I tried replacing the supplied router from Dutch internet provider Telfort with an Edgerouter-X. They use tagged VLAN 4 for IPTV and VLAN 34 for internet. I had already seen configurations on the internet that use a bridge for the IPTV connection; however, I wanted to try using the built-in switch to untag the VLAN 4 packets. IPTV works; however, because eth0 is now a switch port, I can't define a VLAN 34 for WAN on eth0. So I had to create a VLAN 34 on the switch as WAN.
I get a WAN IP address, and I can ping from the Edgerouter to the internet. I can see (from the packet logging) that packets are sent out (translated from LAN to WAN) and I see reply packets back on the WAN interface, but they are not forwarded to the internal LAN.
I removed firewall rules to disable the firewall. I tried both firmware 1.9.0 and 1.9.1.
Does anyone have an idea why this won't work? Am I doing something wrong?
The setup I would like:
port 0: WAN (only tagged 4/34), ports 1+2: IPTV (untagged VLAN 4), ports 3+4: LAN
My config:
interfaces {
    ethernet eth0 {
        duplex auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.30.1/24
        mtu 1500
        switch-port {
            interface eth0 {
                vlan {
                    pvid 98
                    vid 4
                    vid 34
                }
            }
            interface eth1 {
                vlan {
                    pvid 4
                }
            }
            interface eth2 {
                vlan {
                    pvid 4
                }
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware enable
        }
        vif 4 {
            description IP_TV
            mtu 1500
        }
        vif 34 {
            address dhcp
            description WAN
            mac fc:f5:12:34:56:78
            mtu 1500
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name lan_dhcp {
            authoritative disable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 192.168.30.1
                lease 86400
                start 192.168.30.100 {
                    stop 192.168.30.200
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        listen-address 192.168.30.1
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "MASQ WAN"
            log disable
            outbound-interface switch0.34
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name local
    host-name router
}
(removed ntp/syslog/login to make it shorter)