How to set up per-use Caller ID blocking (*67)

Note: The following is experimental - it worked for me but may or may not work for you. Also, as shown here it may NOT correctly handle the case where some idiot dials *67 then 911 - depending on the call path and the provider, such a call may get "dropped on the floor", so to speak (to decrease the chances of that, you may want to insert something like *67|911 into the Dial Patterns for your emergency route, just in case someone does dial *67 and then 911).

It must be noted that due to technical limitations, dialing *67 from ANY phone will not block your Caller ID 100% of the time - if an end user has the right equipment and/or the right relationship with their provider, they can receive your Caller ID regardless of your attempt to block it. This is because your Caller ID is always sent, but with a "privacy flag" set when you choose to block it. If the telephone company at the distant end chooses to ignore the privacy flag setting - or, if the called party is in effect acting as their own telephone company - then the person you call may see your Caller ID anyway. "It depends" on several factors, some of which may be beyond your control.

This document assumes that you have one or more SIP or IAX providers that will accept a number in the format *671NXXNXXXXXX and treat it as a private call, and will block Caller ID to the called party. I do not go into passing a private call through to a ZAP channel, as I am not sure if the same principles would work. On a ZAP channel only, in some cases you might need to insert a w (wait) character between the *67 and the rest of the number, but that would not be the case on a SIP or IAX trunk (One exception: A SIP trunk associated with an SPA-3000/SPA-3102 device - I will cover the changes needed for that below).

Step 1: Create one or more new outbound routes:

In our case we wanted to send all private (Caller ID blocked) calls to area codes in the United States and Canada through a single provider. So we set up a new outbound route, specifying all the possible 11 digit patterns that include area codes in the U.S. and Canada.

Route Name: Star_67_Privacy (or whatever you want)

Dial Patterns: Here we individually specified each possible U.S. (and Canadian, if your provider handles calls to Canada) area code, like this:

*671201NXXXXXX
*671202NXXXXXX
[..... more patterns .....]
*671985NXXXXXX
*671989NXXXXXX
*67NXXXXXX

(The last example line shown above allows *67 + 7 digit local calls - if you have 10 digit dialing of local calls in your area you could use *67NXXNXXXXXX instead).

Yes, I know that some of you will try to get by with more generic patterns here, but when someone tries to use *67 to bypass your high cost destination blocks you'll thank yourself for being explicit here. If you need a list of valid area codes, you can find one at the NANPA NPA Reports page. Don't forget the pattern for seven digit calls if your provider accepts them.

Trunk Sequence: Here you select only the provider(s) that will accept and honor the *67 prefix. Note that if a particular trunk does not accept *67+7 digit calls but you want to dial calls using *67+seven digits, you may have to add a trunk dial rule of the form
*67|*671AAA+NXXXXXX
(replace AAA with your area code). Or, if you dial local calls using ten digits but your provider wants to see eleven, then the trunk dial rule would be
*67|*671+NXXNXXXXXX

In addition, we created a separate route for toll-free numbers, after discovering that the provider selected in our first route did not honor *67 on calls to toll free numbers:

Route Name: Star_67_TollFree

Dial Patterns: Note on these we are using the bar character to strip off the *67 prefix before sending it on:

*67|1800NXXXXXX
*67|1822NXXXXXX
*67|1833NXXXXXX
*67|1844NXXXXXX
*67|1855NXXXXXX
*67|1866NXXXXXX
*67|1877NXXXXXX
*67|1888NXXXXXX

Trunk Sequence: ENUM

If you have not created an ENUM trunk, go do that first, then select it as the destination for toll-free numbers. As far as I know (but I may be wrong, so test with a toll-free number that reads back your Caller ID) the carriers that pass toll-free calls via ENUM use a "dummy" number, not any number you pass to them.

After doing the above, you should be able to dial any 11 digit number (or either a 7 or a 10 digit number) with the *67 prefix and the call should go out, and hopefully the outgoing Caller ID should be blocked (assuming your provider actually honors the *67 prefix). But, your users will not get the second dial tone after dialing *67. If you're happy with that, you can stop here. If all your endpoints are Linksys/Sipura adapters or phones (or use similar dial plan strings) you may wish to read step 5 before doing steps 2, 3, and 4. The rest of the steps are primarily designed to provide the second dial tone after *67 is dialed, and also provide some extra assurance that you are not sending a valid Caller ID.

Step 2: Add a new context to etc/asterisk/extensions_custom.conf:

[custom-set-privacy]
exten => _1NXXNXXXXXX,1,Noop(Adding *67 prefix - 11 digit call)
exten => _1NXXNXXXXXX,n,Goto(from-internal,*67${EXTEN},1)
exten => _NXXNXXXXXX,1,Noop(Adding *67 prefix - 10 digit call)
exten => _NXXNXXXXXX,n,Goto(from-internal,*671${EXTEN},1)
exten => _NXXXXXX,1,Noop(Adding *67 prefix - 7 digit call)
exten => _NXXXXXX,n,Goto(from-internal,*671###${EXTEN},1)
exten => 911,1,Noop(Some idiot dialed *67 + 911 - attempt to handle it)
exten => 911,n,Goto(from-internal,${EXTEN},1)
exten => _[*0-9]!,n,Goto(app-blackhole,busy,1)
exten => h,1,Hangup()

REPLACE ### IN LINE 6 WITH YOUR AREA CODE! (Yes, we know we already took care of 7-digit calling above, but as you read on you may understand that there are probably good reasons to do it in both places). You can, of course, omit any lines that match dial patterns that you don't use on your system. It may not be a good idea to leave in the lines for both 7 and 10 digit dialing, for example - pick one or the other.

Step 3: Add a new DISA:

Note that the DISA module must be installed!

DISA name: Privacy
Caller ID: <>
Context: custom-set-privacy

Leave everything else at the defaults (you can change the timeouts later if you like, once you get this working). You are not going to expose this to outside callers, so unless your system is seriously misconfigured you should not need, and for this application do not want a PIN. Be sure to set the Caller ID to <> - this is the extra assurance that you aren't sending out a valid Caller ID!

Step 4: Add a Misc Application:

Description: *67 Privacy
Feature Code: *67
Destination: DISA [Privacy]

Step 5: Configure the dial plan at your endpoints:

Originally, our idea was that endpoints should send *67 calls to Asterisk as soon as *67 is dialed, and let the DISA handle it (which is the reason for steps 2 through 4 above). However, we have discovered that there's a more reliable method that works with Linksys/Sipura devices, and that may work with other types of phones or endpoint devices as well (depending on how configurable the phone or device is). Let's consider how we might set up a Linksys PAP-2 or equivalent Sipura adapter.

A Linksys/Sipura device typically wants to handle *67 itself, but not in the way we want it to. The reason we don't just use the *67 feature built into the adapter is because that only blocks the adapter itself from sending Caller Id information, and FreePBX pretty much ignores that anyway, instead using the Caller ID data you have entered on the FreePBX extension configuration page(s) associated with the extensions handled by the adapter. So the *67 feature built into the adapter just gets in the way, and therefore must be disabled. So look in the "Supplementary Service Subscription" section (you need to be in advanced view to see this) and make sure that "Block CID Serv" is set to NO. Then go to the "Regional" tab, scroll down to the "Vertical Service Activation Codes" section, and make sure that *67 doesn't appear anywhere (particularly in the "Block CID Act Code" setting) - if it does, erase it and save the settings.

There are a couple of ways that a Linksys/Sipura adapter can handle *67 calls. If you completed steps 2 through 4 above, you could go into each of the Line tabs and change the Dial Plan for each line going to your Asterisk box, to add *67S0 (and be sure there are the required bar characters separating this from other parts of the dial plan, e.g. |*67S0|). The "0" is a zero, not a letter "O." This tells the adapter that once it has seen *67 dialed, it should complete the call (to the DISA) right away, so that the caller gets the second dial tone almost immediately. We originally tried this method, and discovered that while it generally works, sometimes digits dialed after the second dial tone aren't received reliably by Asterisk, causing misdials and calls to not go through. However, with some adapters that may be the only method that works at all (though, obviously, what you need to add to the Dial Plan may vary with different equipment manufacturers).

Every endpoint is different but the principle is the same: You want the endpoint to pass the *67 (or *67 + the digits dialed thereafter) to Asterisk, not try to handle it itself. And if it is to connect to the DISA after dialing *67, you want that to happen immediately, not after a few seconds delay. But obviously, the best way to handle this, if the adapter supports it, is to have the adapter generate the second dial tone after the *67, collect the additional digits, and send all of the dialed digits (including the *67 prefix) to your Asterisk server (so there is no inband dialing of touch tones, and less chance of misdialed numbers).

At first I did not think this was possible with a Linksys/Sipura adapter, but after digging into some documentation on Dial Plan construction I realized that it is possible - but, it might turn a relatively simple dial plan into a somewhat more complicated one. Don't worry, a Linksys/Sipura device lets you use a Dial Plan that contains up to 2047 bytes, and you probably won't be anywhere near that limit (however, other manufacturers may not be as generous).

So, if you want the Linksys/Sipura device to collect all the digits and then send them to Asterisk, here's how to do it - but don't say I didn't warn you that it was a bit convoluted. Note that if you do this, you still need to follow ALL of the instructions above, except that if ALL of your endpoints are Linksys/Sipura devices and you plan to modify the dial plan in this way on all of them, then you can skip steps 2, 3, and 4 (the custom context and the DISA - it doesn't hurt to leave them in if you've already created them, however, and they can still be used with other types of endpoints).

For reference, here's a sample original Linksys/Sipura dial plan (which includes our original trick of using *67S0 to reaching the DISA):

(911S2|[2-9]xxxxxxS0|1[2-9]xx[2-9]xxxxxxS0|*67S0|[*x][*x].S4)

This Dial Plan may seem strange to some, but it allows us to dial anything - local extensions, regular PSTN numbers, Free World Dialup Numbers, and even Sipbroker codes and numbers without ever having to dial an access code. For anything other than a 7 or 11 digit PSTN number there is a four second timeout (except for 911 where the timeout is reduced to two seconds, and that short timeout exists only because there could be a Free World Dialup number starting with 911 - if you don't have any FWD trunks you really should change the timeout to zero, using 911S0 instead of 911S2). Anyway, to get the adapter to generate the second dial tone it gets a lot more complicated - here is how that same dial plan looks after changing it to allow *67 + 7 digit and *67 + 11 digit calls:

(911S2|[2-9]xxxxxxS0|1[2-9]xx[2-9]xxxxxxS0|*67,[2-9]xxxxxxS0|*67,1[2-9]xx[2-9]xxxxxxS0|x[*x].S4|*[*0-57-9][*x].S4|*6[*0-68-9].S4|*6[*0-68-9][*x].S4)

The main reason it got so much longer (besides the obvious addition of the two patterns that start with *67,) is that apparently the Linksys/Sipura will NOT generate the second dial tone if there is any ambiguity with another part of the dial plan, even if you put the *67, parts first (note the comma after the *67 - that's what generates the second dial tone). So where we had [*x][*x].S4 (which basically meant, pass anything dialed with a digit or a * in any position as long as it's at least two characters long, but only after a four second delay to see if more digits are coming), we now had to use these four Dial Plan elements instead, to get roughly the same functionality...

x[*x].S4|*[*0-57-9][*x].S4|*6[*0-68-9].S4|*6[*0-68-9][*x].S4

...which gives pretty much the same effect except that it specifically excludes *67 from a possible timeout (also it will reject some two character long patterns that the other element would have accepted, but we have nothing like that on our system anyway). The new Dial Plan is still nowhere near the 2047 byte limit; it's just harder to decipher what's going on unless you understand Linksys/Sipura dial plan construction.

If you don't get the second dial tone after modifying your dial plan as shown (or in some similar manner) the most probable reason is because there's a conflict with some other part of the dial plan, or because there is a *67 somewhere in the "Vertical Service Activation Codes" section (under the "Regional" tab). If you get a fast busy immediately after dialing *67 plus a seven digit number, it likely means you didn't set up a route in FreePBX to accept the *67NXXXXXX dial pattern.

One final note: The dial tone you hear after dialing *67 in this configuration is the "Outside Dial Tone" under the Regional tab. If you want it to sound like a normal dial tone, just copy the pattern from the "Dial Tone" text box, and paste it into the "Outside Dial Tone" text box, then save the settings. While in the Regional settings, you may want to go to the "Control Timer Values (sec)" section and change the value of the Interdigit Long Timer to 20, so that if someone dials *67 and then pauses a few seconds to look up the number, they will have 20 seconds before the (second) dial tone times out.

Additional Instructions if you are using a SPA-3000/SPA-3102 device (or other channel/device that requires a wait after *67 is dialed) for your trunk

(NOTE: I had a major brain fart when creating this page and originally had a process here that was totally unnecessary. Sorry about that).

You may find that the channel you are dialing out on requires a short delay after the *67 is dialed - this usually occurs when you are calling out to the PSTN. The following additional instructions have been tested using a Sipura SPA-3000 device but MAY be equally applicable if you are using a ZAP channel. Make some test calls without inserting a delay first - they may work.

But, if it does turn out that the delay is necessary, then what you need to do is go to the page for each trunk that connects to such a channel or device, and add TRUNK Dial Rules to match the patterns you might be dialing through that trunk, that will insert the w (wait) character after the *67. Here are some sample TRUNK dial rules. Note these would REPLACE any TRUNK Dial Rule patterns you may have added in Step 1 above (do NOT get confused and change any ROUTE Dial Patterns - see Hints on Route Dial Patterns and Trunk Dial Rules if you are not quite sure of the difference).

If you want to dial *67 + 11 digit calls (U.S./Canada numbering format) and you need a short wait after *67 is dialed on a particular trunk, add this trunk Dial Rule:

*67|*67w+1NXXNXXXXXX

Alternately, if your provider accepts *67 + 7, 10, or 11 digit calls you could just use this pattern as a catch-all to insert the wait after *67 and then pass on whatever other digits were received (don't use this pattern if you are going to use any of the other patterns on this page with the same trunk):

*67|*67w+X.

If you want to be able to dial local calls using 7 or 10 digits, but you need or want to send your provider *67 plus a full 11 digits, here's how to do that. First, if you want to dial *67 + 7 digits (for calls within your own area code) and you want to send the number to the provider as *67 + 11 digits, you could add this TRUNK Dial Rule (replace AAA with your area code):

*67|*67w1AAA+NXXXXXX

Alternately, if you dial local calls using ten digits rather than seven in your area you'd use this:

*67|*67w1+NXXNXXXXXX

ONLY make these changes on trunks that require a short delay after the *67 is dialed. A single w gives you a one half second delay, which is almost always long enough for the second dial tone to come up - but if it's not you can stack w's for more time (e.g. wwww would give a two second delay). Just make sure all the w's are together, and on the left side of the + character.