Slider 2TryLearn MoreSlash your Phone bills - Slider Image

Use SIP trunks, WebRTC & Apps

Slash your Phone Bill by 80%

3CX Tunnel / 3CX Session Border Controller

On this topic


How it Works

Configuring the Tunnel

Step 1 – Configure the Firewall

Step 2 – Configuring Remote Sites via 3CX SBC, 3CX Apps, Bridges

See Also


3CX includes the 3CX Tunnel allowing easier bridging of remote 3CX Phone Systems and connecting remote extensions. The 3CX Tunnel combines all SIP (signaling) and RTP (media) VoIP Packets from one location and delivers them to and from another location (typically the PBX Server) using a custom TCP protocol. This simple concept allows 3CX to overcome firewall or telecom provider issues. The 3CX Tunnel can be used for the following reasons:

  • Resolve issues of NAT Traversal at both the remote and the PBX location.
  • Simplified Firewall configuration at both the remote and the PBX location.
  • Overcome difficulties with ISPs that block VoIP Traffic based on port numbers.
  • Allows VoIP-over-WiFi in some restricted locations, such as Hotel rooms.
  • “Fixes” Firewalls that cannot handle VoIP traffic correctly or which are very problematic to configure correctly, such as Microsoft ISA Server

Note: Presence information does not get carried through the Tunnel to the remote network as of yet. Make sure that the HTTPS ports you have chosen during the installation are open on the PBX server side.

How it Works

The 3CX Tunnel

The image above demonstrates how the 3CX Tunnel works. In this example, 3CX Phone System is on IP Address, and listens on TCP port 5090 (by default) for incoming Tunnel traffic. We must set up a single Port Forwarding rule on the NAT/Firewall Device, telling it that all incoming TCP traffic received on port 5090 should be delivered to LAN IP Address

The remote setup is shown on the left hand side of the cloud. In this example, the machine with IP address of has the 3CX app installed. We will need to tell the VoIP Phone the public IP address of the PBX Server (which in this case is, and also the private IP address of the PBX Server (which in this case is Since the 3CX app will by default use the standard port numbers used by 3CX Phone System, typically no further configuration will be necessary.

3CX Tunnel technology can be used in the following scenarios:

  • Connect Remote Sites using the SBC - For remote sites with a number of remote phones, you can deploy the 3CX SBC to the site so that all phones will communicate with the 3CX PBX over a single port. This is also the preferred option in case 3CX Phone System is running in the cloud.
  • Connect Remote 3CX app Users - The 3CX apps for Windows, Mac, iOS and Android have a built in tunnel that will be used automatically when the 3CX app detects it is not on the LAN. No configuration is necessary in the 3CX app.
  • Connect 3CX Phone Systems via a Bridge - When creating a Bridge to another 3CX Phone System, you can choose to use the 3CX Tunnel rather than a direct connection. 

Configuring the Tunnel

We will use the above example in “How the 3CX Tunnel Works” to configure a tunnel connection.

Step 1 – Configure the Firewall

The Tunnel protocol is designed to eliminate NAT traversal problems and reduce Firewall configuration work to a minimum. There is only one Firewall setting that needs to be made – we must forward the TCP and UDP Tunnel port (set by default to 5090) to the PBX.

Configuring a Port Forward Rule in pfSense

The above picture shows configuration for a pfSense firewall - most firewalls will provide similar functionality. In your firewall:

  1. Enable Port Forwarding.
  2. Specify the PBX’s Local IP Address (which we had set previously to
  3. Set the Type to TCP/UDP.
  4. Set the Port Range to be from 5090 to 5090 (only one port).
  5. Set the Comment field to 3CX Tunnel.
  6. Click on the Add button followed by the Apply button. Your firewall configuration is now done!

Step 2 – Configuring Remote Sites via 3CX SBC, 3CX Apps, Bridges

After you have configured the local tunnel connection and the firewall, the tunnel is now “ready for use”. At the client side you must configure the 3CX apps, an SBC or the Bridges accordingly.

3CX SBC (Session Border Controller)

The 3CX SBC is suitable for sites with multiple IP Phones in the same LAN. The SBC must be installed at the remote site and is available for Windows and Raspberry Pi:

3CX apps

No configuration is necessary for the 3CX apps. However to view 3CX Tunnel options, see the chapter Configuring the 3CX Apps.

3CX Bridges

To configure a Bridge using the 3CX Tunnel, see the Chapter Connecting 3CX Phone Systems (Bridges).

See Also


Free for up to 1 year! Select preferred deployment:


for Linux on a $200 appliance or as a VM

Get the ISO


for Windows as a VM

Download the setup file

On the cloud

In your Google, Amazon, Azure account

Take the PBX Express