This is a bit of a niche one, not least because network-scripts is supposed to be on its way out as a configuration method, despite cPanel still not supporting NetworkManager properly. No problem people, it's only been around for ten years.
This may also be specific to OVH's network, but I haven't found a resource that covers it, so here are my notes.
Dedicated servers at OVH are allocated a /64 IPV6 range. The gateway is the last address in the range, which is slightly more eye crossing than with IPV4, but ends in FF:FF:FF:FF. However, in EL8 (and in Debian-derived distros to my knowledge), ifup doesn't add a default gateway if it can't ping the address, and it can't ping the address because it needs a default gateway. This also applies to IPV4 in OVH's network, which is a pain for automatic provisioning.
The network-scripts system is remarkably flexible, and wrangling it is a dying art, but the key here is the ifup-post script. This runs after ifcfg-<device> and goes through a sequence of the other scripts in /etc/sysconfig/network-scripts- you can see which ones if you look at the code.
One of these is route6-<device> and this is where you add your default route so it's added after the initial network config. In OVH images it is disabled, and perhaps confusingly, includes a list of static routes generated by cloud-init. Rename that one, and using your editor of choice (vim, you animals), open a new file vi route6-eno1 (for example) and enter your gateway and default route like this:

2001:xxxx:xxxx:xxff:00ff:00ff:00ff:00ff dev eno1
default via 2001:xxxx:xxxx:xxff:00ff:00ff:00ff:00ff dev eno1

Enable the script by making it executable chmod +x route6-eno1.
and restart the network with systemctl restart network.
and you should now be able to ping the IPV6 host of your choice (let's face it, your local gateway).

I have a virtual OPNSense router as the gateway to a production network based on Proxmox servers (more about this another day). All VMs and containers get an unrouted IP address in the 10.x.x.x range and I have a couple of IP ranges for public access, generally but not always behind Haproxy. This doesn\'t seem to be documented properly elsewhere. ## A quick summary: 1. Assign IP range(s) as Virtual IPs 2. Create a One to One NAT between an external IP from a virtual IP range and an internal address 3. Create a WAN rule for the ports you want open to the internal address. ### 1. Assign IP ranges as Virtual IPs Our servers are with OVH and connected by their vRack service, which is remarkably flexible - connected servers can use an unrouted IP network, which is shared between them automatically, and for routed IP addresses, you rent a range (minimum is a /30, for reasons I\'ll explain shortly) and allocate it to the vRack, and in the simplest usage they are allocated to a physical interface on a server and routed to the ranges\' gateway, which is, somewhat counter-intuitively, the second to last address in the range, which is why the smallest range possible is a /30: | Range | CIDR | Gateway | Usable addresses | |-------|------|---------|------------------| | | /30 | | 1 | | | /29 | | 5 | | | /28 | | 12 | For the purposes of this article, I\'ll add a /29 as I have a routed one that\'s about to be reallocated from my account. a) Go to Interfaces > Virtual IPs > Settings b) Press \'+\' c) For the mode in this context, you will use Proxy ARP as IP Alias is for a single IP - the \'Single IP\' option is disabled. d) Select WAN for the interface e) Select \'Network\' for Type f) Enter the network range in the Address field without the CIDR range and select that from the dropdown. You don\'t define a gateway at this point, which also seems a bit counterintuitive but that comes at allocation time. g) Set a description and save. h) Apply changes on the main page. ### 2. Enable Reflection in the Firewall settings UPDATE 19/12/2022: I\'ve been trying to work out why I couldn\'t search other ActivityPub services from my Mastodon instance and found that on my local network at least, I couldn\'t find the address of my blog, so this is the fix for being able to access services internally. a) Go to Firewall > Settings > Advanced b) In the Network Address Translation section, check the Reflection options that you use. I went with all three just to be sure. c) Save. ### 2. Add a One to One NAT a) Go to Firewall > NAT > One-to-One b) Press \'+\' c) For \'Interface\' select \'WAN\' d) For Type selected \'BINAT\' so outbound traffic is rewritten as well e) For \'External network\' select an IP from your allocation and give it the CIDR range /32 f) For \'Source\' select \'Single host or Network\' and enter the IP address of the destination server/VM/container, again with a CIDR range of /32. This is also somewhat non-intuitive at first as the pfSense instructions say the CIDR range should be the same for both addresses and in this case we have a /29 for external traffic and a /22 for internal traffic. g) Set \'Destination\' to \'any\' h) Add a description i) Set NAT reflection to \'Use system default\' or as required. The default is set in Firewall:Settings:Advanced and is Disabled. j) Save k) Apply changes on the main page ### 3. Create firewall rules a) Go to Firewall > Rules > WAN b) Press \'+\' c) Action is \'Pass\' d) Interface is WAN e) Direction is in f) TCP/IP version is generally TCP g) Source is \'any\' h) Destination port range will usually a single port for a protocol such as HTTPS i) Destination is \'Single host or Network\' and the value is the IP address of the backend device with the correct CIDR range for your network, so in this case it\'s 10.10.x.x/22 j) Optionally set a description, but it\'s advisable as it\'s useful for documentation. k) Save l) Apply changes on the main page. Revision 2