I've accepted that there probably isn't a "solution" to this but are the Firmware developers even aware that it is an issue?
Running a 3CX server behind a Smart hub 2 currently requires a DMZ configuration. Strictly speaking to pass the server's tests you'll also need to turn the firewall off but after getting a good test result it can be turned back on again.
A port forwarding configuration almost works except that ports are being remapped, they are not properly transparent. Specifically I believe outbound connections are being handled by NAPT (NAT) not by the forwarding rules. The difference is subtle but apparently matters for SIP.
Reasons for wanting to use forwarding rules and not DMZ:
I don't want to expose other vulnerabilities that might exist on the server such as the RDP port.
There can only be one DMZ device.
It just seems an extreme solution.