Set up a 3CX PBX on Windows or the cloud, configure SIP trunks, forward ports on pfSense, and use ring groups for a low-cost, scalable phone system.
Deploying a 3CX PBX: From Zero to Hero in 2025
Published by Brav
Table of Contents
TL;DR
- 3CX can replace a legacy PBX for less than £200 a year.
- SIP & RTP are the two core protocols that keep calls alive.
- Trunks need an authentication ID/password and a public IP whitelist.
- Port forwarding on pfSense is the single most common blocker.
- Ring groups and blind transfers let you handle traffic the way you want.
Why This Matters
I once ran a small office where the IT budget was tighter than a coffee mug. The old PBX was a brick that rattled when we changed the wiring. The phone system cost us hundreds of pounds a year, and any upgrade required a contractor. We needed something that worked on a laptop, let us add new staff instantly, and kept call quality high even over the Wi-Fi we already had. The answer was 3CX – a software PBX that runs on a Windows VM or a cheap cloud instance. It eliminates the need for dedicated hardware, uses the same open-standard SIP protocol that keeps every VoIP system talking to each other, and brings the call-center features you’d find in a paid solution for free. 3CX — 3CX SMB Free Edition (2025)
Core Concepts
SIP & RTP: The Two-Step Process
The Session Initiation Protocol (SIP) is the signaling layer that tells the network “I want to talk to 555-123-4567.” It tells the other side where to find the media stream. The Real-Time Transport Protocol (RTP) actually carries the voice packets. Together, they make the two-way conversation you hear in a phone call.
SIP — Session Initiation Protocol (2024)
RTP — Real-time Transport Protocol (2024)
Codecs
3CX ships with G.711, G.729 and G.722.
- G.711 – 64 kbps, best quality.
- G.729 – 8 kbps, saves bandwidth.
- G.722 – 48–64 kbps, wider audio band.
G711 — G.711 (2024)
G729 — G.729 (2024)
G722 — G.722 (2024)
What a 3CX PBX Gives You
- Add extensions on the fly.
- Connect a physical IP phone, a softphone on Windows, a mobile app on Android or iOS, or a softphone on any desktop.
- Create trunks to an external provider – the simplest way to make and receive calls over the Internet.
- Use inbound and outbound rules so that a single trunk can talk to many countries, or a single country can have a special cost structure.
- Set ring groups and call queues to “hunt” for the next available desk.
- Record, monitor, and even transcribe calls if you want to comply with regulations.
Because 3CX runs on ordinary hardware, you can host it on a Windows VM in your own datacenter, or in the cloud on Amazon, Azure or DigitalOcean – the vendor offers official installation packages for each platform.
3CX — Hosted on Amazon AWS (2025)
3CX — Hosted on Azure (2025)
3CX — Hosted on DigitalOcean (2025)
3CX — 350,000 installs (2025)
| Parameter | Use Case | Limitation |
|---|---|---|
| Trunk Authentication | Register with SIP provider using ID/password | Must match provider’s credentials; fails if wrong |
| Port Forwarding (SIP & RTP) | Expose 5060/UDP/TCP and 10000–20000/UDP | Firewalls and NAT can block; keep ports open |
| Extension Range | Keep extensions in 100-199 or 1000-1999 | Limits number of users; overlapping ranges cause confusion |
How to Apply It
1️⃣ Choose Your Platform
- On-premise: Windows VM or Linux server.
- Cloud: Amazon, Azure, DigitalOcean. Install the base software – see the Windows guide. 3CX — Installing 3CX on Windows (2025)
2️⃣ Set Up the Server
Give the host a static internal IP. On a VM, set the network interface to use DHCP or a static IP and reserve it in the DHCP scope.
3️⃣ Register the 3CX License
Create a free 3CX account, log in, and register your system. The admin console will automatically display a QR code.
4️⃣ Configure the Trunk
Create a SIP trunk in the admin console.
- Authentication type: Register/Account based – you’ll need an ID and password from your provider.
- The trunk will show green once it’s registered.
- Make sure the provider’s IP addresses are added to your whitelist. 3CX — SIP Trunk Registration & Authentication (2025)
5️⃣ Port Forwarding on pfSense
- Forward UDP/TCP 5060 to the internal IP of the 3CX server.
- Forward UDP 10000-20000 for RTP.
- Create a firewall rule to allow traffic to those ports. pfSense — Configuring a pfSense Firewall (2025)
6️⃣ Set Extension Numbers
Choose a starting number and decide on a range: 100-199 for small teams or 1000-1999 for larger deployments. 3CX — Extension Number Ranges (2025)
7️⃣ Inbound & Outbound Rules
- Inbound: Route calls from your trunk to the appropriate DID or ring group.
- Outbound: Define country or prefix rules; prepend “001” for US numbers if your provider expects an international format. 3CX — SIP Trunk Registration & Authentication (2025)
8️⃣ Create Ring Groups
Use the “Ring All” or “Prioritized Hunt” strategy to distribute calls. CrazyTel — Ring Group Guide (2025)
9️⃣ Enable Transfer & Hold
- Blind transfer: Tap “Transfer” and dial the destination extension.
- Music on hold: Enable the feature in Settings > Music on Hold. 3CX — Blind Transfer Guide (2025)
🔟 Test the System
Call a test number from an external line, confirm the call routes, transfer to another extension, and check that the music on hold plays.
🔢 Scale with Cost in Mind
- SMB Free: 10 users, free.
- PRO: About £265 a year for 25 users (≈$350). 3CX — 3CX Pricing (2025)
Pitfalls & Edge Cases
| Issue | Why It Happens | Quick Fix |
|---|---|---|
| Trunk shows red | Wrong authentication ID/password or provider IP not whitelisted | Re-enter credentials, add IP to whitelist |
| Calls drop or are delayed | RTP ports blocked or jittery network | Open UDP 10000-20000, use QoS |
| Extension numbers clash | Overlap between user and ring-group ranges | Keep ranges separate (e.g., 100-199 for users, 900-999 for ring groups) |
| Mobile app fails to register | QR code not scanned correctly | Re-scan QR code, check network connectivity |
| Ring group only rings the first member | “Prioritized Hunt” set incorrectly | Switch to “Ring All” or reorder members |
Quick FAQ
Q1. What is the difference between SIP and RTP in 3CX?
A1. SIP handles the call setup, routing, and teardown; RTP carries the actual audio or video packets. 3CX uses both to establish and maintain a call.
Q2. How do I set up a trunk on 3CX and what credentials do I need?
A2. In the admin console, add a new SIP trunk, choose “Register/Account based” authentication, and enter the ID and password provided by your VoIP supplier. The trunk will turn green when it’s registered.
Q3. Why do I need to forward ports 5060 and 10000-20000?
A3. Port 5060 (UDP/TCP) is used for SIP signaling, while 10000-20000 (UDP) is the range for RTP media streams. Without them, inbound and outbound calls won’t work.
Q4. Can I use 3CX on a cloud VM in Azure?
A4. Yes – the vendor provides a ready-to-use Azure Marketplace image. Just deploy it, point the firewall to the public IP, and follow the standard port-forwarding steps.
Q5. How many extensions can I add in the SMB free plan?
A5. Up to 10 extensions – the license is limited to 10 users.
Q6. What is an inbound rule and why is it useful?
A6. An inbound rule maps an incoming number (DID) to a destination such as an extension or a ring group. It lets you route calls automatically without manual dialing.
Q7. How do I enable dark mode in 3CX?
A7. In the admin console, go to Settings > Appearance and toggle “Dark mode.”
Conclusion
Deploying a 3CX PBX isn’t rocket science – it’s a step-by-step process that starts with choosing a platform, setting up the server, registering a trunk, and opening the right ports. Once those basics are in place, the 3CX admin console gives you a single, web-based interface to add extensions, set up ring groups, and fine-tune call routing. The result is a low-cost, scalable, and feature-rich phone system that can replace expensive legacy PBX hardware while keeping call quality high and giving you the flexibility to grow from a handful of users to hundreds. If you’re a small business owner, IT admin, or VoIP enthusiast looking to modernize your communications, 3CX offers a proven path to a private telephone system without the headaches of traditional hardware.
