Okay, you planted some doubt. This is a quote of what my peer wrote me about the issue; I hope it is OK to quote, it contains no personal or sensitive info, emphasis added:

> Comcast/Xfinity! has a bumpy past with tor. They periodically block it, get yelled at by their subscribers and the media, then unblock it. At this moment, outgoing tor is working. That is, I am able to put the Brave browser in tor mode. But, because of the intermittent interruptions, I've given up on using tor when running behind my ISP.
Outgoing tor is working, so he has to be able to connect to some relay, not necessarily all of them. Or he configured a tor bridge because of past problems and forgot about it?

> Are you sure that port forwarding to your relay is reliably working and that some "security feature" in your Comcast modem/router isn't causing the problem? I haven't researched any reports of Comcast blocking so I can't speak to any other anecdotal reports of said blocking. I sure hope it isn't the case. If it is, I'll certainly drop them in a flash too.
Well, I am not in the US, no Comcast here :), and I am running OpenWrt on my router. My peer is a Comcast customer. I was connected to > 100 lightning nodes while not able to connect to my Comcast peer. I did not check specifically; my lightning node should be reachable by IPv4, IPv6 and tor/onion, so in theory there could have been no inbound IPv4 connection while having > 100 connections. But not likely. I think I either checked my fail2ban-client banned, or turned off fail2ban.

Still, there could be some DDoS protection on my Comcast peer's end. To corroborate: lightning nodes need to be connected, and they try to reconnect frequently to all their "neighbours". I myself see that when I take my lightning daemon offline for just 10 minutes, many IP addresses end up in my fail2ban list. So my Comcast peer could have just taken his node offline, his router would see too many connection attempts from me and consider it DoS and ban me. Still, I would have expected to be unbanned after some time, and this does not seem to happen, so this would be an argument against DDoS protection.
For reference, this is my fail2ban jail.local, perhaps too aggressive:

```ini
[lnd]
enabled  = true
ports    = 9735:9736
filter   = lnd
logpath  = ...
maxretry = 4

[lnd-repeat]
enabled  = true
ports    = 9735:9736
filter   = lnd
logpath  = ...
maxretry = 12
findtime = 1h
bantime  = 1h
```
I'll test again by starting a tor middle relay and checking inbound IPv4 connections; that should bring some results in a few hours.
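As an added example (not from the post above and not fail2ban's own code), here is a small simulation of the counting rule a fail2ban jail applies, run against a peer that keeps retrying a connection the way a Lightning node does after its neighbour goes offline. The log format, the regex and the retry intervals are constructed for the example and are not lnd's real log lines or the post's `lnd` filter; the jail values use the post's `[lnd]` maxretry of 4 with fail2ban's default findtime and bantime of 10 minutes, since the `[lnd]` jail above sets neither.

```python
"""fail2ban-style sliding-window ban simulation.

Added example: models what a jail with maxretry/findtime/bantime does to a
peer that retries a connection on a fixed schedule. Log lines, regex and
retry schedule are constructed for the example (hypothetical, not lnd's
real log format and not the post's 'lnd' filter).
"""
import re
from collections import defaultdict, deque

# Constructed log format: "<epoch seconds> reject <ipv4>"
LINE_RE = re.compile(r"^(?P<ts>\d+) reject (?P<ip>\d+\.\d+\.\d+\.\d+)$")


def parse(lines):
    """Yield (timestamp, ip) for every line the hypothetical filter matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield int(m["ts"]), m["ip"]


def simulate_jail(events, maxretry, findtime, bantime):
    """Apply the fail2ban counting rule to a stream of (ts, ip) events.

    An IP is banned when it accumulates `maxretry` matches inside any
    `findtime`-second window. While banned, its packets are dropped by the
    firewall, so they never produce a log line and are not counted; the ban
    expires after `bantime` seconds and counting starts again from zero.
    Returns {ip: [(ban_start, ban_end), ...]} in chronological order.
    """
    window = defaultdict(deque)   # ip -> timestamps of recent matches
    banned_until = {}             # ip -> epoch second the current ban ends
    bans = defaultdict(list)
    for ts, ip in sorted(events):
        if ts < banned_until.get(ip, 0):
            continue              # dropped by the firewall: no log line
        q = window[ip]
        while q and q[0] <= ts - findtime:
            q.popleft()           # forget matches older than findtime
        q.append(ts)
        if len(q) >= maxretry:
            banned_until[ip] = ts + bantime
            bans[ip].append((ts, ts + bantime))
            q.clear()
    return dict(bans)


def reconnecting_peer(ip, every, duration, start=0):
    """Constructed log: a peer that retries every `every` seconds."""
    return [f"{t} reject {ip}" for t in range(start, duration, every)]


def banned_seconds(spans, duration):
    """Total seconds an IP spent banned within [0, duration)."""
    return sum(min(end, duration) - start for start, end in spans)


if __name__ == "__main__":
    # Two constructed peers (TEST-NET addresses): one retrying every 30 s,
    # one every 5 min, observed for one hour.
    log = (reconnecting_peer("203.0.113.5", every=30, duration=3600)
           + reconnecting_peer("198.51.100.7", every=300, duration=3600))
    result = simulate_jail(parse(log), maxretry=4, findtime=600, bantime=600)
    for ip, spans in result.items():
        print(ip, len(spans), "bans,", banned_seconds(spans, 3600), "s banned")
        for start, end in spans:
            print(f"  banned {start:>5} .. {end:>5}")
    print("never banned:", [ip for ip in ("203.0.113.5", "198.51.100.7")
                            if ip not in result])
```

Running it shows the peer retrying every 30 s banned six times in the hour (3060 of 3600 seconds banned): every ban does expire on schedule, but the peer trips the jail again 90 s after each unban, so from the peer's side the block looks permanent even though no single ban is. The peer retrying every 5 minutes never accumulates four hits inside a 10-minute window and is never banned, which is the difference between a jail catching a flood and one catching a normally reconnecting node.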