diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 63298d7449cc..4e00bf2462a6 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1977,6 +1977,7 @@ int
 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
 {
 	struct pfioc_iface	pi;
+	struct node_host	*h = NULL, *n = NULL;
 
 	if ((loadopt & PFCTL_FLAG_OPTION) == 0)
 		return (0);
@@ -1985,6 +1986,12 @@ pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
 
 	pi.pfiio_flags = flags;
 
+	/* Make sure our cache matches the kernel. If we set or clear the flag
+	 * for a group this applies to all members. */
+	h = ifa_grouplookup(ifname, 0);
+	for (n = h; n != NULL; n = n->next)
+		pfctl_set_interface_flags(pf, n->ifname, flags, how);
+
 	if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
 	    sizeof(pi.pfiio_name))
 		errx(1, "pfctl_set_interface_flags: strlcpy");