Check if you have setup eth0/9 to use NAT. Else you need to have public IPs there.
However, it might be (but I'm not positive about it) that NAT is not applied if you stay in the same zone, no matter what you set the interfaces to. In that case, and I recommend that anyways, you need to create a new zone for eth0/9, and allow traffic via a specific policy.
Interfaces in the same zone can communicate without a policy. That is a security risk if in Untrust, and hence my recommendation to use a different zone in any case.
Different VRs are useful only if you want to separate routing domains (using OSPF, RIP, BGP or the like), and not propagate automatically determined routes. They do not matter in your case, so your Untrust-VR/Trust-VR might introduce more effort than necessary, as you have to explicitely create the VR-passing routes.