select the port or port range for the NAT. If the port is not predefined, as shown for SIP, enter the ports manually.
3) Enter the internal IP address of the 3CX Phone System
4) Enter the internal port (which commonly is the same as the external port)
5) Label the rule for easier identification at a later stage
6) Important: set this to “Add associated filter rule”

4. Save/Apply the config and repeat these steps for each NAT required.

In case a port range for RTP must be entered use the following writing style:


A basic setup will look like this



Port Preservation

Many pfSense guides describe how to preserve the port in outbound connections while a backward NAT is created. This is a key MUST in VoIP: it ensures that when data is sent from port 5060 or 9000-9500 to a destination, the NATed source port is not altered by the firewall. Normally the “NAT reflection” option within the NAT rule, set to “Pure NAT”, should solve this. However, after trying every single combination we failed to get this to work and needed to create the mapping manually.


Navigate to Firewall > NAT > Outbound, set the type from automatic to manual and press “Save”. A list of pre-set outbound rules will be created. Find the rule “Auto created rule for XXX to WAN”, where XXX is the name of your LAN interface, and press the “+” to create a copy of it.


In the rule define the IP of the 3CX Phone System (e.g. and set the Translation to “Static port: ON”

Move the rule to the first position inside your outbound NAT table to ensure operation (shown in the first screenshot of this section).
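The effect of the rule order described above, as an added example that is not part of the original guide: outbound NAT rules are evaluated top-down and the first match wins, so a static-port copy left below the automatic LAN rule never applies to the PBX. The rule model, the function names and the sample addresses are assumptions made for this illustration and are not pfSense's configuration format.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class OutboundRule:
    description: str
    source: str        # CIDR matched against the packet's source address
    static_port: bool  # True keeps the original source port

def first_match(rules, src_ip):
    """Outbound NAT is first-match: return (position, rule) of the rule that applies."""
    addr = ipaddress.ip_address(src_ip)
    for position, rule in enumerate(rules, start=1):
        if addr in ipaddress.ip_network(rule.source):
            return position, rule
    return None, None

def audit(rules, pbx_ip):
    """Report where an outbound table deviates from the guide's port-preservation setup."""
    findings = []
    position, rule = first_match(rules, pbx_ip)
    if rule is None:
        findings.append("no outbound rule matches the PBX")
    elif not rule.static_port:
        findings.append(f"rule {position} ({rule.description!r}) wins and rewrites the source port")
    # The guide narrows the copied rule to the PBX address; flag anything wider.
    for rule in rules:
        if rule.static_port and ipaddress.ip_network(rule.source).num_addresses > 1:
            findings.append(f"{rule.description!r} applies static port to more than the PBX host")
    return findings

# Constructed sample addresses (not from the guide).
PBX = "192.168.1.10"
AUTO = OutboundRule("Auto created rule for LAN to WAN", "192.168.1.0/24", False)
PBX_RULE = OutboundRule("3CX static port", "192.168.1.10/32", True)

WRONG_ORDER = [AUTO, PBX_RULE]   # copy left below the original rule
GUIDE_ORDER = [PBX_RULE, AUTO]   # copy moved to the first position

if __name__ == "__main__":
    for name, table in (("wrong order", WRONG_ORDER), ("guide order", GUIDE_ORDER)):
        print(name, "->", audit(table, PBX) or "OK")
```

With the copy in the first position only the PBX keeps its source ports; every other LAN host still falls through to the automatic rule.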

Optional Settings

If your remote phones or VoIP provider mostly work but randomly disconnect, set “Firewall Optimization Options” to Conservative under System -> Advanced to allow a bigger grace period on high-latency connections. This option should not be set by default and should only be changed if the issue is actually observed. Some more options and information regarding VoIP and pfSense can be found here:



Run the 3CX Firewall Checker to validate the setup from the 3CX Phone System Management Console Settings >> Firewall Checker. All tested ports must return green / working.


If you use this firewall in a remote location in front of a STUNed IP phone, the appropriate NAT to the internal IP phone MUST be made. Due to the NAT type, the audio port opened in the dynamic NAT will change and won’t match the port resolved via ippbx:5060 that is sent in the INVITE to the 3CX Phone System.

  1. Allan May

    Can you also provide QOS setup for PfSense ?

    May 17, 2014 at 10:53 pm
  2. Dave Rowland

    Nice writeup, just what I need as we have just installed ours, however it is working but the Firewall checker fails and using remote software like iPhone/PC Phone just don’t find their in correctly. Using the Tunnel also isn’t the best experience.
    I read up and post back my results

    May 22, 2014 at 11:50 am
    • Stefan Walther

      @Dave, we made an addition to the post since for port allocation.
      have you set it?

      May 25, 2014 at 7:47 am
    • Dave Rowland

      Just spied your changes, I am about to attempt it, however the pfsense box has a lot of responsibilities and NAT is important here, so I am gonna take a backup before I enter anything

      June 4, 2014 at 1:02 am
    • Dave Rowland

      I gave it a go, I had mixed results, I entered the outbound rule and notice that my internet connections died however I did do Firewall tests and some ports between 9004-9014 sockets did work, the rest still failed with [Test2] One on One Port Forwarding … FAILED.
      No response received or port mapping is closed. Firewall check failed. This configuration is not supported

      I did some resets and put it back to how it was when I started, maybe retry and do some more configuration, but when I applied the outbound rule, I basically screwed up everything else like Internet to Lan, will have another go another night

      June 4, 2014 at 2:15 am
    • Stefan Walther

      Best would be to join our webinar about firewall configuration ( which is demonstrated on a pfsense and you can have a look on the device itself. It may fail as some services already used the port 5060 and you need to reset all connections (a device reboot is the easier way)

      June 6, 2014 at 3:38 pm
  3. Lorenzo Faleschini

    I have strange issues only for incoming calls.. they drop after 15-30 seconds. I have switched to pfSense 2.1.3 and applied all the rules you wrote here. outgoing calls working just fine.. any clues?

    June 20, 2014 at 4:13 pm
    • Lorenzo Faleschini

      I’ve found the problem. I forgot to apply changes when I moved the outgoing NAT rule to the first place, so that was not applied. Now working perfectly: 3CX behind a pfSense and phones located in 3 different sites connected through site2site openvpn. Thanks pfSense, you make sense!

      June 23, 2014 at 11:09 pm