The config looks ok. It must be a reachability issue.
You can try:
1. Set the VIP IP as the manage-IP on eth3 and try pinging it from the internet. This will validate IP reachability.
2. enable logging on the VIP policy to check if you see any hits.
3. run a debug while attempting to access one of the VIP services:
- clear db
set ff dst-ip <vip> dst-port <service you are testing>
set ff src-ip <vip> src-port <service you are testing>
debug flow basic
<<Send test traffic>>
<<Press Esc key to stop the debug>>
get db st --- this will dump the debug data
Please share this, you may replace the public IPs before sharing
4. Try adding a static ARP entry on the upstream router for the VIP IP, pointing to eth3 MAC